icedid | b17485bdb6b377c0c38ab3e2ab83572760ce6c09952506d9202a235b82021a68

Analysis

max time kernel
4294165s
max time network
124s
platform
windows7_x64
resource
win7-20220223-en
submitted
24-02-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d3fc48e2a96e2dc10cf81acf99778a.exe
Size

229KB
MD5

a4d3fc48e2a96e2dc10cf81acf99778a
SHA1

aed6c2b9e92e138d47bd89950b24c77692b243b5
SHA256

b17485bdb6b377c0c38ab3e2ab83572760ce6c09952506d9202a235b82021a68
SHA512

8ecfd5d2a8532385f8433eb1d3d5a17619d473b19e4907effc46b6d2e422adde55a70ee8edd02526f4d2caa2aa0e59f2c07c64d15682df9fe68741785297d2da

Score

10^/10

icedid smokeloader 2715004312 backdoor banker loader suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://pjure.at/upload/

http://puffersweiven.com/upload/

http://algrcabel.ru/upload/

http://pelangiqq99.com/upload/

http://elsaunny.com/upload/

http://korphoto.com/upload/

http://hangxachtaythodoan.com/upload/

http://pkodev.net/upload/

http://go-piratia.ru/upload/

http://piratia.su/upload/

rc4.i32

Extracted

Family

icedid

Campaign

2715004312

badgoodreason.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1380-68-0x0000000000100000-0x000000000010B000-memory.dmp	IcedidFirstLoader

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

38CC.exe59A6.exe70BF.exe

pid process

1380 38CC.exe
1560 59A6.exe
1100 70BF.exe
Deletes itself 1 IoCs

Processes:

pid process

1368
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

1368
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
1484 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 1380 WerFault.exe 38CC.exe

pid	process
1380	38CC.exe
1560	59A6.exe
1100	70BF.exe

pid	process
1368

pid	process
1368
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe

pid	pid_target	process	target process
1484	1380	WerFault.exe	38CC.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a4d3fc48e2a96e2dc10cf81acf99778a.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4d3fc48e2a96e2dc10cf81acf99778a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4d3fc48e2a96e2dc10cf81acf99778a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a4d3fc48e2a96e2dc10cf81acf99778a.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

38CC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	38CC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	38CC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a4d3fc48e2a96e2dc10cf81acf99778a.exe

pid	process
1144	a4d3fc48e2a96e2dc10cf81acf99778a.exe
1144	a4d3fc48e2a96e2dc10cf81acf99778a.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a4d3fc48e2a96e2dc10cf81acf99778a.exe

pid process

1144 a4d3fc48e2a96e2dc10cf81acf99778a.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

38CC.exe

pid process

1380 38CC.exe

pid	process
1380	38CC.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

38CC.exe

description	pid	process	target process
PID 1368 wrote to memory of 1380	1368		38CC.exe
PID 1368 wrote to memory of 1380	1368		38CC.exe
PID 1368 wrote to memory of 1380	1368		38CC.exe
PID 1368 wrote to memory of 1560	1368		59A6.exe
PID 1368 wrote to memory of 1560	1368		59A6.exe
PID 1368 wrote to memory of 1560	1368		59A6.exe
PID 1368 wrote to memory of 1560	1368		59A6.exe
PID 1368 wrote to memory of 1100	1368		70BF.exe
PID 1368 wrote to memory of 1100	1368		70BF.exe
PID 1368 wrote to memory of 1100	1368		70BF.exe
PID 1368 wrote to memory of 1100	1368		70BF.exe
PID 1380 wrote to memory of 1484	1380	38CC.exe	WerFault.exe
PID 1380 wrote to memory of 1484	1380	38CC.exe	WerFault.exe
PID 1380 wrote to memory of 1484	1380	38CC.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\a4d3fc48e2a96e2dc10cf81acf99778a.exe
"C:\Users\Admin\AppData\Local\Temp\a4d3fc48e2a96e2dc10cf81acf99778a.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1144

C:\Users\Admin\AppData\Local\Temp\38CC.exe
C:\Users\Admin\AppData\Local\Temp\38CC.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1380 -s 924
2⤵
- Loads dropped DLL
- Program crash
PID:1484

C:\Users\Admin\AppData\Local\Temp\59A6.exe
C:\Users\Admin\AppData\Local\Temp\59A6.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\70BF.exe
C:\Users\Admin\AppData\Local\Temp\70BF.exe
1⤵
- Executes dropped EXE
PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
C:\Users\Admin\AppData\Local\Temp\59A6.exe
MD5
501253915a1c1931fa88c43672ff0eaf

SHA1
3f29f95da864dec04f131c12b160ffeef080d190

SHA256
daf9419df6bce826aed80fe196fc6940d40d9cc3afcbb8eda6a5da4de8ea91d8

SHA512
f250b1484ae63d8154b93fc7340184020c7cf5c8972090557ecc2a5193188dcdad7a39fbdc70a25a17d9cfa5bf427d0c43808f6724399041106cf26f1d09eaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\70BF.exe
MD5
501253915a1c1931fa88c43672ff0eaf

SHA1
3f29f95da864dec04f131c12b160ffeef080d190

SHA256
daf9419df6bce826aed80fe196fc6940d40d9cc3afcbb8eda6a5da4de8ea91d8

SHA512
f250b1484ae63d8154b93fc7340184020c7cf5c8972090557ecc2a5193188dcdad7a39fbdc70a25a17d9cfa5bf427d0c43808f6724399041106cf26f1d09eaeb

Download Submit
\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
\Users\Admin\AppData\Local\Temp\38CC.exe
MD5
4b71805d51193b0dbe39321475ba41ed

SHA1
2c69d33ee6cad5557f088f205f7c031b5d7d003c

SHA256
a98112f55dfd1fe971be934510d681e30fad6bc0edd9b4ba5c888f0080a5ed68

SHA512
9f882d0a3117c9b530bdcea67b36601a26024cfa0d505cfa0e06c4a2b675751ad453f220329b1cc8171fedfb576d73d58d8e13e726af08344307a257d078c608

Download Submit
memory/1100-69-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1100-70-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1144-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1144-55-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/1144-54-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1144-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1368-58-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download
memory/1380-68-0x0000000000100000-0x000000000010B000-memory.dmp

Filesize
44KB

Download
memory/1484-78-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1484-71-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1560-62-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/1560-63-0x0000000002090000-0x000000000217B000-memory.dmp

Filesize
940KB

Download
memory/1560-64-0x0000000002180000-0x00000000023C9000-memory.dmp

Filesize
2.3MB

Download
memory/1560-65-0x0000000000400000-0x0000000000655000-memory.dmp

Filesize
2.3MB

Download
memory/1560-66-0x000000000060A000-0x0000000000611000-memory.dmp

Filesize
28KB

Download