icedid | a3abf56ea83bcb770e4b61745b05d670530d29ae50d9f1bd11cd931cc898a755

General

Target

Document_07-12-2022_20-09-12_PDF.msi
Size

1.2MB
MD5

8b0c350a9acf409690db50979fa8628e
SHA1

fa2bc04d301093a448d78560f86ad9b60930027d
SHA256

99dfb7baafec050861e152a036af86fc0c7663f3c719d58a56dfd9f06f4b8cef
SHA512

01a685fb5a461261baaa15188565ca816712fe3b86a9776cc3b0941c4031a59b324d647446f88e0485d1b5ae60214bb35798341b24cc486fdc758cfec89d5bfc
SSDEEP

24576:wHL0tNrx5zH8h2q1ioC7ZTVVT+XirpTs7sx0QBnoNjla+idlpdIFyF3N0:wr0tNrxeB1BG/F+uTsAx0tlpidvdkyFC

Score

10^/10

icedid 1234857371 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1234857371

C2

ewgahskoot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

29 388 rundll32.exe
47 388 rundll32.exe
48 388 rundll32.exe

flow	pid	process
29	388	rundll32.exe
47	388	rundll32.exe
48	388	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

548 MsiExec.exe
804 rundll32.exe
388 rundll32.exe

pid	process
548	MsiExec.exe
804	rundll32.exe
388	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI1712.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1712.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1712.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e571647.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1712.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1712.tmp-\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI251D.tmp	msiexec.exe
File created	C:\Windows\Installer\e571649.msi	msiexec.exe
File created	C:\Windows\Installer\e571647.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000045e03923b2b2bc3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000045e039230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090045e03923000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000045e0392300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

1208 msiexec.exe
1208 msiexec.exe
388 rundll32.exe
388 rundll32.exe

pid	process
1208	msiexec.exe
1208	msiexec.exe
388	rundll32.exe
388	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	476	msiexec.exe
Token: SeSecurityPrivilege	1208	msiexec.exe
Token: SeCreateTokenPrivilege	476	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	476	msiexec.exe
Token: SeLockMemoryPrivilege	476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	476	msiexec.exe
Token: SeMachineAccountPrivilege	476	msiexec.exe
Token: SeTcbPrivilege	476	msiexec.exe
Token: SeSecurityPrivilege	476	msiexec.exe
Token: SeTakeOwnershipPrivilege	476	msiexec.exe
Token: SeLoadDriverPrivilege	476	msiexec.exe
Token: SeSystemProfilePrivilege	476	msiexec.exe
Token: SeSystemtimePrivilege	476	msiexec.exe
Token: SeProfSingleProcessPrivilege	476	msiexec.exe
Token: SeIncBasePriorityPrivilege	476	msiexec.exe
Token: SeCreatePagefilePrivilege	476	msiexec.exe
Token: SeCreatePermanentPrivilege	476	msiexec.exe
Token: SeBackupPrivilege	476	msiexec.exe
Token: SeRestorePrivilege	476	msiexec.exe
Token: SeShutdownPrivilege	476	msiexec.exe
Token: SeDebugPrivilege	476	msiexec.exe
Token: SeAuditPrivilege	476	msiexec.exe
Token: SeSystemEnvironmentPrivilege	476	msiexec.exe
Token: SeChangeNotifyPrivilege	476	msiexec.exe
Token: SeRemoteShutdownPrivilege	476	msiexec.exe
Token: SeUndockPrivilege	476	msiexec.exe
Token: SeSyncAgentPrivilege	476	msiexec.exe
Token: SeEnableDelegationPrivilege	476	msiexec.exe
Token: SeManageVolumePrivilege	476	msiexec.exe
Token: SeImpersonatePrivilege	476	msiexec.exe
Token: SeCreateGlobalPrivilege	476	msiexec.exe
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe
Token: SeBackupPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe
Token: SeTakeOwnershipPrivilege	1208	msiexec.exe
Token: SeRestorePrivilege	1208	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

476 msiexec.exe
476 msiexec.exe

pid	process
476	msiexec.exe
476	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 1208 wrote to memory of 4812	1208	msiexec.exe	srtasks.exe
PID 1208 wrote to memory of 4812	1208	msiexec.exe	srtasks.exe
PID 1208 wrote to memory of 548	1208	msiexec.exe	MsiExec.exe
PID 1208 wrote to memory of 548	1208	msiexec.exe	MsiExec.exe
PID 548 wrote to memory of 804	548	MsiExec.exe	rundll32.exe
PID 548 wrote to memory of 804	548	MsiExec.exe	rundll32.exe
PID 804 wrote to memory of 388	804	rundll32.exe	rundll32.exe
PID 804 wrote to memory of 388	804	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Document_07-12-2022_20-09-12_PDF.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4812

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding A53ECD0631F0753E423B8D4A310A811D
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI1712.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240588750 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp1DAA.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1DAA.dll
Filesize
821KB

MD5
78bb5b0c9f7e2d5cabf36deee8941d80

SHA1
c988e68e09364ffbfaafc5036ae98b91144b3aa2

SHA256
b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

SHA512
5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DAA.dll
Filesize
821KB

MD5
78bb5b0c9f7e2d5cabf36deee8941d80

SHA1
c988e68e09364ffbfaafc5036ae98b91144b3aa2

SHA256
b99aba08a984359703f765f57ea9714232baf2397d774cd8ed81258c1c4896fc

SHA512
5c7e22342a35f963576cdf3a5129a57af7526d2d61ba7fdec6c96014790168f540c810e43180a7f19f3ee86b5bb3c044d972d9783606db1d07b83c1dbfa34c7b

Download Submit
C:\Windows\Installer\MSI1712.tmp
Filesize
413KB

MD5
c3b8eb5198620adf3d33b703c40bcfa1

SHA1
acc7e2cbcff2746762f793360b34d7aabcec116a

SHA256
bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e

SHA512
2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd

Download Submit
C:\Windows\Installer\MSI1712.tmp
Filesize
413KB

MD5
c3b8eb5198620adf3d33b703c40bcfa1

SHA1
acc7e2cbcff2746762f793360b34d7aabcec116a

SHA256
bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e

SHA512
2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd

Download Submit
C:\Windows\Installer\MSI1712.tmp
Filesize
413KB

MD5
c3b8eb5198620adf3d33b703c40bcfa1

SHA1
acc7e2cbcff2746762f793360b34d7aabcec116a

SHA256
bedda762c46f1c6908223c34d24039ebffae88f8c6c87873065e112a530c208e

SHA512
2255164ba7a4b4b9c6a50868344175e3b4f5a8906ad29ee1cb19e1147427b1175c49ab1b158c772c11b7c77a846cf603cceea8148559f0acb285da4fb14418fd

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
11.8MB

MD5
8073c0494b4d83ad79dd0f428f4b3d85

SHA1
3bcb31468755edea99d55322dfb2896dabf20ab6

SHA256
973a8a5f36b6e47822157faf7b9383a7e62c2f3104d366528b73c32399b5f980

SHA512
1e47c5569f6252b89a118feae42ba8786c0c5350783f2b747428ffbd3225216d219614295362ab1751890db077dc183315744c572cd5096ec515e0ba1eceace8

Download Submit
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{469e9d2b-e7c9-4b4c-bb7a-ab760a17591a}_OnDiskSnapshotProp
Filesize
5KB

MD5
26ee9fc76700758f3f300e28421805cd

SHA1
71bcdda37cd54d79cc64c4c736cd3a7588431e96

SHA256
1482d0888ac6cb12f83302b8b5a121ab7431702671d6c9b56a9eb91845fc3b43

SHA512
b042d6e23eff3e1af25b05f34860da117e5ae87fa774fe633a09f97dbc36283155fe170b4a7ec9b732b7d90f93625887b7827ded090c64d7cc7e6d3955cb75a4

Download Submit
memory/388-145-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/388-142-0x0000000000000000-mapping.dmp

Download
memory/548-133-0x0000000000000000-mapping.dmp

Download
memory/804-140-0x00007FFC46460000-0x00007FFC46F21000-memory.dmp

Filesize
10.8MB

Download
memory/804-141-0x000001961AD90000-0x000001961AE00000-memory.dmp

Filesize
448KB

Download
memory/804-136-0x0000000000000000-mapping.dmp

Download
memory/804-146-0x00007FFC46460000-0x00007FFC46F21000-memory.dmp

Filesize
10.8MB

Download
memory/804-139-0x000001961AB80000-0x000001961AB8A000-memory.dmp

Filesize
40KB

Download
memory/804-138-0x000001961ABA0000-0x000001961ABCE000-memory.dmp

Filesize
184KB

Download
memory/4812-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads