icedid | 7d6c5cdb5d612d9a8eba3312fae5f97f558a14d9f582042f54fbefdd6fd5b762

General

Target

Setup_Win_13-12-2022_17-31-38.msi
Size

1.4MB
MD5

8b5b12a30a087fbba3b14665a8951b1d
SHA1

b4cb2e10c0d4144f662d70f1635f31037f6db8c8
SHA256

75c398d3a87e736ece65f10550519590a991f02990accf7d28cd52ac453a0a67
SHA512

93465a3fa6874f5bc51a1442b724bdfa5d8af576211506c55dd4af02e3d5dacd7004f84ddd835e609bdf3cd119edfee6666507bacee3e799f9e12179bbfbc08e
SSDEEP

24576:BHL0lPEJnFbMyawb8e1e96Pef7k0bNRjpB4dPURad+J:Br0yJKyaC/BPg1Rad+

Score

10^/10

icedid 1010550214 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1010550214

C2

estrabornhot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

45 2140 rundll32.exe
94 2140 rundll32.exe

flow	pid	process
45	2140	rundll32.exe
94	2140	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

4780 MsiExec.exe
404 rundll32.exe
2140 rundll32.exe

pid	process
4780	MsiExec.exe
404	rundll32.exe
2140	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIEA36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA36.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEA36.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEA36.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF552.tmp	msiexec.exe
File created	C:\Windows\Installer\e56e9bb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e56e9b9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA36.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e56e9b9.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

3408 msiexec.exe
3408 msiexec.exe
2140 rundll32.exe
2140 rundll32.exe

pid	process
3408	msiexec.exe
3408	msiexec.exe
2140	rundll32.exe
2140	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4532	msiexec.exe
Token: SeSecurityPrivilege	3408	msiexec.exe
Token: SeCreateTokenPrivilege	4532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4532	msiexec.exe
Token: SeLockMemoryPrivilege	4532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4532	msiexec.exe
Token: SeMachineAccountPrivilege	4532	msiexec.exe
Token: SeTcbPrivilege	4532	msiexec.exe
Token: SeSecurityPrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeLoadDriverPrivilege	4532	msiexec.exe
Token: SeSystemProfilePrivilege	4532	msiexec.exe
Token: SeSystemtimePrivilege	4532	msiexec.exe
Token: SeProfSingleProcessPrivilege	4532	msiexec.exe
Token: SeIncBasePriorityPrivilege	4532	msiexec.exe
Token: SeCreatePagefilePrivilege	4532	msiexec.exe
Token: SeCreatePermanentPrivilege	4532	msiexec.exe
Token: SeBackupPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeShutdownPrivilege	4532	msiexec.exe
Token: SeDebugPrivilege	4532	msiexec.exe
Token: SeAuditPrivilege	4532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4532	msiexec.exe
Token: SeChangeNotifyPrivilege	4532	msiexec.exe
Token: SeRemoteShutdownPrivilege	4532	msiexec.exe
Token: SeUndockPrivilege	4532	msiexec.exe
Token: SeSyncAgentPrivilege	4532	msiexec.exe
Token: SeEnableDelegationPrivilege	4532	msiexec.exe
Token: SeManageVolumePrivilege	4532	msiexec.exe
Token: SeImpersonatePrivilege	4532	msiexec.exe
Token: SeCreateGlobalPrivilege	4532	msiexec.exe
Token: SeBackupPrivilege	4436	vssvc.exe
Token: SeRestorePrivilege	4436	vssvc.exe
Token: SeAuditPrivilege	4436	vssvc.exe
Token: SeBackupPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe
Token: SeTakeOwnershipPrivilege	3408	msiexec.exe
Token: SeRestorePrivilege	3408	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4532 msiexec.exe
4532 msiexec.exe

pid	process
4532	msiexec.exe
4532	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 3408 wrote to memory of 1156	3408	msiexec.exe	srtasks.exe
PID 3408 wrote to memory of 1156	3408	msiexec.exe	srtasks.exe
PID 3408 wrote to memory of 4780	3408	msiexec.exe	MsiExec.exe
PID 3408 wrote to memory of 4780	3408	msiexec.exe	MsiExec.exe
PID 4780 wrote to memory of 404	4780	MsiExec.exe	rundll32.exe
PID 4780 wrote to memory of 404	4780	MsiExec.exe	rundll32.exe
PID 404 wrote to memory of 2140	404	rundll32.exe	rundll32.exe
PID 404 wrote to memory of 2140	404	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_13-12-2022_17-31-38.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1156

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 10045084E72D3D0C8DEE8820751EDE84
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIEA36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240577203 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF235.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF235.dll
Filesize
970KB

MD5
6a058edb49674a880e176765872419d8

SHA1
f44ae6593971176b6fe30b481c923bcb85b84b9f

SHA256
b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8

SHA512
c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF235.dll
Filesize
970KB

MD5
6a058edb49674a880e176765872419d8

SHA1
f44ae6593971176b6fe30b481c923bcb85b84b9f

SHA256
b7da73f9002e5f4c2b5d40cd062bc23d12a08775fd47ac0e1fe96d98e211e2a8

SHA512
c9b068e0b5cca7b1687926b7a19667ddf8cdb7a11feeec6e13f253165fc13f9a8538d35c275263251a6143f12baec7d4b2c8022f7dfec006e19e2005adfa265b

Download Submit
C:\Windows\Installer\MSIEA36.tmp
Filesize
413KB

MD5
859c238b1aa6bbcdaaabe3e5d7f1dad6

SHA1
2a8c17ec585a39f6eba3207a08f865f2ef3c47bd

SHA256
d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae

SHA512
95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7

Download Submit
C:\Windows\Installer\MSIEA36.tmp
Filesize
413KB

MD5
859c238b1aa6bbcdaaabe3e5d7f1dad6

SHA1
2a8c17ec585a39f6eba3207a08f865f2ef3c47bd

SHA256
d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae

SHA512
95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7

Download Submit
C:\Windows\Installer\MSIEA36.tmp
Filesize
413KB

MD5
859c238b1aa6bbcdaaabe3e5d7f1dad6

SHA1
2a8c17ec585a39f6eba3207a08f865f2ef3c47bd

SHA256
d9bf99badaea49228e48c5428fbfe7ba9932254ea92fdcd7c27ac88833a65dae

SHA512
95c79d22c52c964cd631617d01c2b9cf4a507c3765554148eecba72695354669fed81fec088849256c62b006f175f552031895f48bf97e9d5ab4ba69eecc87e7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
c04954a4e1e28ea1bbe3e587a40ad732

SHA1
3737010395d06e169e441e5a91396e11b3c4d20d

SHA256
3f938d5663fff0bb90bd4cf3a580efefdff659e92d1e4b323ded29db8d782e09

SHA512
fb043fa82590abf9ee960afdc3cc27cc0e4da78518a32296e80a72536c9adcd5db4c4e76eb5d73aa12401767fc9973289d946ddabf721036ee95bdf2bb2c5d30

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bdadcbac-79a5-4dbb-b4a7-4d2e44f6f991}_OnDiskSnapshotProp
Filesize
5KB

MD5
8392adb46aa5fe1984d06706a0031e20

SHA1
714df5d7a507d49f826986a52239ad942db5df29

SHA256
7ab5c1b3fd0983d3c5073bd0afd199f6f6509de0e01df15dce183d51a134aa89

SHA512
74578ea9ef16acaf277040772a481e640ea83f6c985d9791573ad1d4760dbd968b9f8cb4e28dd3bf84c79118b77089e51c8de1bf37007ae38aa06be4f80aa24e

Download Submit
memory/404-141-0x000002D3F9B10000-0x000002D3F9B80000-memory.dmp

Filesize
448KB

Download
memory/404-140-0x00007FF904820000-0x00007FF9052E1000-memory.dmp

Filesize
10.8MB

Download
memory/404-139-0x000002D3F98C0000-0x000002D3F98CA000-memory.dmp

Filesize
40KB

Download
memory/404-136-0x0000000000000000-mapping.dmp

Download
memory/404-145-0x00007FF904820000-0x00007FF9052E1000-memory.dmp

Filesize
10.8MB

Download
memory/404-138-0x000002D3F98F0000-0x000002D3F991E000-memory.dmp

Filesize
184KB

Download
memory/1156-132-0x0000000000000000-mapping.dmp

Download
memory/2140-142-0x0000000000000000-mapping.dmp

Download
memory/2140-146-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/4780-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads