icedid | 773ffc701c7f24953e6126c129d29b1548aa92568087bcf3232bd0c8b838f8fb

General

Target

document_133_invoice#PDF.msi
Size

660KB
MD5

76bf2b13ab0bdb12c1b8fc474fb9984e
SHA1

8c90ecad73788a40c93ca6a6411c79c581216cee
SHA256

070f9169977c766c426e9c1a8161a40f54a068ef7cc1c3090d226e87dc890095
SHA512

8945defdd78c03c0e62ac636657835e70210afba5ade7a8f9eab8c6725371b30a9ad26820ed57a0d7fe2b5af6bf2ab18a06ed6adb35c6203ae0dfd1057fd01be
SSDEEP

12288:nwHL0D7CkCPumy9chfA+tO5O//M777777LwmqLuSgF3u:wHL0S/zyt+M5OX/qtF3u

Score

10^/10

icedid 764376559 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

764376559

C2

saintrefunda.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

16 428 rundll32.exe
42 428 rundll32.exe
44 428 rundll32.exe

flow	pid	process
16	428	rundll32.exe
42	428	rundll32.exe
44	428	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

440 MsiExec.exe
5016 rundll32.exe
428 rundll32.exe

pid	process
440	MsiExec.exe
5016	rundll32.exe
428	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13F5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13F5.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI13F5.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI13F5.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1ACC.tmp	msiexec.exe
File created	C:\Windows\Installer\e571369.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e571369.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13F5.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File created	C:\Windows\Installer\e57136b.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000045e03923b2b2bc3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000045e039230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090045e03923000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

3964 msiexec.exe
3964 msiexec.exe
428 rundll32.exe
428 rundll32.exe

pid	process
3964	msiexec.exe
3964	msiexec.exe
428	rundll32.exe
428	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3376	msiexec.exe
Token: SeSecurityPrivilege	3964	msiexec.exe
Token: SeCreateTokenPrivilege	3376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3376	msiexec.exe
Token: SeLockMemoryPrivilege	3376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3376	msiexec.exe
Token: SeMachineAccountPrivilege	3376	msiexec.exe
Token: SeTcbPrivilege	3376	msiexec.exe
Token: SeSecurityPrivilege	3376	msiexec.exe
Token: SeTakeOwnershipPrivilege	3376	msiexec.exe
Token: SeLoadDriverPrivilege	3376	msiexec.exe
Token: SeSystemProfilePrivilege	3376	msiexec.exe
Token: SeSystemtimePrivilege	3376	msiexec.exe
Token: SeProfSingleProcessPrivilege	3376	msiexec.exe
Token: SeIncBasePriorityPrivilege	3376	msiexec.exe
Token: SeCreatePagefilePrivilege	3376	msiexec.exe
Token: SeCreatePermanentPrivilege	3376	msiexec.exe
Token: SeBackupPrivilege	3376	msiexec.exe
Token: SeRestorePrivilege	3376	msiexec.exe
Token: SeShutdownPrivilege	3376	msiexec.exe
Token: SeDebugPrivilege	3376	msiexec.exe
Token: SeAuditPrivilege	3376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3376	msiexec.exe
Token: SeChangeNotifyPrivilege	3376	msiexec.exe
Token: SeRemoteShutdownPrivilege	3376	msiexec.exe
Token: SeUndockPrivilege	3376	msiexec.exe
Token: SeSyncAgentPrivilege	3376	msiexec.exe
Token: SeEnableDelegationPrivilege	3376	msiexec.exe
Token: SeManageVolumePrivilege	3376	msiexec.exe
Token: SeImpersonatePrivilege	3376	msiexec.exe
Token: SeCreateGlobalPrivilege	3376	msiexec.exe
Token: SeBackupPrivilege	1032	vssvc.exe
Token: SeRestorePrivilege	1032	vssvc.exe
Token: SeAuditPrivilege	1032	vssvc.exe
Token: SeBackupPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe
Token: SeTakeOwnershipPrivilege	3964	msiexec.exe
Token: SeRestorePrivilege	3964	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3376 msiexec.exe
3376 msiexec.exe

pid	process
3376	msiexec.exe
3376	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 3964 wrote to memory of 2036	3964	msiexec.exe	srtasks.exe
PID 3964 wrote to memory of 2036	3964	msiexec.exe	srtasks.exe
PID 3964 wrote to memory of 440	3964	msiexec.exe	MsiExec.exe
PID 3964 wrote to memory of 440	3964	msiexec.exe	MsiExec.exe
PID 440 wrote to memory of 5016	440	MsiExec.exe	rundll32.exe
PID 440 wrote to memory of 5016	440	MsiExec.exe	rundll32.exe
PID 5016 wrote to memory of 428	5016	rundll32.exe	rundll32.exe
PID 5016 wrote to memory of 428	5016	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\document_133_invoice#PDF.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2036

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 6B754554FB7A452E1C892055FEDEA6F4
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI13F5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240587921 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1731.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1731.dll
Filesize
209KB

MD5
9cdcf94f409858d32e40e9aef7d271da

SHA1
c6d3606543c811e6d358ae4a922b6b33c2166a65

SHA256
9a9a70427875d55a1ee596b0e7066021d2bbf51b47b2421de8bb098ac47e473c

SHA512
94e09710d881a6e7a143eab3c6cd2e04c6fe79cfa5980ea514c5a4130a7f160f6452b71bc4b58ceffc67c3d92ee20e72bb76745b551caf41d440ce91dc3e78f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1731.dll
Filesize
209KB

MD5
9cdcf94f409858d32e40e9aef7d271da

SHA1
c6d3606543c811e6d358ae4a922b6b33c2166a65

SHA256
9a9a70427875d55a1ee596b0e7066021d2bbf51b47b2421de8bb098ac47e473c

SHA512
94e09710d881a6e7a143eab3c6cd2e04c6fe79cfa5980ea514c5a4130a7f160f6452b71bc4b58ceffc67c3d92ee20e72bb76745b551caf41d440ce91dc3e78f0

Download Submit
C:\Windows\Installer\MSI13F5.tmp
Filesize
413KB

MD5
36d4ec822441ec5f0e0b4c10e15efb7e

SHA1
da738e9e0b85ac72662c5cd3f08ce75f12cb0abb

SHA256
a928e3d91e8fbff0a66c704ded9c8b667bd37e190cd8496e72dfc7bd1635a564

SHA512
64c7146993c09d486480767cc9db516aba9d7b27898d8c94c6ea82de485445527f9743319c8b33cdd4dc4877a852007e66c6a081f28204566c9a7865175646a0

Download Submit
C:\Windows\Installer\MSI13F5.tmp
Filesize
413KB

MD5
36d4ec822441ec5f0e0b4c10e15efb7e

SHA1
da738e9e0b85ac72662c5cd3f08ce75f12cb0abb

SHA256
a928e3d91e8fbff0a66c704ded9c8b667bd37e190cd8496e72dfc7bd1635a564

SHA512
64c7146993c09d486480767cc9db516aba9d7b27898d8c94c6ea82de485445527f9743319c8b33cdd4dc4877a852007e66c6a081f28204566c9a7865175646a0

Download Submit
C:\Windows\Installer\MSI13F5.tmp
Filesize
413KB

MD5
36d4ec822441ec5f0e0b4c10e15efb7e

SHA1
da738e9e0b85ac72662c5cd3f08ce75f12cb0abb

SHA256
a928e3d91e8fbff0a66c704ded9c8b667bd37e190cd8496e72dfc7bd1635a564

SHA512
64c7146993c09d486480767cc9db516aba9d7b27898d8c94c6ea82de485445527f9743319c8b33cdd4dc4877a852007e66c6a081f28204566c9a7865175646a0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
11.8MB

MD5
7da2b4f97668c3071344c93ce9980457

SHA1
77fc0d366ddae2da16cec6b235075af7bf063cbc

SHA256
4649e1c66f9a041938a95b9882d9dcf38c7ef5915c38283ae8162be1194dde49

SHA512
61826469e9cc457612db945296b6a1212c946345e197ce46ac347c497f722de232bf1748d0354c0cc0aab5fb2567d3409cd43c36659f44c25e99ec5604196493

Download Submit
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5f6642db-c50e-485c-9329-120b6c645b04}_OnDiskSnapshotProp
Filesize
5KB

MD5
bcdcf4622d1f9f825ec70585b6e0d78f

SHA1
d3e041d2b5597e260aff7554590080c4d9e614b2

SHA256
5dca71e2f8fbc2223cc5f53a9275c183ff7f34f9ddb37f86eda8820028373816

SHA512
af70c2ba2efb5f7a2b1b85541413263279cfd57533f3004c8304530659d2d1e87923fbc02b7c5e6422881b87929b70dce07e99609e5fc2d2a36deb090ab21e2c

Download Submit
memory/428-145-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/428-142-0x0000000000000000-mapping.dmp

Download
memory/440-133-0x0000000000000000-mapping.dmp

Download
memory/2036-132-0x0000000000000000-mapping.dmp

Download
memory/5016-136-0x0000000000000000-mapping.dmp

Download
memory/5016-141-0x00007FFCAA180000-0x00007FFCAAC41000-memory.dmp

Filesize
10.8MB

Download
memory/5016-140-0x000002C2A9A90000-0x000002C2A9B00000-memory.dmp

Filesize
448KB

Download
memory/5016-148-0x00007FFCAA180000-0x00007FFCAAC41000-memory.dmp

Filesize
10.8MB

Download
memory/5016-139-0x000002C28FB00000-0x000002C28FB0A000-memory.dmp

Filesize
40KB

Download
memory/5016-138-0x000002C291550000-0x000002C29157E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads