icedid | 2bd43175f33d5e03ae53c00541a357c3578a158f56d8b20b9099a45ccebc801a

General

Target

wild_will.msi
Size

720KB
MD5

12fef89480f3c38d0949f7fd9458856d
SHA1

8ed8d7bf9c6ffc2934e5c9773692ded50f87ceec
SHA256

2bd43175f33d5e03ae53c00541a357c3578a158f56d8b20b9099a45ccebc801a
SHA512

0b4e9035905c9da6e7b0d8e0eeda3f6e7b8522135aec15eea14b85bb0966b5058f3443aa054983f00918b29fd3e699efca3a49030ee195c7b3f09d6c667e2a2f
SSDEEP

12288:pwHL0D7vkCPumy9chfA+t78B0igC+/NHB01SlF1:2HL0f/zyt+x8BtZKB6SD

Score

10^/10

icedid 787509923 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

787509923

C2

kamintrewftor.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

51 1092 rundll32.exe

flow	pid	process
51	1092	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

2932 MsiExec.exe
5096 rundll32.exe
1092 rundll32.exe

pid	process
2932	MsiExec.exe
5096	rundll32.exe
1092	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e5834d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3592.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3592.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3592.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3592.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DEF.tmp	msiexec.exe
File created	C:\Windows\Installer\e5834d8.msi	msiexec.exe
File created	C:\Windows\Installer\e5834d6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3592.tmp-\test.cs.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

1092 rundll32.exe
1092 rundll32.exe
1092 rundll32.exe
1092 rundll32.exe
2624 msiexec.exe
2624 msiexec.exe
1092 rundll32.exe
1092 rundll32.exe

pid	process
1092	rundll32.exe
1092	rundll32.exe
1092	rundll32.exe
1092	rundll32.exe
2624	msiexec.exe
2624	msiexec.exe
1092	rundll32.exe
1092	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4976	msiexec.exe
Token: SeSecurityPrivilege	2624	msiexec.exe
Token: SeCreateTokenPrivilege	4976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4976	msiexec.exe
Token: SeLockMemoryPrivilege	4976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4976	msiexec.exe
Token: SeMachineAccountPrivilege	4976	msiexec.exe
Token: SeTcbPrivilege	4976	msiexec.exe
Token: SeSecurityPrivilege	4976	msiexec.exe
Token: SeTakeOwnershipPrivilege	4976	msiexec.exe
Token: SeLoadDriverPrivilege	4976	msiexec.exe
Token: SeSystemProfilePrivilege	4976	msiexec.exe
Token: SeSystemtimePrivilege	4976	msiexec.exe
Token: SeProfSingleProcessPrivilege	4976	msiexec.exe
Token: SeIncBasePriorityPrivilege	4976	msiexec.exe
Token: SeCreatePagefilePrivilege	4976	msiexec.exe
Token: SeCreatePermanentPrivilege	4976	msiexec.exe
Token: SeBackupPrivilege	4976	msiexec.exe
Token: SeRestorePrivilege	4976	msiexec.exe
Token: SeShutdownPrivilege	4976	msiexec.exe
Token: SeDebugPrivilege	4976	msiexec.exe
Token: SeAuditPrivilege	4976	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4976	msiexec.exe
Token: SeChangeNotifyPrivilege	4976	msiexec.exe
Token: SeRemoteShutdownPrivilege	4976	msiexec.exe
Token: SeUndockPrivilege	4976	msiexec.exe
Token: SeSyncAgentPrivilege	4976	msiexec.exe
Token: SeEnableDelegationPrivilege	4976	msiexec.exe
Token: SeManageVolumePrivilege	4976	msiexec.exe
Token: SeImpersonatePrivilege	4976	msiexec.exe
Token: SeCreateGlobalPrivilege	4976	msiexec.exe
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe
Token: SeBackupPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe
Token: SeTakeOwnershipPrivilege	2624	msiexec.exe
Token: SeRestorePrivilege	2624	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4976 msiexec.exe
4976 msiexec.exe

pid	process
4976	msiexec.exe
4976	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 2624 wrote to memory of 4712	2624	msiexec.exe	srtasks.exe
PID 2624 wrote to memory of 4712	2624	msiexec.exe	srtasks.exe
PID 2624 wrote to memory of 2932	2624	msiexec.exe	MsiExec.exe
PID 2624 wrote to memory of 2932	2624	msiexec.exe	MsiExec.exe
PID 2932 wrote to memory of 5096	2932	MsiExec.exe	rundll32.exe
PID 2932 wrote to memory of 5096	2932	MsiExec.exe	rundll32.exe
PID 5096 wrote to memory of 1092	5096	rundll32.exe	rundll32.exe
PID 5096 wrote to memory of 1092	5096	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wild_will.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4712

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 65D0D85A9C358FA53358A42734B050BF
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI3592.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240662062 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp388F.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp388F.dll
Filesize
269KB

MD5
c9c9eceda71bf20d0004e8b7c6396d0f

SHA1
1f72cabb64e1d9f02617d38ac00628304b4b6186

SHA256
637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac

SHA512
117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp388F.dll
Filesize
269KB

MD5
c9c9eceda71bf20d0004e8b7c6396d0f

SHA1
1f72cabb64e1d9f02617d38ac00628304b4b6186

SHA256
637cd9ccf15d57a50847fe566265575bc06e146e45673a0f47b96f9c12d212ac

SHA512
117ea65a2eef8b9a3a5d3e0f9d62c77d58df12d3bd8e6a7090c034536e8969b5b05b1a58b7e0b4a5444ffb585c3facf7d001c434a9c34db81d6c9dfc452e3870

Download Submit
C:\Windows\Installer\MSI3592.tmp
Filesize
413KB

MD5
cb3d847e4014f2681f11aa55d2eafb37

SHA1
27cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e

SHA256
f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70

SHA512
dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0

Download Submit
C:\Windows\Installer\MSI3592.tmp
Filesize
413KB

MD5
cb3d847e4014f2681f11aa55d2eafb37

SHA1
27cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e

SHA256
f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70

SHA512
dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0

Download Submit
C:\Windows\Installer\MSI3592.tmp
Filesize
413KB

MD5
cb3d847e4014f2681f11aa55d2eafb37

SHA1
27cf8bade4e787c4a3f51c9fd36f8c9f04c0b85e

SHA256
f9d0d10de2d66ff63916772e8d2b757f1502c823a3c39202709ffbb9a4725b70

SHA512
dc6b8167363a7f3cac3c37bd4db8b5d0e3ec4c97723874dd5073adf2de3c03665129ba7623aee7ec1d20beef54eba85d303f2cedecb86878b77ebe7ab18fbed0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
60ebbd34e80216aa818d122e5ddac7cc

SHA1
c3a7766c3dfb26ffbcb17a904074bb2801764b42

SHA256
873a0c7f7abc54634d055668e698f20685fa82ec01ffd25881a0435849a6cce2

SHA512
d552e0b8602f7accaf2a1ffb1810847642a49d18a25461064b7e354eff5688ce8acc8115c3879e411f4f8dd6ecf9c57d2876ef6ec12c6a981d99266f183ca89c

Download Submit
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e130cffa-f28a-4bdc-9d36-b0d45a197dcb}_OnDiskSnapshotProp
Filesize
5KB

MD5
b4bd4d7f103f48bb956716c7bc1bef9c

SHA1
828bc9a663d4e8b2524d832462ceca06ca9af694

SHA256
bdd48661637f3a8fc5d0f9dceddc1799d3bf81903ed867ef0155d6658b76f0fe

SHA512
ff183eafd06449bded1525dc02ea7a56a9aabdd44caaa05472dd85171ed00942b3cf926d8f8e47f71afbc5476541f228c56b2a439bd81bfc2ef2c6f28f6e4d11

Download Submit
memory/1092-145-0x0000019BD5CB0000-0x0000019BD5CB9000-memory.dmp

Filesize
36KB

Download
memory/1092-142-0x0000000000000000-mapping.dmp

Download
memory/2932-133-0x0000000000000000-mapping.dmp

Download
memory/4712-132-0x0000000000000000-mapping.dmp

Download
memory/5096-136-0x0000000000000000-mapping.dmp

Download
memory/5096-141-0x00007FFC657B0000-0x00007FFC66271000-memory.dmp

Filesize
10.8MB

Download
memory/5096-140-0x000001F8F85A0000-0x000001F8F8610000-memory.dmp

Filesize
448KB

Download
memory/5096-147-0x00007FFC657B0000-0x00007FFC66271000-memory.dmp

Filesize
10.8MB

Download
memory/5096-139-0x000001F8F84D0000-0x000001F8F84DA000-memory.dmp

Filesize
40KB

Download
memory/5096-138-0x000001F8F8500000-0x000001F8F852E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads