icedid | f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678

General

Target

f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678.msi
Size

720KB
MD5

123e08900a96c6f2f8edf6f7c8658436
SHA1

da2ab9ffa5011065e3caf4a6ee539790e514ab2f
SHA256

f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678
SHA512

9c43da596de9b358798adb049e87c02ff13641d4b6f5449d1f9f94b50c798f45a30cc4ef7086102deb22027b4c6366b888981ac68c3d998685332c2b021ae9f8
SSDEEP

12288:mwHL0D7BkCPumy9chfA+tk8B0igC+/NHBQ1SdwS:PHL0R/zyt++8BtZKBmS+

Score

10^/10

icedid 787509923 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

787509923

C2

kamintrewftor.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

21 1872 rundll32.exe
71 1872 rundll32.exe

flow	pid	process
21	1872	rundll32.exe
71	1872	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

4604 MsiExec.exe
1948 rundll32.exe
1872 rundll32.exe

pid	process
4604	MsiExec.exe
1948	rundll32.exe
1872	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File created	C:\Windows\Installer\e572afa.msi	msiexec.exe
File created	C:\Windows\Installer\e572af8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C50.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2C50.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\e572af8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C50.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2C50.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3365.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

1872 rundll32.exe
1872 rundll32.exe
4716 msiexec.exe
4716 msiexec.exe
1872 rundll32.exe
1872 rundll32.exe
1872 rundll32.exe
1872 rundll32.exe

pid	process
1872	rundll32.exe
1872	rundll32.exe
4716	msiexec.exe
4716	msiexec.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4648	msiexec.exe
Token: SeSecurityPrivilege	4716	msiexec.exe
Token: SeCreateTokenPrivilege	4648	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4648	msiexec.exe
Token: SeLockMemoryPrivilege	4648	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4648	msiexec.exe
Token: SeMachineAccountPrivilege	4648	msiexec.exe
Token: SeTcbPrivilege	4648	msiexec.exe
Token: SeSecurityPrivilege	4648	msiexec.exe
Token: SeTakeOwnershipPrivilege	4648	msiexec.exe
Token: SeLoadDriverPrivilege	4648	msiexec.exe
Token: SeSystemProfilePrivilege	4648	msiexec.exe
Token: SeSystemtimePrivilege	4648	msiexec.exe
Token: SeProfSingleProcessPrivilege	4648	msiexec.exe
Token: SeIncBasePriorityPrivilege	4648	msiexec.exe
Token: SeCreatePagefilePrivilege	4648	msiexec.exe
Token: SeCreatePermanentPrivilege	4648	msiexec.exe
Token: SeBackupPrivilege	4648	msiexec.exe
Token: SeRestorePrivilege	4648	msiexec.exe
Token: SeShutdownPrivilege	4648	msiexec.exe
Token: SeDebugPrivilege	4648	msiexec.exe
Token: SeAuditPrivilege	4648	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4648	msiexec.exe
Token: SeChangeNotifyPrivilege	4648	msiexec.exe
Token: SeRemoteShutdownPrivilege	4648	msiexec.exe
Token: SeUndockPrivilege	4648	msiexec.exe
Token: SeSyncAgentPrivilege	4648	msiexec.exe
Token: SeEnableDelegationPrivilege	4648	msiexec.exe
Token: SeManageVolumePrivilege	4648	msiexec.exe
Token: SeImpersonatePrivilege	4648	msiexec.exe
Token: SeCreateGlobalPrivilege	4648	msiexec.exe
Token: SeBackupPrivilege	4208	vssvc.exe
Token: SeRestorePrivilege	4208	vssvc.exe
Token: SeAuditPrivilege	4208	vssvc.exe
Token: SeBackupPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe
Token: SeTakeOwnershipPrivilege	4716	msiexec.exe
Token: SeRestorePrivilege	4716	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4648 msiexec.exe
4648 msiexec.exe

pid	process
4648	msiexec.exe
4648	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4716 wrote to memory of 1580	4716	msiexec.exe	srtasks.exe
PID 4716 wrote to memory of 1580	4716	msiexec.exe	srtasks.exe
PID 4716 wrote to memory of 4604	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 4604	4716	msiexec.exe	MsiExec.exe
PID 4604 wrote to memory of 1948	4604	MsiExec.exe	rundll32.exe
PID 4604 wrote to memory of 1948	4604	MsiExec.exe	rundll32.exe
PID 1948 wrote to memory of 1872	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1872	1948	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f677d2fffd8bce6f18a28b156c937e1e28a83bb2a29e2470e76d9314c2168678.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1580

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 8151345698451E24115F56C39B61E64E
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI2C50.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240594203 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll
Filesize
269KB

MD5
c7ca67a72a6cad3fc366e6e172539859

SHA1
fd1855605f49c59a0894f7a8b848303eb099f496

SHA256
c705008b6656feabe462ebb2363d6a259581cea574872cb1c6c440dbd23ad4fa

SHA512
5727151a1e2680fd482fa8a882ead4242c1f96b4119f0c7672fc7a5b5d2df8a226b15dc69f6ce0f7ccfe17510f21a0af4c23ecb000bda6f29252daf724c16fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F8C.dll
Filesize
269KB

MD5
c7ca67a72a6cad3fc366e6e172539859

SHA1
fd1855605f49c59a0894f7a8b848303eb099f496

SHA256
c705008b6656feabe462ebb2363d6a259581cea574872cb1c6c440dbd23ad4fa

SHA512
5727151a1e2680fd482fa8a882ead4242c1f96b4119f0c7672fc7a5b5d2df8a226b15dc69f6ce0f7ccfe17510f21a0af4c23ecb000bda6f29252daf724c16fbd

Download Submit
C:\Windows\Installer\MSI2C50.tmp
Filesize
413KB

MD5
58764e57acbeec211e0dc2d07ca2fb3e

SHA1
018b975e148ea657253a8dfd1f78fbf6d7de680b

SHA256
13954d45b324ba4c5c4148cbd469289e62f783b0304aba398cf426a993a5a379

SHA512
52a383131ae466a4ddf72801e7c6832c6508a5caa54f67ef4c09d3658a175a0a85c2d5609ead9c418779b4c14dd7bac5cde8557415d52bed3d22204d12ab07af

Download Submit
C:\Windows\Installer\MSI2C50.tmp
Filesize
413KB

MD5
58764e57acbeec211e0dc2d07ca2fb3e

SHA1
018b975e148ea657253a8dfd1f78fbf6d7de680b

SHA256
13954d45b324ba4c5c4148cbd469289e62f783b0304aba398cf426a993a5a379

SHA512
52a383131ae466a4ddf72801e7c6832c6508a5caa54f67ef4c09d3658a175a0a85c2d5609ead9c418779b4c14dd7bac5cde8557415d52bed3d22204d12ab07af

Download Submit
C:\Windows\Installer\MSI2C50.tmp
Filesize
413KB

MD5
58764e57acbeec211e0dc2d07ca2fb3e

SHA1
018b975e148ea657253a8dfd1f78fbf6d7de680b

SHA256
13954d45b324ba4c5c4148cbd469289e62f783b0304aba398cf426a993a5a379

SHA512
52a383131ae466a4ddf72801e7c6832c6508a5caa54f67ef4c09d3658a175a0a85c2d5609ead9c418779b4c14dd7bac5cde8557415d52bed3d22204d12ab07af

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
67ea86fb6b950faf156f1ad9f9d30c87

SHA1
b49ed0e0142430b4c241d40c1feb58913ffc2319

SHA256
fe9257ad25657541567aeb42c595f00f7d37ca3da871f3d0955351f07e1a3ccb

SHA512
a2a6758356af4ef552c0601488bc6055f1a404ac6b3750ddf45cfdd8e6b3d1d31335aa6d1f8cb9a2db0ab23b6914c01b44f5b6597d35c20557d8316c38e5a78a

Download Submit
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f083348a-6b00-4437-92b8-435b93af2d4c}_OnDiskSnapshotProp
Filesize
5KB

MD5
4e8850eea41c28c8c8f5741ae48278af

SHA1
d88cb3ee06a7953f47b6947c1615271a98d729a7

SHA256
505d01e171a1669b1ed0a18ecade0e0625defc5ef34eb32913152858839f05c1

SHA512
8694103d441a4874c5d5e9b78326706acf8089243a026c1588a4f233fc2f5a5933dd72b2d9e93250e8b268f57c8065f0af36d12d910764602396a2f7a48e57fe

Download Submit
memory/1580-132-0x0000000000000000-mapping.dmp

Download
memory/1872-144-0x0000022202E10000-0x0000022202E19000-memory.dmp

Filesize
36KB

Download
memory/1872-141-0x0000000000000000-mapping.dmp

Download
memory/1948-140-0x00000239DD620000-0x00000239DD690000-memory.dmp

Filesize
448KB

Download
memory/1948-139-0x00000239C4ED0000-0x00000239C4EDA000-memory.dmp

Filesize
40KB

Download
memory/1948-145-0x00007FF963960000-0x00007FF964421000-memory.dmp

Filesize
10.8MB

Download
memory/1948-138-0x00000239C4EE0000-0x00000239C4F0E000-memory.dmp

Filesize
184KB

Download
memory/1948-136-0x0000000000000000-mapping.dmp

Download
memory/1948-153-0x00007FF963960000-0x00007FF964421000-memory.dmp

Filesize
10.8MB

Download
memory/4604-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads