icedid | 81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142

General

Target

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Size

292KB
MD5

f556e6b16e85811de359115fa95f9fce
SHA1

a055f68ab7b2d53e81aa77e3a3820319c6b25376
SHA256

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142
SHA512

0e1b267c956e788ed9852f09da1b594143c7076a8b59642b88020ea68bddd2055951b97e001251ffed4225b4923dd78ba61f29d47875119c96b336ce7d5d6899

Score

10^/10

icedid smokeloader 2715004312 backdoor banker loader suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nahbleiben.at/upload/

http://noblecreativeaz.com/upload/

http://tvqaq.cn/upload/

http://recmaster.ru/upload/

http://sovels.ru/upload/

rc4.i32

Extracted

Family

icedid

Campaign

2715004312

C2

badgoodreason.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1032-61-0x00000000001F0000-0x00000000001FB000-memory.dmp	IcedidFirstLoader

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

98A7.exe

pid process

1032 98A7.exe
Deletes itself 1 IoCs

Processes:

pid process

1200
Loads dropped DLL 6 IoCs

Processes:

WerFault.exe

pid process

1200
1648 WerFault.exe
1648 WerFault.exe
1648 WerFault.exe
1648 WerFault.exe
1648 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1648 1032 WerFault.exe 98A7.exe

pid	process
1032	98A7.exe

pid	process
1200

pid	process
1200
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe

pid	pid_target	process	target process
1648	1032	WerFault.exe	98A7.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

98A7.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	98A7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	98A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	98A7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	98A7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

pid	process
744	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
744	81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1200
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe

pid process

744 81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1648 WerFault.exe
Token: SeShutdownPrivilege 1200
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1200
1200
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1200
1200
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

98A7.exe

pid process

1032 98A7.exe

pid	process
1200

description	pid	process
Token: SeDebugPrivilege	1648	WerFault.exe
Token: SeShutdownPrivilege	1200

pid	process
1200
1200

pid	process
1200
1200

pid	process
1032	98A7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

98A7.exe

description	pid	process	target process
PID 1200 wrote to memory of 1032	1200		98A7.exe
PID 1200 wrote to memory of 1032	1200		98A7.exe
PID 1200 wrote to memory of 1032	1200		98A7.exe
PID 1032 wrote to memory of 1648	1032	98A7.exe	WerFault.exe
PID 1032 wrote to memory of 1648	1032	98A7.exe	WerFault.exe
PID 1032 wrote to memory of 1648	1032	98A7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe
"C:\Users\Admin\AppData\Local\Temp\81158169a9868527feaed169deb8e4cad232e33721a96075797d86fc1a782142.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:744

C:\Users\Admin\AppData\Local\Temp\98A7.exe
C:\Users\Admin\AppData\Local\Temp\98A7.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1032 -s 976
2⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\98A7.exe

MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
memory/744-54-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/744-55-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/744-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/744-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1032-61-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/1200-58-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1648-62-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1648-69-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads