icedid | c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2

General

Target

youTube.hta
Size

3KB
MD5

55d9eab53d4063a53b6ed05f7b1e75e7
SHA1

e6b4c81676d3ef0d2f7d08a6cc2ad90eb54908c3
SHA256

c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2
SHA512

e90768d87c7b191d41d3944957725db0e1f29fa865e24fd7308656fc9249ca0a5d1bd0abeda3bbc68528efc0ce6bc3a79eb434c375fd5c6ec90455c6e19a74f9

Score

10^/10

icedid 1892568649 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

1892568649

C2

normyils.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 756 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

764 regsvr32.exe
1060 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1060 regsvr32.exe
1060 regsvr32.exe

flow	pid	process
5	756	mshta.exe

pid	process
764	regsvr32.exe
1060	regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1060	regsvr32.exe
1060	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

mshta.exeregsvr32.exe

description	pid	process	target process
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 756 wrote to memory of 764	756	mshta.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe
PID 764 wrote to memory of 1060	764	regsvr32.exe	regsvr32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\youTube.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\regsvr32.exe
    c:\users\public\dowNext.jpg
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\public\dowNext.jpg

MD5
c678467920675b97d0e84875b3446fca

SHA1
cbceb503769165d90fed68acf608f98a0616f3ce

SHA256
940a9b894d5ce0d10e81cde6ac0cbbd833f39e876d6292e73a3e27167febc2b8

SHA512
3cd25b8a5cb39cc9722d9c8af67e384048bf2ec04f5c3395d34b6002032efe007a3e1b4ba464288fc2a0de174377c79fd71627c7308e9030ea12de2f5ebdc4bb

Download Submit
\Users\Public\dowNext.jpg

MD5
c678467920675b97d0e84875b3446fca

SHA1
cbceb503769165d90fed68acf608f98a0616f3ce

SHA256
940a9b894d5ce0d10e81cde6ac0cbbd833f39e876d6292e73a3e27167febc2b8

SHA512
3cd25b8a5cb39cc9722d9c8af67e384048bf2ec04f5c3395d34b6002032efe007a3e1b4ba464288fc2a0de174377c79fd71627c7308e9030ea12de2f5ebdc4bb

Download Submit
\Users\Public\dowNext.jpg

MD5
c678467920675b97d0e84875b3446fca

SHA1
cbceb503769165d90fed68acf608f98a0616f3ce

SHA256
940a9b894d5ce0d10e81cde6ac0cbbd833f39e876d6292e73a3e27167febc2b8

SHA512
3cd25b8a5cb39cc9722d9c8af67e384048bf2ec04f5c3395d34b6002032efe007a3e1b4ba464288fc2a0de174377c79fd71627c7308e9030ea12de2f5ebdc4bb

Download Submit
memory/764-55-0x0000000000000000-mapping.dmp

Download
memory/764-56-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1060-59-0x0000000000000000-mapping.dmp

Download
memory/1060-60-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/1060-62-0x0000000000120000-0x0000000000183000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing