icedid | 0049eeaf93e156383f1ab7e68282cc53aea677d62254087c9e199f01ae356cd1

General

Target

0049eeaf93e156383f1ab7e68282cc53aea677d62254087c9e199f01ae356cd1.dll
Size

614KB
MD5

dd9a900b5609b9458ad2cb724cc02f2b
SHA1

7bc65ba09f22681e0686f67fd435c12ec3918a16
SHA256

0049eeaf93e156383f1ab7e68282cc53aea677d62254087c9e199f01ae356cd1
SHA512

2e3a5eaa9cba16a2008c339d1394bbfec0055bf05b1fe05cb7963ca2505a33aa57729cbda162f8f5370bc6aa733c8fd0c739d04668c2b915564890163873f438

Score

10^/10

icedid 1732687004 banker suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

1732687004

C2

keepfootbal.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1680 regsvr32.exe
1680 regsvr32.exe

pid	process
1680	regsvr32.exe
1680	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	388	svchost.exe
Token: SeCreatePagefilePrivilege	388	svchost.exe
Token: SeShutdownPrivilege	388	svchost.exe
Token: SeCreatePagefilePrivilege	388	svchost.exe
Token: SeShutdownPrivilege	388	svchost.exe
Token: SeCreatePagefilePrivilege	388	svchost.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe
Token: SeRestorePrivilege	1756	TiWorker.exe
Token: SeSecurityPrivilege	1756	TiWorker.exe
Token: SeBackupPrivilege	1756	TiWorker.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0049eeaf93e156383f1ab7e68282cc53aea677d62254087c9e199f01ae356cd1.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-134-0x00000157E0190000-0x00000157E01A0000-memory.dmp

Filesize
64KB

Download
memory/388-133-0x00000157E0130000-0x00000157E0140000-memory.dmp

Filesize
64KB

Download
memory/388-135-0x00000157E2E80000-0x00000157E2E84000-memory.dmp

Filesize
16KB

Download
memory/1680-136-0x0000000001380000-0x000000000138A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing