icedid | 59ddf7fd2901ffddc12d730d41a59ef51a0cf834145bcf883d8c1106b6aad0c7

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-06-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

demand_letter.jpg.lnk
Size

1KB
MD5

d01dc2fbb602e1058ae56f07fe895513
SHA1

decf03519d25e17b858d398d299b082ecf7e1fd1
SHA256

1040fce86562017f6eea2e609d1e7a49e928d140ac0e3bb30fd290f2b29d117b
SHA512

da7e540394e342db69fefa0c84d55d20e96f4e1764bb32fd4f87bd332b22d6a8b8923453aad2ab1f478200797fbdc68b8eddb618a8e2bc8e813e9f6c1bf08365

Score

10^/10

icedid 3239568078 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

3239568078

carbrownleger.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

11 2296 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

688 powershell.exe
688 powershell.exe
2296 rundll32.exe
2296 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 688 powershell.exe

flow	pid	process
11	2296	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
688	powershell.exe
688	powershell.exe
2296	rundll32.exe
2296	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	688	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 4776 wrote to memory of 688	4776	cmd.exe	powershell.exe
PID 4776 wrote to memory of 688	4776	cmd.exe	powershell.exe
PID 688 wrote to memory of 2296	688	powershell.exe	rundll32.exe
PID 688 wrote to memory of 2296	688	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\demand_letter.jpg.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file vGhhsvfLkp.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" 878.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-130-0x0000000000000000-mapping.dmp

Download
memory/688-131-0x0000028AB0850000-0x0000028AB0872000-memory.dmp

Filesize
136KB

Download
memory/688-132-0x00007FFFFB5B0000-0x00007FFFFC071000-memory.dmp

Filesize
10.8MB

Download
memory/688-134-0x00007FFFFB5B0000-0x00007FFFFC071000-memory.dmp

Filesize
10.8MB

Download
memory/2296-133-0x0000000000000000-mapping.dmp

Download
memory/2296-135-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download