icedid | ccd7754174dfdc55c49b61cbba9ed782d43b1f5fd9c5611251c7526bf83f058e

General

Target

b4a0138a637e4f800e62d91923dc7f77809ab6bf8f27d621502cbe82b06db485.dll
Size

13KB
MD5

e67a59efdb77392a37fdfc2c37db1391
SHA1

5599ea9e45eaeae3985bda51e35befc6c78cc098
SHA256

b4a0138a637e4f800e62d91923dc7f77809ab6bf8f27d621502cbe82b06db485
SHA512

e96cef3386767f2a00dd066f7646487a69be87388c7a1e468bb05b45ecd9172031ff87f9286545ae2bab70818e33ead255ebf63f37af97d9370320791519f961

Score

10^/10

icedid 168463318 banker collection core_payload suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

168463318

rsa_pubkey.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2812 regsvr32.exe

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

4236 net.exe
4084 net.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4536 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3272 systeminfo.exe

pid	process
4236	net.exe
4084	net.exe

pid	process
4536	ipconfig.exe

pid	process
3272	systeminfo.exe

Modifies registry class 2 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{4FBB62C9-7304-16E2-4C73-BD79D9268905}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{4FBB62C9-7304-16E2-4C73-BD79D9268905}\ = 6999ba44001dac8c46205674e115fb5bfaeca1bc168852ae76141aeb6f96436b0bf5d6a703522c8cf9af32c264f23fc7f406f7e87f638668eee643add8464bbd8c6b47267ee5dce68801c6c85a9d4db1e4c5c6cbdfb01d648e8cea9165d98bfd5d9cad169855e5c21f612a1669e02819cd21fcd95de3da3c2988a8d8d189ad01cf1cfc6823068d3a3dc601e679b08eaf151943bb93ec8812f7f7294a32c8602a43dd512576cb84a99bb3801b6c2b88f4ff71fd136631d4470552d8983ec9924f2073df02782ed001fc7ba85377a997e716e5733508a56260ac04fc696b128cff6ca09fad9216f3ef632351c67df087214b0d3bda9385e0718885	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe
2812	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe
Token: 36	4548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe
Token: 36	4548	WMIC.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

regsvr32.execmd.exenet.exe

description	pid	process	target process
PID 2812 wrote to memory of 4968	2812	regsvr32.exe	cmd.exe
PID 2812 wrote to memory of 4968	2812	regsvr32.exe	cmd.exe
PID 4968 wrote to memory of 4188	4968	cmd.exe	chcp.com
PID 4968 wrote to memory of 4188	4968	cmd.exe	chcp.com
PID 2812 wrote to memory of 4548	2812	regsvr32.exe	WMIC.exe
PID 2812 wrote to memory of 4548	2812	regsvr32.exe	WMIC.exe
PID 2812 wrote to memory of 4536	2812	regsvr32.exe	ipconfig.exe
PID 2812 wrote to memory of 4536	2812	regsvr32.exe	ipconfig.exe
PID 2812 wrote to memory of 3272	2812	regsvr32.exe	systeminfo.exe
PID 2812 wrote to memory of 3272	2812	regsvr32.exe	systeminfo.exe
PID 2812 wrote to memory of 4980	2812	regsvr32.exe	net.exe
PID 2812 wrote to memory of 4980	2812	regsvr32.exe	net.exe
PID 4980 wrote to memory of 1756	4980	net.exe	net1.exe
PID 4980 wrote to memory of 1756	4980	net.exe	net1.exe
PID 2812 wrote to memory of 2772	2812	regsvr32.exe	nltest.exe
PID 2812 wrote to memory of 2772	2812	regsvr32.exe	nltest.exe
PID 2812 wrote to memory of 4272	2812	regsvr32.exe	nltest.exe
PID 2812 wrote to memory of 4272	2812	regsvr32.exe	nltest.exe
PID 2812 wrote to memory of 4236	2812	regsvr32.exe	net.exe
PID 2812 wrote to memory of 4236	2812	regsvr32.exe	net.exe
PID 2812 wrote to memory of 4084	2812	regsvr32.exe	net.exe
PID 2812 wrote to memory of 4084	2812	regsvr32.exe	net.exe

outlook_office_path 1 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe

outlook_win_path 1 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b4a0138a637e4f800e62d91923dc7f77809ab6bf8f27d621502cbe82b06db485.dll
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2812

C:\Windows\system32\cmd.exe
cmd.exe /c chcp >&2
2⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\chcp.com
chcp
3⤵
PID:4188

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:4536

C:\Windows\system32\systeminfo.exe
systeminfo
2⤵
- Gathers system information
PID:3272

C:\Windows\system32\net.exe
net config workstation
2⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
3⤵
PID:1756

C:\Windows\system32\nltest.exe
nltest /domain_trusts
2⤵
PID:2772

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
2⤵
PID:4272

C:\Windows\system32\net.exe
net view /all /domain
2⤵
- Discovers systems in the same network
PID:4236

C:\Windows\system32\net.exe
net view /all
2⤵
- Discovers systems in the same network
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqlite64.dll
Filesize
1.8MB

MD5
26d773a69f6fad3200d49a7aaa77752b

SHA1
3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7

SHA256
fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5

SHA512
0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1756-141-0x0000000000000000-mapping.dmp

Download
memory/2772-143-0x0000000000000000-mapping.dmp

Download
memory/2812-130-0x00000000035E0000-0x0000000003639000-memory.dmp

Filesize
356KB

Download
memory/3272-139-0x0000000000000000-mapping.dmp

Download
memory/4084-147-0x0000000000000000-mapping.dmp

Download
memory/4188-136-0x0000000000000000-mapping.dmp

Download
memory/4236-145-0x0000000000000000-mapping.dmp

Download
memory/4272-144-0x0000000000000000-mapping.dmp

Download
memory/4536-138-0x0000000000000000-mapping.dmp

Download
memory/4548-137-0x0000000000000000-mapping.dmp

Download
memory/4968-135-0x0000000000000000-mapping.dmp

Download
memory/4980-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads