icedid | de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b

General

Target

de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b.msi
Size

720KB
MD5

67d8f0f4203f74c7dc9c3ea8a00ab6b8
SHA1

ca6fd6caed882f183bc25963c4ea7f11923d7680
SHA256

de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b
SHA512

3b71d35bd608d6f1b970faeb641b9347dd48f686295b18ffac96f121c227c203527892ef298705687a9084bd2aca2171b23d52316c337891a63ef00e85c1b366
SSDEEP

12288:QwHL0D7lkCPumy9chfA+tl8B0igC+/NHBh1SMHs:lHL01/zyt+b8BtZKBzSE

Score

10^/10

icedid 787509923 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

787509923

C2

kamintrewftor.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

51 4824 rundll32.exe

flow	pid	process
51	4824	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

1040 MsiExec.exe
1524 rundll32.exe
4824 rundll32.exe

pid	process
1040	MsiExec.exe
1524	rundll32.exe
4824	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e585678.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5704.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5704.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5704.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EC6.tmp	msiexec.exe
File created	C:\Windows\Installer\e58567a.msi	msiexec.exe
File created	C:\Windows\Installer\e585678.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5704.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5704.tmp-\CustomAction.config	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

4824 rundll32.exe
4824 rundll32.exe
4824 rundll32.exe
4824 rundll32.exe
684 msiexec.exe
684 msiexec.exe
4824 rundll32.exe
4824 rundll32.exe

pid	process
4824	rundll32.exe
4824	rundll32.exe
4824	rundll32.exe
4824	rundll32.exe
684	msiexec.exe
684	msiexec.exe
4824	rundll32.exe
4824	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3048	msiexec.exe
Token: SeSecurityPrivilege	684	msiexec.exe
Token: SeCreateTokenPrivilege	3048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3048	msiexec.exe
Token: SeLockMemoryPrivilege	3048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3048	msiexec.exe
Token: SeMachineAccountPrivilege	3048	msiexec.exe
Token: SeTcbPrivilege	3048	msiexec.exe
Token: SeSecurityPrivilege	3048	msiexec.exe
Token: SeTakeOwnershipPrivilege	3048	msiexec.exe
Token: SeLoadDriverPrivilege	3048	msiexec.exe
Token: SeSystemProfilePrivilege	3048	msiexec.exe
Token: SeSystemtimePrivilege	3048	msiexec.exe
Token: SeProfSingleProcessPrivilege	3048	msiexec.exe
Token: SeIncBasePriorityPrivilege	3048	msiexec.exe
Token: SeCreatePagefilePrivilege	3048	msiexec.exe
Token: SeCreatePermanentPrivilege	3048	msiexec.exe
Token: SeBackupPrivilege	3048	msiexec.exe
Token: SeRestorePrivilege	3048	msiexec.exe
Token: SeShutdownPrivilege	3048	msiexec.exe
Token: SeDebugPrivilege	3048	msiexec.exe
Token: SeAuditPrivilege	3048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3048	msiexec.exe
Token: SeChangeNotifyPrivilege	3048	msiexec.exe
Token: SeRemoteShutdownPrivilege	3048	msiexec.exe
Token: SeUndockPrivilege	3048	msiexec.exe
Token: SeSyncAgentPrivilege	3048	msiexec.exe
Token: SeEnableDelegationPrivilege	3048	msiexec.exe
Token: SeManageVolumePrivilege	3048	msiexec.exe
Token: SeImpersonatePrivilege	3048	msiexec.exe
Token: SeCreateGlobalPrivilege	3048	msiexec.exe
Token: SeBackupPrivilege	4568	vssvc.exe
Token: SeRestorePrivilege	4568	vssvc.exe
Token: SeAuditPrivilege	4568	vssvc.exe
Token: SeBackupPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3048 msiexec.exe
3048 msiexec.exe

pid	process
3048	msiexec.exe
3048	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 684 wrote to memory of 2024	684	msiexec.exe	srtasks.exe
PID 684 wrote to memory of 2024	684	msiexec.exe	srtasks.exe
PID 684 wrote to memory of 1040	684	msiexec.exe	MsiExec.exe
PID 684 wrote to memory of 1040	684	msiexec.exe	MsiExec.exe
PID 1040 wrote to memory of 1524	1040	MsiExec.exe	rundll32.exe
PID 1040 wrote to memory of 1524	1040	MsiExec.exe	rundll32.exe
PID 1524 wrote to memory of 4824	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 4824	1524	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\de81ef356acc2e199252f8fe2a894c36c6e327d5efd3abaaa7df477f3942e33b.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2024

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 9FFB8B7C837094EA0C7CD8659CEA648F
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI5704.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670640 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp5A12.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5A12.dll
Filesize
269KB

MD5
fe23c1657eccf74fc9e485ded167f630

SHA1
f707f77dfb0f3f23da5e4dce506b4558208055ad

SHA256
afe2b43e94e5d692cef60520a7f7b144cedb1d91fe9b4ad49aa50a3a123c326a

SHA512
831324000bde8ca56652465e1ed33ea812369513e930a694a96f82b45b9f7e4aac8a21f5f6206da9dc75b4e38f4cc09f9d9cf71ad15c7ced0e44d7771a705a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A12.dll
Filesize
269KB

MD5
fe23c1657eccf74fc9e485ded167f630

SHA1
f707f77dfb0f3f23da5e4dce506b4558208055ad

SHA256
afe2b43e94e5d692cef60520a7f7b144cedb1d91fe9b4ad49aa50a3a123c326a

SHA512
831324000bde8ca56652465e1ed33ea812369513e930a694a96f82b45b9f7e4aac8a21f5f6206da9dc75b4e38f4cc09f9d9cf71ad15c7ced0e44d7771a705a89

Download Submit
C:\Windows\Installer\MSI5704.tmp
Filesize
413KB

MD5
b5a9278e30c10a94be5d8c7242eb1542

SHA1
0b9551bd0f7abc9c0a21014e73c4b5800420aee6

SHA256
e1bd934ca2a5b3cfc16f71758ffb0a00ec026eead4693409fa3a3af470935aff

SHA512
0f5e9a429c20b9eb089ab928022ea1dc3a45c3ac5b381274c33ff02c9f45bcca05d428db8221928e312540bc064afa7616d21f78ea050af41d2829c8c061161c

Download Submit
C:\Windows\Installer\MSI5704.tmp
Filesize
413KB

MD5
b5a9278e30c10a94be5d8c7242eb1542

SHA1
0b9551bd0f7abc9c0a21014e73c4b5800420aee6

SHA256
e1bd934ca2a5b3cfc16f71758ffb0a00ec026eead4693409fa3a3af470935aff

SHA512
0f5e9a429c20b9eb089ab928022ea1dc3a45c3ac5b381274c33ff02c9f45bcca05d428db8221928e312540bc064afa7616d21f78ea050af41d2829c8c061161c

Download Submit
C:\Windows\Installer\MSI5704.tmp
Filesize
413KB

MD5
b5a9278e30c10a94be5d8c7242eb1542

SHA1
0b9551bd0f7abc9c0a21014e73c4b5800420aee6

SHA256
e1bd934ca2a5b3cfc16f71758ffb0a00ec026eead4693409fa3a3af470935aff

SHA512
0f5e9a429c20b9eb089ab928022ea1dc3a45c3ac5b381274c33ff02c9f45bcca05d428db8221928e312540bc064afa7616d21f78ea050af41d2829c8c061161c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
59e202d95c4fc61729261105261036a0

SHA1
a359667783dbdd510d013cdfc4c30d65c5b86602

SHA256
7e480b8fe067607391fe5f4ccabf20b95f1e28e3a23efc40ab82b7a9ef27bd4e

SHA512
55bfd41dd2793c5a22cc8edd4b1189c252278b6214ede032986fd20024cb97d8f3f8541253d3f68df54004f6675a5a81c4318f8ccedcac1c847bc1246808f7a5

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{843cd9f0-2c6f-4e1e-9c1b-9dcde553683c}_OnDiskSnapshotProp
Filesize
5KB

MD5
1f7ed7e8ff6e10f8b89d9d3192647bb7

SHA1
8b901547ab1a91d851d4584357f691d0f59ce2da

SHA256
954a45f888db0d92f194de31a6345c3e9b14489cc976efbb024538f17ad7accf

SHA512
010832fa90af0f5d299809196c6de739c08498c03cb09f7cf1862b1e54fe54a14bca3d5d80b230bd99ca55f3ca17e9202be54c70721d111175e2be9cfeaaf34a

Download Submit
memory/1040-133-0x0000000000000000-mapping.dmp

Download
memory/1524-140-0x00000248E2920000-0x00000248E2990000-memory.dmp

Filesize
448KB

Download
memory/1524-139-0x00000248E0DE0000-0x00000248E0DEA000-memory.dmp

Filesize
40KB

Download
memory/1524-147-0x00007FFBDB3D0000-0x00007FFBDBE91000-memory.dmp

Filesize
10.8MB

Download
memory/1524-138-0x00000248E2720000-0x00000248E274E000-memory.dmp

Filesize
184KB

Download
memory/1524-136-0x0000000000000000-mapping.dmp

Download
memory/1524-153-0x00007FFBDB3D0000-0x00007FFBDBE91000-memory.dmp

Filesize
10.8MB

Download
memory/2024-132-0x0000000000000000-mapping.dmp

Download
memory/4824-141-0x0000000000000000-mapping.dmp

Download
memory/4824-144-0x000001FD62F70000-0x000001FD62F79000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads