icedid | f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb

General

Target

build-064.msi
Size

720KB
MD5

4b5e7a1fbd90cd678b8648ff34de5813
SHA1

efa480263a6d2bf167592b04bd64e0ebe5685318
SHA256

f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb
SHA512

f19664821059994e7e7f07dec13eb61a87ee1b138bb5344c14909bed8315cc27946414f47fbcd011a0a569203542114434fe9a5f9f02bacb101605459f4e4dde
SSDEEP

12288:/wHL0D7MkCPumy9chfA+tC8B0igC+/NHBT1SMut:YHL08/zyt+Q8BtZKBRSZ

Score

10^/10

icedid 787509923 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

787509923

C2

kamintrewftor.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

33 1364 rundll32.exe
71 1364 rundll32.exe
82 1364 rundll32.exe

flow	pid	process
33	1364	rundll32.exe
71	1364	rundll32.exe
82	1364	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

5016 MsiExec.exe
404 rundll32.exe
1364 rundll32.exe

pid	process
5016	MsiExec.exe
404	rundll32.exe
1364	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

rundll32.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSID0D2.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5E4.tmp	msiexec.exe
File created	C:\Windows\Installer\e56d076.msi	msiexec.exe
File created	C:\Windows\Installer\e56d074.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0D2.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID0D2.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d074.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0D2.tmp-\test.cs.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000106161d2e731958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000106161d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900106161d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000106161d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
1364 rundll32.exe
3380 msiexec.exe
3380 msiexec.exe

pid	process
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
3380	msiexec.exe
3380	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3176	msiexec.exe
Token: SeSecurityPrivilege	3380	msiexec.exe
Token: SeCreateTokenPrivilege	3176	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3176	msiexec.exe
Token: SeLockMemoryPrivilege	3176	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3176	msiexec.exe
Token: SeMachineAccountPrivilege	3176	msiexec.exe
Token: SeTcbPrivilege	3176	msiexec.exe
Token: SeSecurityPrivilege	3176	msiexec.exe
Token: SeTakeOwnershipPrivilege	3176	msiexec.exe
Token: SeLoadDriverPrivilege	3176	msiexec.exe
Token: SeSystemProfilePrivilege	3176	msiexec.exe
Token: SeSystemtimePrivilege	3176	msiexec.exe
Token: SeProfSingleProcessPrivilege	3176	msiexec.exe
Token: SeIncBasePriorityPrivilege	3176	msiexec.exe
Token: SeCreatePagefilePrivilege	3176	msiexec.exe
Token: SeCreatePermanentPrivilege	3176	msiexec.exe
Token: SeBackupPrivilege	3176	msiexec.exe
Token: SeRestorePrivilege	3176	msiexec.exe
Token: SeShutdownPrivilege	3176	msiexec.exe
Token: SeDebugPrivilege	3176	msiexec.exe
Token: SeAuditPrivilege	3176	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3176	msiexec.exe
Token: SeChangeNotifyPrivilege	3176	msiexec.exe
Token: SeRemoteShutdownPrivilege	3176	msiexec.exe
Token: SeUndockPrivilege	3176	msiexec.exe
Token: SeSyncAgentPrivilege	3176	msiexec.exe
Token: SeEnableDelegationPrivilege	3176	msiexec.exe
Token: SeManageVolumePrivilege	3176	msiexec.exe
Token: SeImpersonatePrivilege	3176	msiexec.exe
Token: SeCreateGlobalPrivilege	3176	msiexec.exe
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe
Token: SeBackupPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe
Token: SeTakeOwnershipPrivilege	3380	msiexec.exe
Token: SeRestorePrivilege	3380	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3176 msiexec.exe
3176 msiexec.exe

pid	process
3176	msiexec.exe
3176	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 3380 wrote to memory of 1436	3380	msiexec.exe	srtasks.exe
PID 3380 wrote to memory of 1436	3380	msiexec.exe	srtasks.exe
PID 3380 wrote to memory of 5016	3380	msiexec.exe	MsiExec.exe
PID 3380 wrote to memory of 5016	3380	msiexec.exe	MsiExec.exe
PID 5016 wrote to memory of 404	5016	MsiExec.exe	rundll32.exe
PID 5016 wrote to memory of 404	5016	MsiExec.exe	rundll32.exe
PID 404 wrote to memory of 1364	404	rundll32.exe	rundll32.exe
PID 404 wrote to memory of 1364	404	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-064.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1436

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding C839569A89D37D98AB8464C912BC3079
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID0D2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240570750 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpD2F5.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD2F5.dll
Filesize
269KB

MD5
bd7cc8ef67f89c22561ca3cf0d8d5bf4

SHA1
90f4594ae4ca1f39d9cc3e53634a11c04810a1bd

SHA256
f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e

SHA512
754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2F5.dll
Filesize
269KB

MD5
bd7cc8ef67f89c22561ca3cf0d8d5bf4

SHA1
90f4594ae4ca1f39d9cc3e53634a11c04810a1bd

SHA256
f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e

SHA512
754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72

Download Submit
C:\Windows\Installer\MSID0D2.tmp
Filesize
413KB

MD5
d936bc2363e2139a65701b9ad1af9cee

SHA1
842ab6b02347e4a847dbfe0e23801adb0a2a3d7d

SHA256
8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06

SHA512
68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1

Download Submit
C:\Windows\Installer\MSID0D2.tmp
Filesize
413KB

MD5
d936bc2363e2139a65701b9ad1af9cee

SHA1
842ab6b02347e4a847dbfe0e23801adb0a2a3d7d

SHA256
8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06

SHA512
68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1

Download Submit
C:\Windows\Installer\MSID0D2.tmp
Filesize
413KB

MD5
d936bc2363e2139a65701b9ad1af9cee

SHA1
842ab6b02347e4a847dbfe0e23801adb0a2a3d7d

SHA256
8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06

SHA512
68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
e9b81a6d576f7d8ae0dc965d80a2039b

SHA1
ffd1f168a7b036a0a2608c1961b4ece9aeaddeba

SHA256
f4bf2a37a12c0b61905e55d238979b84e37282f4c6ac86a2af43d0a50c8a32b6

SHA512
3c16cf47865b4cd65712ab771bf453caf1e11351a50ac104fbdd7482741cc3117fd526d5502c2f868ffe5a265656b51bbf19f5929cfa8b7e23899d8e84d4215f

Download Submit
\??\Volume{d2616110-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ae487663-db98-4eb1-a88d-25033723e9f9}_OnDiskSnapshotProp
Filesize
5KB

MD5
227369f0fa419ad114a2a785425cb2ad

SHA1
1219adc4f1cd0be2f7869866f6dca767ee7e6fad

SHA256
55719235b86d53db9d1805bd526aa1944de1aa4fa6f01120a4f7a45055636ade

SHA512
17bbb5b5512594df175766a094286c210da64abdb83d56cb0dc6a0f70bafaa37fcea1629c72e9259dc743dfbe14f38ea4e0fceb6762939421096f874013710ec

Download Submit
memory/404-140-0x0000029A8F850000-0x0000029A8F8C0000-memory.dmp

Filesize
448KB

Download
memory/404-139-0x0000029A8EC80000-0x0000029A8EC8A000-memory.dmp

Filesize
40KB

Download
memory/404-138-0x0000029A8EC90000-0x0000029A8ECBE000-memory.dmp

Filesize
184KB

Download
memory/404-150-0x0000029A8ED80000-0x0000029A8F841000-memory.dmp

Filesize
10.8MB

Download
memory/404-136-0x0000000000000000-mapping.dmp

Download
memory/1364-141-0x0000000000000000-mapping.dmp

Download
memory/1364-144-0x000001D930DE0000-0x000001D930DE9000-memory.dmp

Filesize
36KB

Download
memory/1436-132-0x0000000000000000-mapping.dmp

Download
memory/5016-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads