icedid | f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb

General

Target

build-064.msi
Size

720KB
MD5

4b5e7a1fbd90cd678b8648ff34de5813
SHA1

efa480263a6d2bf167592b04bd64e0ebe5685318
SHA256

f0bd3ee5f750d9bff17c13acfcdd96ab42e194319d766053104dee666b58e7bb
SHA512

f19664821059994e7e7f07dec13eb61a87ee1b138bb5344c14909bed8315cc27946414f47fbcd011a0a569203542114434fe9a5f9f02bacb101605459f4e4dde
SSDEEP

12288:/wHL0D7MkCPumy9chfA+tC8B0igC+/NHBT1SMut:YHL08/zyt+Q8BtZKBRSZ

Score

10^/10

icedid 787509923 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

787509923

C2

kamintrewftor.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

60 4260 rundll32.exe
95 4260 rundll32.exe

flow	pid	process
60	4260	rundll32.exe
95	4260	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

1724 MsiExec.exe
3180 rundll32.exe
4260 rundll32.exe

pid	process
1724	MsiExec.exe
3180	rundll32.exe
4260	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIE92D.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e15c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1C9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File created	C:\Windows\Installer\e56e15e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e15c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1C9.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE1C9.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE1C9.tmp-\WixSharp.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exemsiexec.exe

pid process

4260 rundll32.exe
4260 rundll32.exe
4260 rundll32.exe
4260 rundll32.exe
4260 rundll32.exe
4260 rundll32.exe
4536 msiexec.exe
4536 msiexec.exe

pid	process
4260	rundll32.exe
4260	rundll32.exe
4260	rundll32.exe
4260	rundll32.exe
4260	rundll32.exe
4260	rundll32.exe
4536	msiexec.exe
4536	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	632	msiexec.exe
Token: SeSecurityPrivilege	4536	msiexec.exe
Token: SeCreateTokenPrivilege	632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	632	msiexec.exe
Token: SeLockMemoryPrivilege	632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	632	msiexec.exe
Token: SeMachineAccountPrivilege	632	msiexec.exe
Token: SeTcbPrivilege	632	msiexec.exe
Token: SeSecurityPrivilege	632	msiexec.exe
Token: SeTakeOwnershipPrivilege	632	msiexec.exe
Token: SeLoadDriverPrivilege	632	msiexec.exe
Token: SeSystemProfilePrivilege	632	msiexec.exe
Token: SeSystemtimePrivilege	632	msiexec.exe
Token: SeProfSingleProcessPrivilege	632	msiexec.exe
Token: SeIncBasePriorityPrivilege	632	msiexec.exe
Token: SeCreatePagefilePrivilege	632	msiexec.exe
Token: SeCreatePermanentPrivilege	632	msiexec.exe
Token: SeBackupPrivilege	632	msiexec.exe
Token: SeRestorePrivilege	632	msiexec.exe
Token: SeShutdownPrivilege	632	msiexec.exe
Token: SeDebugPrivilege	632	msiexec.exe
Token: SeAuditPrivilege	632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	632	msiexec.exe
Token: SeChangeNotifyPrivilege	632	msiexec.exe
Token: SeRemoteShutdownPrivilege	632	msiexec.exe
Token: SeUndockPrivilege	632	msiexec.exe
Token: SeSyncAgentPrivilege	632	msiexec.exe
Token: SeEnableDelegationPrivilege	632	msiexec.exe
Token: SeManageVolumePrivilege	632	msiexec.exe
Token: SeImpersonatePrivilege	632	msiexec.exe
Token: SeCreateGlobalPrivilege	632	msiexec.exe
Token: SeBackupPrivilege	4920	vssvc.exe
Token: SeRestorePrivilege	4920	vssvc.exe
Token: SeAuditPrivilege	4920	vssvc.exe
Token: SeBackupPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe
Token: SeTakeOwnershipPrivilege	4536	msiexec.exe
Token: SeRestorePrivilege	4536	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

632 msiexec.exe
632 msiexec.exe

pid	process
632	msiexec.exe
632	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4536 wrote to memory of 1148	4536	msiexec.exe	srtasks.exe
PID 4536 wrote to memory of 1148	4536	msiexec.exe	srtasks.exe
PID 4536 wrote to memory of 1724	4536	msiexec.exe	MsiExec.exe
PID 4536 wrote to memory of 1724	4536	msiexec.exe	MsiExec.exe
PID 1724 wrote to memory of 3180	1724	MsiExec.exe	rundll32.exe
PID 1724 wrote to memory of 3180	1724	MsiExec.exe	rundll32.exe
PID 3180 wrote to memory of 4260	3180	rundll32.exe	rundll32.exe
PID 3180 wrote to memory of 4260	3180	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-064.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1148

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E6E48E3A00119162E48F22DECF06C3A0
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIE1C9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240575062 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpE4A8.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE4A8.dll
Filesize
269KB

MD5
bd7cc8ef67f89c22561ca3cf0d8d5bf4

SHA1
90f4594ae4ca1f39d9cc3e53634a11c04810a1bd

SHA256
f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e

SHA512
754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4A8.dll
Filesize
269KB

MD5
bd7cc8ef67f89c22561ca3cf0d8d5bf4

SHA1
90f4594ae4ca1f39d9cc3e53634a11c04810a1bd

SHA256
f98f8234858c399877741dbd33c5b7f80ac5c0cc5ea15ac5aff6880927de307e

SHA512
754924d10e840f6691319de7a9f2f4183daeff5341e72a987d7e3c57a0823181b33f6784abfd29f15cb6912344865f1150a87de589246f975810222083ce5b72

Download Submit
C:\Windows\Installer\MSIE1C9.tmp
Filesize
413KB

MD5
d936bc2363e2139a65701b9ad1af9cee

SHA1
842ab6b02347e4a847dbfe0e23801adb0a2a3d7d

SHA256
8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06

SHA512
68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1

Download Submit
C:\Windows\Installer\MSIE1C9.tmp
Filesize
413KB

MD5
d936bc2363e2139a65701b9ad1af9cee

SHA1
842ab6b02347e4a847dbfe0e23801adb0a2a3d7d

SHA256
8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06

SHA512
68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1

Download Submit
C:\Windows\Installer\MSIE1C9.tmp
Filesize
413KB

MD5
d936bc2363e2139a65701b9ad1af9cee

SHA1
842ab6b02347e4a847dbfe0e23801adb0a2a3d7d

SHA256
8b00e01a842585de599b5ff608baf61297cda99e965d2af85ff430fc88f62b06

SHA512
68dbbd6ec3c8c49e5598b4c96b92abc63147a56ea3427995b3c88bba3da680781240d61867b6054dda580082545aee46385d5a750fcab7810f1da246fe8914b1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
6bbfc34ba423e13b677b4e9138502b23

SHA1
0c9899403e34919c22c3b1608e07f4bbf025da44

SHA256
d85d0d87654ff0a59e27a9a169dcf39deb9acd6f51f79f054265a80302d7cb1b

SHA512
5c0f8aee5649cf241daf65eb0370ac5f772ce3bc80ca68c57b012c76ac966a77628a767e15f3e988ef18fabc5a221a9d71b4154b3b3b9852f10067ea7f62a045

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{801c7c98-c2f8-4359-b3f0-8fa1ba4a85d4}_OnDiskSnapshotProp
Filesize
5KB

MD5
f86563a33fd67139041a86521b502d8b

SHA1
c21c7b49e6e2ca72aab38e70439018ef254b83be

SHA256
a26d7fc8e7d7f836b4c7a09feb097337a089a2d119aedd428741dad19ba0a6f4

SHA512
2c57f0cc05e73327234edc392573ca4760f17015eadc0f941826acb474cab924de292c7cf8f3a45b01e7aed13b3083165f4d2ba4343519792eef44b236f4c54a

Download Submit
memory/1148-132-0x0000000000000000-mapping.dmp

Download
memory/1724-133-0x0000000000000000-mapping.dmp

Download
memory/3180-140-0x000002294EA10000-0x000002294EA80000-memory.dmp

Filesize
448KB

Download
memory/3180-139-0x0000022936410000-0x000002293641A000-memory.dmp

Filesize
40KB

Download
memory/3180-150-0x00007FF8F2070000-0x00007FF8F2B31000-memory.dmp

Filesize
10.8MB

Download
memory/3180-138-0x0000022936440000-0x000002293646E000-memory.dmp

Filesize
184KB

Download
memory/3180-136-0x0000000000000000-mapping.dmp

Download
memory/4260-141-0x0000000000000000-mapping.dmp

Download
memory/4260-144-0x0000027DE98F0000-0x0000027DE98F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads