icedid | 0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7

General

Target

J5V5DR.dll
Size

702KB
MD5

9b692f43d575acb739decfc809db7f2e
SHA1

bc42c60590cb908e765e2d97e8b3a92b4616cd30
SHA256

0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7
SHA512

f99f546940bd96c6e9cac6a8500f25280ed190b9830247a5c7249d30a40fd1b4e3c94ca0455e337e77682a7a2b14a259b0aa4cf9680e9ccf727f71ae69873473

Score

10^/10

icedid 109932505 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

109932505

C2

ilekvoyn.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2216 vlc.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

regsvr32.exepowershell.exe

pid process

3144 regsvr32.exe
3144 regsvr32.exe
2616 powershell.exe
2616 powershell.exe
2616 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2216 vlc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2616 powershell.exe

pid	process
2216	vlc.exe

pid	process
2216	vlc.exe

description	pid	process
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

regsvr32.exevlc.exe

pid	process
3144	regsvr32.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

vlc.exe

pid process

2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
2216 vlc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vlc.exeWINWORD.EXEWINWORD.EXE

pid process

2216 vlc.exe
1832 WINWORD.EXE
1420 WINWORD.EXE

pid	process
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe
2216	vlc.exe

pid	process
2216	vlc.exe
1832	WINWORD.EXE
1420	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 2616 wrote to memory of 424	2616	powershell.exe	cmd.exe
PID 2616 wrote to memory of 424	2616	powershell.exe	cmd.exe
PID 424 wrote to memory of 1136	424	cmd.exe	cmd.exe
PID 424 wrote to memory of 1136	424	cmd.exe	cmd.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\J5V5DR.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\system32\cmd.exe
cmd
3⤵
PID:1136

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointSuspend.wma"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointSuspend.wma"
1⤵
PID:3172

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ClearRevoke.mpa"
1⤵
PID:316

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\RepairGet.dot"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\RepairGet.dot"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
c69bffad12270d3d724997e3c49db5c6

SHA1
55e6e5b8f3d1e8431786267e3972ac5c48c8fd40

SHA256
146a81f5128d09a255e1d6fb00ee67c6e29358cda095da2e0c5d7d1b54c10346

SHA512
ea6410688a9f21e4f7de06ca8b046799a6fc20a72b9f232fb403f25dcde96b0600235bd0de689e40b564b5e80b4a10e3fecf6711b8629d155d005bed6b12b1fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
84eb40d9a3f68b7b40c520c1e38eb0d5

SHA1
836aecbb3ca4882cad9dfc405ce4b2086cf237a6

SHA256
c4e0e0c5a7ad2b2fcf390cbe443c1b6a6ea9a0a4a27bf5aac16e43e165910bf6

SHA512
d503bbefb970eecddb78bc53198c56d50711ae31ef4bb2e71c616228bf05bb6f1fddb449cad35c79cca83da1d154c1aba2b833f80cd56b2c495732116fdf4e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
306KB

MD5
299cf5ea41d183f6963a6c552c663fd9

SHA1
feffbb799532a9ee58e26a2943740ebaef610639

SHA256
019bd59bd49dcff430ab72c68525bd43b3c9eb286e20737220b1ac884937c2dd

SHA512
1b882bcb4151b5c9cbbfdbd55374b998b41a3e8911b9cb8ad861608d3f7c5956dcfb866858b9b11af84e0698e2b2ba442687ad76a5f435a15d83c190b636f23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
8KB

MD5
0086a8c5602f9aa78780851552dfb021

SHA1
722a2a737e44f174ad46f444bb6e19ee04cd211d

SHA256
e54155ea49ea91a63d5311b77d9afb578b88a1b3e0aa3c4cc83dc10f8aefc8d8

SHA512
ffb314c42057a575ed37cbdf566255e7172c7a42e30194e5d90bd684977ccea3ce37aa95e4a75ea17d768e06beeb04f56b3490ad69d27cebee778215d7e41b23

Download Submit
memory/424-192-0x0000000000000000-mapping.dmp

Download
memory/1136-193-0x0000000000000000-mapping.dmp

Download
memory/1420-195-0x00007FFE03070000-0x00007FFE03080000-memory.dmp

Filesize
64KB

Download
memory/1420-197-0x00007FFE03070000-0x00007FFE03080000-memory.dmp

Filesize
64KB

Download
memory/1420-196-0x00007FFE03070000-0x00007FFE03080000-memory.dmp

Filesize
64KB

Download
memory/1420-194-0x00007FFE03070000-0x00007FFE03080000-memory.dmp

Filesize
64KB

Download
memory/1420-206-0x00007FFDFF7B0000-0x00007FFDFF7C0000-memory.dmp

Filesize
64KB

Download
memory/1832-208-0x00007FFDFF7B0000-0x00007FFDFF7C0000-memory.dmp

Filesize
64KB

Download
memory/2616-156-0x00000217D5760000-0x00000217D57D6000-memory.dmp

Filesize
472KB

Download
memory/2616-145-0x00000217D5210000-0x00000217D524C000-memory.dmp

Filesize
240KB

Download
memory/2616-126-0x00000217D4F80000-0x00000217D4FA2000-memory.dmp

Filesize
136KB

Download
memory/3144-116-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing