icedid | c942a533bd1c751d840bcad0fcb2a0a8ef986ce1baf95bd10ca6937fcb18ed5e

General

Target

INV871623.txt.lnk
Size

1KB
MD5

7c1073209e40cb0957e097eb86ae4d79
SHA1

fd8b3b87f44bfef8f5a7af23adf496b5494eaf01
SHA256

1202a0e6d4b0282bcade76291346b5b410f05e05c978c087147a4c2006d69b42
SHA512

ac6b78c0657388119e3c7d70c3b708ffbdc643965dcd9d11240b96110559b5e24409bc34921fa700bdeb39c16d37b40b6c1b83420f302137a46c84ca66e61406

Score

10^/10

icedid 1825398430 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

1825398430

C2

ciaontroni.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 4024 rundll32.exe

flow	pid	process
2	4024	rundll32.exe

Drops file in Windows directory 3 IoCs

Processes:

taskmgr.exeNOTEPAD.EXE

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	NOTEPAD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 34 IoCs

Processes:

NOTEPAD.EXEpowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3428 NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exerundll32.exetaskmgr.exe

pid	process
2416	powershell.exe
2416	powershell.exe
2416	powershell.exe
4024	rundll32.exe
4024	rundll32.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

NOTEPAD.EXEtaskmgr.exe

pid process

3428 NOTEPAD.EXE
4548 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	4548	taskmgr.exe
Token: SeSystemProfilePrivilege	4548	taskmgr.exe
Token: SeCreateGlobalPrivilege	4548	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NOTEPAD.EXEtaskmgr.exe

pid	process
3428	NOTEPAD.EXE
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe
4548	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NOTEPAD.EXE

pid process

3428 NOTEPAD.EXE
3428 NOTEPAD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1908 wrote to memory of 2416	1908	cmd.exe	powershell.exe
PID 1908 wrote to memory of 2416	1908	cmd.exe	powershell.exe
PID 2416 wrote to memory of 3428	2416	powershell.exe	NOTEPAD.EXE
PID 2416 wrote to memory of 3428	2416	powershell.exe	NOTEPAD.EXE
PID 2416 wrote to memory of 4024	2416	powershell.exe	rundll32.exe
PID 2416 wrote to memory of 4024	2416	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\INV871623.txt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file THjkgeCbhjm.ps1
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\notice.txt
3⤵
- Drops file in Windows directory
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" 768327532892733679.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-114-0x0000000000000000-mapping.dmp

Download
memory/2416-119-0x000001A4FB940000-0x000001A4FB962000-memory.dmp

Filesize
136KB

Download
memory/2416-127-0x000001A4FC630000-0x000001A4FC6A6000-memory.dmp

Filesize
472KB

Download
memory/3428-146-0x0000000000000000-mapping.dmp

Download
memory/4024-147-0x0000000000000000-mapping.dmp

Download
memory/4024-149-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads