icedid | a4843e1bfd7169fd3ff3207a39603ad4308dedb39dbf25a168cab916515f5104

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Request-09-27-document-235.iso
Size

1.9MB
MD5

c7f65fb3d817ac077f6c75c852caeb05
SHA1

3632792b1e1643402fc88e76ed2c1734cc2b4d86
SHA256

a4843e1bfd7169fd3ff3207a39603ad4308dedb39dbf25a168cab916515f5104
SHA512

d700144a63d491ddf33d5419e2b1a321abc34264de80d3e5f0e5982fe25d39637bf4f2f63d463b30dedb2128550de5b525f1753113ea5d9498bd36f36378523b
SSDEEP

6144:JEF/cCDQ2eyT3Zw+p0Yyvq1i6qz/QeQqHDT4xE:IcmQ2es3Zw+pRcq1i6qhjS

Score

10^/10

icedid 973312338 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

973312338

tezycronam.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

38 1560 rundll32.exe
40 1560 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1560 rundll32.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\E: cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1560 rundll32.exe
1560 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 4976 cmd.exe
Token: SeManageVolumePrivilege 4976 cmd.exe

flow	pid	process
38	1560	rundll32.exe
40	1560	rundll32.exe

pid	process
1560	rundll32.exe

description	ioc	process
File opened (read-only)	\??\E:	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

pid	process
1560	rundll32.exe
1560	rundll32.exe

description	pid	process
Token: SeManageVolumePrivilege	4976	cmd.exe
Token: SeManageVolumePrivilege	4976	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 432 wrote to memory of 1360	432	cmd.exe	xcopy.exe
PID 432 wrote to memory of 1360	432	cmd.exe	xcopy.exe
PID 432 wrote to memory of 1560	432	cmd.exe	rundll32.exe
PID 432 wrote to memory of 1560	432	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Request-09-27-document-235.iso
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\lab\highway.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h lab\counterstriking.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:1360

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\counterstriking.dat,#1
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\counterstriking.dat
Filesize
476KB

MD5
b08263e98ccb3df9a0c3fe0c73dc182d

SHA1
5ec73ca508dbb7cb78db7927c1d1cf9449527c2e

SHA256
71152944b4f8c0e57d77f75b509d46fe9ca20658d437c6983bbf766233b74cbf

SHA512
c7978d374ad9c21769355e06ee89c1b46486330357a155fe8ce13ed65741e41dc9a80568cdda57587b0c8e829bc00140e82cc4c3be8eb3304aa8c0c7f1de9e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\counterstriking.dat
Filesize
476KB

MD5
b08263e98ccb3df9a0c3fe0c73dc182d

SHA1
5ec73ca508dbb7cb78db7927c1d1cf9449527c2e

SHA256
71152944b4f8c0e57d77f75b509d46fe9ca20658d437c6983bbf766233b74cbf

SHA512
c7978d374ad9c21769355e06ee89c1b46486330357a155fe8ce13ed65741e41dc9a80568cdda57587b0c8e829bc00140e82cc4c3be8eb3304aa8c0c7f1de9e01

Download Submit
memory/1360-132-0x0000000000000000-mapping.dmp

Download
memory/1560-133-0x0000000000000000-mapping.dmp

Download
memory/1560-136-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1560-142-0x0000016219AC0000-0x0000016219AC6000-memory.dmp

Filesize
24KB

Download