icedid | 11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f

General

Target

11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe
Size

185KB
MD5

6b3b05d88c27ebec4effcdf9ce592de0
SHA1

e83041739c36aa198acd7dbbea1e64111fb0c38b
SHA256

11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f
SHA512

7abd5037008f5b6245190d5b7eae7c2aee79e7978bb88ba6032fb1d775b79792d3c21bea6d51f5380ec52ce91d1d34e5e127844490767e3e35f2a988e9447fd3

Score

10^/10

icedid smokeloader 1976347518 backdoor banker suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Extracted

Family

icedid

Campaign

1976347518

C2

portedauthenticati.ink

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

6AEB.exeSmartClock.exeD5DB.exeE78F.exe

pid process

8 6AEB.exe
3364 SmartClock.exe
2308 D5DB.exe
2012 E78F.exe
Deletes itself 1 IoCs

Processes:

pid process

3028
Drops startup file 1 IoCs

Processes:

6AEB.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 6AEB.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
8	6AEB.exe
3364	SmartClock.exe
2308	D5DB.exe
2012	E78F.exe

pid	process
3028

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	6AEB.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3364 SmartClock.exe

pid	process
3364	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe

pid	process
2720	11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe
2720	11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe

pid process

2720 11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe

pid	process
3028

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

D5DB.exe

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	2308	D5DB.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6AEB.exe

description	pid	process	target process
PID 3028 wrote to memory of 8	3028		6AEB.exe
PID 3028 wrote to memory of 8	3028		6AEB.exe
PID 3028 wrote to memory of 8	3028		6AEB.exe
PID 8 wrote to memory of 3364	8	6AEB.exe	SmartClock.exe
PID 8 wrote to memory of 3364	8	6AEB.exe	SmartClock.exe
PID 8 wrote to memory of 3364	8	6AEB.exe	SmartClock.exe
PID 3028 wrote to memory of 2308	3028		D5DB.exe
PID 3028 wrote to memory of 2308	3028		D5DB.exe
PID 3028 wrote to memory of 2308	3028		D5DB.exe
PID 3028 wrote to memory of 2012	3028		E78F.exe
PID 3028 wrote to memory of 2012	3028		E78F.exe

C:\Users\Admin\AppData\Local\Temp\11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe
"C:\Users\Admin\AppData\Local\Temp\11a3c2f9bfa57c07f1a8fd8afe0071f775ccde87e3abdfb5f8f06caf3d18435f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2720

C:\Users\Admin\AppData\Local\Temp\6AEB.exe
C:\Users\Admin\AppData\Local\Temp\6AEB.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3364

C:\Users\Admin\AppData\Local\Temp\D5DB.exe
C:\Users\Admin\AppData\Local\Temp\D5DB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\E78F.exe
C:\Users\Admin\AppData\Local\Temp\E78F.exe
1⤵
- Executes dropped EXE
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6AEB.exe
MD5
23f7abd6cd6abedfb39c0a3d7c5d84d9

SHA1
e0775d4503e75cf6021112b7567cbbf317754abd

SHA256
e21619a3046918661695229131b6da6569d58460e31b043b620ce5db160031ed

SHA512
9ca0d74abffb16767c92c3deb99ff7b4b1e8117584564a77235bc07bb1541c4a37bec1b09e4624df9d32414e9df6ddd18e118e17f53bf73287f3b173871205cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6AEB.exe
MD5
23f7abd6cd6abedfb39c0a3d7c5d84d9

SHA1
e0775d4503e75cf6021112b7567cbbf317754abd

SHA256
e21619a3046918661695229131b6da6569d58460e31b043b620ce5db160031ed

SHA512
9ca0d74abffb16767c92c3deb99ff7b4b1e8117584564a77235bc07bb1541c4a37bec1b09e4624df9d32414e9df6ddd18e118e17f53bf73287f3b173871205cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5DB.exe
MD5
4f0bdd79f373e79c29c5b778d2c02bc0

SHA1
029e432f4ad15b9711d87af60ffb6cd832c0512b

SHA256
4852d57a7359372dba40d704476b1f07fafe8359d447446729d56bcaea3398df

SHA512
3037b4557201f3352d694de919fdfc289d9a8c31158a6ae9a89c0c73bde98078f0337c44ee6ebb79cdc70ded6aad200f9eb4ae6719b49004260a0918d5fcff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5DB.exe
MD5
4f0bdd79f373e79c29c5b778d2c02bc0

SHA1
029e432f4ad15b9711d87af60ffb6cd832c0512b

SHA256
4852d57a7359372dba40d704476b1f07fafe8359d447446729d56bcaea3398df

SHA512
3037b4557201f3352d694de919fdfc289d9a8c31158a6ae9a89c0c73bde98078f0337c44ee6ebb79cdc70ded6aad200f9eb4ae6719b49004260a0918d5fcff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78F.exe
MD5
482546ac36d7158aee1d98e851bb438a

SHA1
f8d60730daf9f513fe7a8607b3fd2d240a37eb91

SHA256
88dd28e5663fc93826bfd0d281f596578b89dcc73e638fbe1e69d1b6360122ed

SHA512
4f2f19f860fd488186d5f8e5f5cfd5884574d753b0bd31b6987a9c23dde7626e1cb3b796ba6edf03241455deb46a3452bc09e81fb3734230d27d6ddc967f6f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E78F.exe
MD5
482546ac36d7158aee1d98e851bb438a

SHA1
f8d60730daf9f513fe7a8607b3fd2d240a37eb91

SHA256
88dd28e5663fc93826bfd0d281f596578b89dcc73e638fbe1e69d1b6360122ed

SHA512
4f2f19f860fd488186d5f8e5f5cfd5884574d753b0bd31b6987a9c23dde7626e1cb3b796ba6edf03241455deb46a3452bc09e81fb3734230d27d6ddc967f6f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
23f7abd6cd6abedfb39c0a3d7c5d84d9

SHA1
e0775d4503e75cf6021112b7567cbbf317754abd

SHA256
e21619a3046918661695229131b6da6569d58460e31b043b620ce5db160031ed

SHA512
9ca0d74abffb16767c92c3deb99ff7b4b1e8117584564a77235bc07bb1541c4a37bec1b09e4624df9d32414e9df6ddd18e118e17f53bf73287f3b173871205cf

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
23f7abd6cd6abedfb39c0a3d7c5d84d9

SHA1
e0775d4503e75cf6021112b7567cbbf317754abd

SHA256
e21619a3046918661695229131b6da6569d58460e31b043b620ce5db160031ed

SHA512
9ca0d74abffb16767c92c3deb99ff7b4b1e8117584564a77235bc07bb1541c4a37bec1b09e4624df9d32414e9df6ddd18e118e17f53bf73287f3b173871205cf

Download Submit
memory/8-119-0x0000000000000000-mapping.dmp

Download
memory/8-122-0x0000000002F70000-0x000000000301E000-memory.dmp

Filesize
696KB

Download
memory/8-123-0x0000000004C50000-0x0000000004CE1000-memory.dmp

Filesize
580KB

Download
memory/8-127-0x0000000000400000-0x0000000002F6B000-memory.dmp

Filesize
43.4MB

Download
memory/2012-142-0x0000000000000000-mapping.dmp

Download
memory/2012-145-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/2308-137-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2308-140-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2308-130-0x0000000000000000-mapping.dmp

Download
memory/2308-141-0x0000000004D90000-0x000000000528E000-memory.dmp

Filesize
5.0MB

Download
memory/2308-133-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2308-135-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/2308-136-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2308-139-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2308-138-0x0000000004D90000-0x000000000528E000-memory.dmp

Filesize
5.0MB

Download
memory/2720-116-0x0000000002FE0000-0x000000000312A000-memory.dmp

Filesize
1.3MB

Download
memory/2720-117-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2720-115-0x0000000002FE0000-0x000000000312A000-memory.dmp

Filesize
1.3MB

Download
memory/3028-118-0x0000000000E90000-0x0000000000EA6000-memory.dmp

Filesize
88KB

Download
memory/3364-129-0x0000000000400000-0x0000000002F6B000-memory.dmp

Filesize
43.4MB

Download
memory/3364-128-0x0000000004B70000-0x0000000004BEF000-memory.dmp

Filesize
508KB

Download
memory/3364-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads