icedid | b53d396ac76c035173b98f3427eb3ee2841fb1bbec358e6bdabe844e052565ab

General

Target

Invoice_PDF#3323.iso
Size

1.0MB
MD5

9b5215624a292a67f7509361b5dda6cc
SHA1

36ff1eb10897ec793952ec048c66bf49405bf3b6
SHA256

04dfc89aacade90557c6006bc54fc9055c7e813f1b8d9f036b32f2cc2256e319
SHA512

22c6705da86e02e74e77a9685003513d1b9c77dfcaef050b29412e004c5415b369ee6066c8fe2bbb67c15f08728795fb011236972599ed83264b4c92f378ee57
SSDEEP

24576:0NSuK0NnWHpHpNHH2w2wywFHHyH5HGw9G:buKEWHpHpNHH2w2wywFHHyH5HGw9G

Score

10^/10

icedid 2399258081 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2399258081

C2

eysneolissionsm.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exerundll32.exe

flow	pid	process
4	1100	rundll32.exe
5	756	rundll32.exe
6	1100	rundll32.exe
7	756	rundll32.exe
8	1100	rundll32.exe
9	756	rundll32.exe
10	1100	rundll32.exe
11	756	rundll32.exe
12	1100	rundll32.exe
13	756	rundll32.exe
15	1100	rundll32.exe
16	756	rundll32.exe
17	1100	rundll32.exe
18	756	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1100 rundll32.exe
1100 rundll32.exe
756 rundll32.exe
756 rundll32.exe

pid	process
1100	rundll32.exe
1100	rundll32.exe
756	rundll32.exe
756	rundll32.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

7zG.exe7zG.exeAUDIODG.EXE7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	1984	7zG.exe
Token: 35	1984	7zG.exe
Token: SeSecurityPrivilege	1984	7zG.exe
Token: SeSecurityPrivilege	1984	7zG.exe
Token: SeRestorePrivilege	1800	7zG.exe
Token: 35	1800	7zG.exe
Token: SeSecurityPrivilege	1800	7zG.exe
Token: SeSecurityPrivilege	1800	7zG.exe
Token: 33	896	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	896	AUDIODG.EXE
Token: 33	896	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	896	AUDIODG.EXE
Token: SeRestorePrivilege	1772	7zG.exe
Token: 35	1772	7zG.exe
Token: SeSecurityPrivilege	1772	7zG.exe
Token: SeSecurityPrivilege	1772	7zG.exe
Token: SeRestorePrivilege	1576	7zG.exe
Token: 35	1576	7zG.exe
Token: SeSecurityPrivilege	1576	7zG.exe
Token: SeSecurityPrivilege	1576	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zG.exe7zG.exe7zG.exe7zG.exe

pid process

1984 7zG.exe
1800 7zG.exe
1772 7zG.exe
1576 7zG.exe

pid	process
1984	7zG.exe
1800	7zG.exe
1772	7zG.exe
1576	7zG.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 1332	1964	cmd.exe	isoburn.exe
PID 1964 wrote to memory of 1332	1964	cmd.exe	isoburn.exe
PID 1964 wrote to memory of 1332	1964	cmd.exe	isoburn.exe
PID 1824 wrote to memory of 964	1824	WScript.exe	cmd.exe
PID 1824 wrote to memory of 964	1824	WScript.exe	cmd.exe
PID 1824 wrote to memory of 964	1824	WScript.exe	cmd.exe
PID 964 wrote to memory of 1100	964	cmd.exe	rundll32.exe
PID 964 wrote to memory of 1100	964	cmd.exe	rundll32.exe
PID 964 wrote to memory of 1100	964	cmd.exe	rundll32.exe
PID 1916 wrote to memory of 776	1916	WScript.exe	cmd.exe
PID 1916 wrote to memory of 776	1916	WScript.exe	cmd.exe
PID 1916 wrote to memory of 776	1916	WScript.exe	cmd.exe
PID 776 wrote to memory of 756	776	cmd.exe	rundll32.exe
PID 776 wrote to memory of 756	776	cmd.exe	rundll32.exe
PID 776 wrote to memory of 756	776	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323.iso
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323.iso"
2⤵
PID:1332

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1016

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:1304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323\" -ad -an -ai#7zMap5429:112:7zEvent29674
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1984

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323\" -ad -an -ai#7zMap20945:112:7zEvent8065
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1800

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x240
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323\" -spe -an -ai#7zMap8893:112:7zEvent21838
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1772

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap5751:90:7zEvent11836
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\unamortized\unquestioninglySheltered.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\cmd.exe
cmd /c ""C:\unamortized\suspiciousEns.cmd" DLL"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\rundll32.exe
runDLL32 unamortized\greenflies.db,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\unamortized\unquestioninglySheltered.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\cmd.exe
cmd /c ""C:\unamortized\suspiciousEns.cmd" DLL"
2⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\rundll32.exe
runDLL32 unamortized\greenflies.db,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Windows\system32\cmd.exe
cmd /c ""C:\unamortized\suspiciousEns.cmd" "
1⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-94-0x0000000000000000-mapping.dmp

Download
memory/776-93-0x0000000000000000-mapping.dmp

Download
memory/964-90-0x0000000000000000-mapping.dmp

Download
memory/1100-91-0x0000000000000000-mapping.dmp

Download
memory/1100-95-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1100-101-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/1332-76-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads