icedid | c15c7e69d90fd076c43a89bb11cf2a642bf3e354566aeecfb9b58fee4e27372a

General

Target

ZoomInstallerFull.exe
Size

75.4MB
MD5

3d36e5c4caa98515b4cbede14c253676
SHA1

d2e1bd8ee0a2185557e5c01883cdccb53772f7bb
SHA256

c15c7e69d90fd076c43a89bb11cf2a642bf3e354566aeecfb9b58fee4e27372a
SHA512

b234812ba40bfee5dfacacf4d2198949d3636449e34a9f75c062d2bc20c6225edb1c4d25f737c5ecc0d31b1cbbf2960e3ba8ce97f006368871dda2a5cd2e6182
SSDEEP

1572864:upDrQefrQSB+gTC4GB3RA9MLhWG7VYlSGTbANByfGajuTgIrPJGs:cDLfrQQ/FA3RAicfUjByfFIDJ

Score

10^/10

icedid 1441853872 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1441853872

C2

ewgahskoot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 14 IoCs

Processes:

rundll32.exemsiexec.exe

flow	pid	process
36	3352	rundll32.exe
53	3352	rundll32.exe
66	3916	msiexec.exe
72	3916	msiexec.exe
73	3916	msiexec.exe
75	3916	msiexec.exe
76	3916	msiexec.exe
77	3916	msiexec.exe
80	3916	msiexec.exe
93	3916	msiexec.exe
94	3916	msiexec.exe
99	3352	rundll32.exe
107	3352	rundll32.exe
120	3352	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3352 rundll32.exe

pid	process
3352	rundll32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3352 rundll32.exe
3352 rundll32.exe

pid	process
3352	rundll32.exe
3352	rundll32.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3916	msiexec.exe
Token: SeSecurityPrivilege	1820	msiexec.exe
Token: SeCreateTokenPrivilege	3916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3916	msiexec.exe
Token: SeLockMemoryPrivilege	3916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3916	msiexec.exe
Token: SeMachineAccountPrivilege	3916	msiexec.exe
Token: SeTcbPrivilege	3916	msiexec.exe
Token: SeSecurityPrivilege	3916	msiexec.exe
Token: SeTakeOwnershipPrivilege	3916	msiexec.exe
Token: SeLoadDriverPrivilege	3916	msiexec.exe
Token: SeSystemProfilePrivilege	3916	msiexec.exe
Token: SeSystemtimePrivilege	3916	msiexec.exe
Token: SeProfSingleProcessPrivilege	3916	msiexec.exe
Token: SeIncBasePriorityPrivilege	3916	msiexec.exe
Token: SeCreatePagefilePrivilege	3916	msiexec.exe
Token: SeCreatePermanentPrivilege	3916	msiexec.exe
Token: SeBackupPrivilege	3916	msiexec.exe
Token: SeRestorePrivilege	3916	msiexec.exe
Token: SeShutdownPrivilege	3916	msiexec.exe
Token: SeDebugPrivilege	3916	msiexec.exe
Token: SeAuditPrivilege	3916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3916	msiexec.exe
Token: SeChangeNotifyPrivilege	3916	msiexec.exe
Token: SeRemoteShutdownPrivilege	3916	msiexec.exe
Token: SeUndockPrivilege	3916	msiexec.exe
Token: SeSyncAgentPrivilege	3916	msiexec.exe
Token: SeEnableDelegationPrivilege	3916	msiexec.exe
Token: SeManageVolumePrivilege	3916	msiexec.exe
Token: SeImpersonatePrivilege	3916	msiexec.exe
Token: SeCreateGlobalPrivilege	3916	msiexec.exe
Token: SeBackupPrivilege	1768	vssvc.exe
Token: SeRestorePrivilege	1768	vssvc.exe
Token: SeAuditPrivilege	1768	vssvc.exe
Token: SeBackupPrivilege	1820	msiexec.exe
Token: SeRestorePrivilege	1820	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3916 msiexec.exe

pid	process
3916	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ZoomInstallerFull.exe

description	pid	process	target process
PID 4456 wrote to memory of 3352	4456	ZoomInstallerFull.exe	rundll32.exe
PID 4456 wrote to memory of 3352	4456	ZoomInstallerFull.exe	rundll32.exe
PID 4456 wrote to memory of 3916	4456	ZoomInstallerFull.exe	msiexec.exe
PID 4456 wrote to memory of 3916	4456	ZoomInstallerFull.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe
"C:\Users\Admin\AppData\Local\Temp\ZoomInstallerFull.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ikm.aaa, init
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Windows\SYSTEM32\msiexec.exe
msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\ikm.msi
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ikm.aaa
Filesize
374KB

MD5
f371a5d45d6aa7bf79c73c6ac1e27db8

SHA1
fc5cfb8d23f4c4b7b0d866679860a4b51a53f52e

SHA256
a91ab1223bc23763dca1e0bd8d47553b7d3a7d4b8c114504ec67439845519eeb

SHA512
f5ef2ab57d0f309194331c1d45aa30632656f26c17913db325a40a9e4f186346c53e1aa82a0a336fac8d2e664a143e0b8621fc5c00ebca31ec369e19ca91c02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikm.aaa
Filesize
374KB

MD5
f371a5d45d6aa7bf79c73c6ac1e27db8

SHA1
fc5cfb8d23f4c4b7b0d866679860a4b51a53f52e

SHA256
a91ab1223bc23763dca1e0bd8d47553b7d3a7d4b8c114504ec67439845519eeb

SHA512
f5ef2ab57d0f309194331c1d45aa30632656f26c17913db325a40a9e4f186346c53e1aa82a0a336fac8d2e664a143e0b8621fc5c00ebca31ec369e19ca91c02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikm.msi
Filesize
75.1MB

MD5
f7f764ed7be9356b85c73462542b36c3

SHA1
e0a67fa1d899d464ec6a268dcfb1b14de172c582

SHA256
839c1a8a906bd0bce47262a904708ed58eb832a1acae917ecd758ab5a01f3234

SHA512
fafa807291c19bac4da510edc5ccea607b77b0220c5c9090d1eb5a7c3a022f67c113bdf51ef13bc6af830ae3843ca4ea53d96a033fc5aae9714a8708e068b45c

Download Submit
memory/3352-132-0x0000000000000000-mapping.dmp

Download
memory/3352-135-0x00000220354D0000-0x00000220354D9000-memory.dmp

Filesize
36KB

Download
memory/3916-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads