icedid | ebd022c7fed376881b90383028b0a6b18bc68f068cab5b4dadc57690612952e7

General

Target

soon_even.msi
Size

1.4MB
MD5

e97dda068d2b38835208a41cadad4740
SHA1

67adf8ec8479b8132f7a999f7d7556481d584208
SHA256

ebd022c7fed376881b90383028b0a6b18bc68f068cab5b4dadc57690612952e7
SHA512

8da4eff36676d8ed7cf13c0da0a853e19d54eaeb3c3d3ee4cb7945e1db4582fbb879838f91660a6a53f88ac29c12c633e88d713a92152d8116ea3fe6ee0ff634
SSDEEP

24576:nHL0HPEJnFbMyaPb8e1e96Pef7k0bNRjpB4dPURaZ:nr0MJKyaT/BPg1RaZ

Score

10^/10

icedid 3407323965 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3407323965

C2

estrabornhot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

56 1744 rundll32.exe
74 1744 rundll32.exe

flow	pid	process
56	1744	rundll32.exe
74	1744	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

4576 MsiExec.exe
5020 rundll32.exe
1744 rundll32.exe

pid	process
4576	MsiExec.exe
5020	rundll32.exe
1744	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File created	C:\Windows\Installer\e5736cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI374C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4046.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI374C.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5736cf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI374C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI374C.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI374C.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\e5736d1.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

5048 msiexec.exe
5048 msiexec.exe
1744 rundll32.exe
1744 rundll32.exe

pid	process
5048	msiexec.exe
5048	msiexec.exe
1744	rundll32.exe
1744	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4500	msiexec.exe
Token: SeSecurityPrivilege	5048	msiexec.exe
Token: SeCreateTokenPrivilege	4500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4500	msiexec.exe
Token: SeLockMemoryPrivilege	4500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4500	msiexec.exe
Token: SeMachineAccountPrivilege	4500	msiexec.exe
Token: SeTcbPrivilege	4500	msiexec.exe
Token: SeSecurityPrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeLoadDriverPrivilege	4500	msiexec.exe
Token: SeSystemProfilePrivilege	4500	msiexec.exe
Token: SeSystemtimePrivilege	4500	msiexec.exe
Token: SeProfSingleProcessPrivilege	4500	msiexec.exe
Token: SeIncBasePriorityPrivilege	4500	msiexec.exe
Token: SeCreatePagefilePrivilege	4500	msiexec.exe
Token: SeCreatePermanentPrivilege	4500	msiexec.exe
Token: SeBackupPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeShutdownPrivilege	4500	msiexec.exe
Token: SeDebugPrivilege	4500	msiexec.exe
Token: SeAuditPrivilege	4500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4500	msiexec.exe
Token: SeChangeNotifyPrivilege	4500	msiexec.exe
Token: SeRemoteShutdownPrivilege	4500	msiexec.exe
Token: SeUndockPrivilege	4500	msiexec.exe
Token: SeSyncAgentPrivilege	4500	msiexec.exe
Token: SeEnableDelegationPrivilege	4500	msiexec.exe
Token: SeManageVolumePrivilege	4500	msiexec.exe
Token: SeImpersonatePrivilege	4500	msiexec.exe
Token: SeCreateGlobalPrivilege	4500	msiexec.exe
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeBackupPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4500 msiexec.exe
4500 msiexec.exe

pid	process
4500	msiexec.exe
4500	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 5048 wrote to memory of 4984	5048	msiexec.exe	srtasks.exe
PID 5048 wrote to memory of 4984	5048	msiexec.exe	srtasks.exe
PID 5048 wrote to memory of 4576	5048	msiexec.exe	MsiExec.exe
PID 5048 wrote to memory of 4576	5048	msiexec.exe	MsiExec.exe
PID 4576 wrote to memory of 5020	4576	MsiExec.exe	rundll32.exe
PID 4576 wrote to memory of 5020	4576	MsiExec.exe	rundll32.exe
PID 5020 wrote to memory of 1744	5020	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 1744	5020	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon_even.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4984

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 0ED9F87EE60BEA45795962B41DBE56D9
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI374C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240596921 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3B82.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3B82.dll
Filesize
970KB

MD5
2890e5f0cfc6002f91d3c6fe864fd13b

SHA1
571bf0539400fcd6f803b10be2fa86782110fd2d

SHA256
68a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee

SHA512
157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B82.dll
Filesize
970KB

MD5
2890e5f0cfc6002f91d3c6fe864fd13b

SHA1
571bf0539400fcd6f803b10be2fa86782110fd2d

SHA256
68a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee

SHA512
157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883

Download Submit
C:\Windows\Installer\MSI374C.tmp
Filesize
413KB

MD5
146e479aafa7af37336def7997189975

SHA1
96481247f7addef1c67b700a87a0815cc5318bfa

SHA256
763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd

SHA512
a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba

Download Submit
C:\Windows\Installer\MSI374C.tmp
Filesize
413KB

MD5
146e479aafa7af37336def7997189975

SHA1
96481247f7addef1c67b700a87a0815cc5318bfa

SHA256
763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd

SHA512
a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba

Download Submit
C:\Windows\Installer\MSI374C.tmp
Filesize
413KB

MD5
146e479aafa7af37336def7997189975

SHA1
96481247f7addef1c67b700a87a0815cc5318bfa

SHA256
763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd

SHA512
a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
eb6fe57ac84c023debeb17626c6a191a

SHA1
3421ea91d54dc3afa5b86046c60862ce16014039

SHA256
3b967ac5b5c7267b0f591ae11b26dd234e01418122e15c833a6b7917e4df1827

SHA512
8fda65c27365a728fe5c10ccbacc68d3ac578f614c861ec0d9f69cdd510e3721d6545020f1297d7fdddcb7a067abdd255c29373bee3b6bad6e765825e2f2dc51

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9f6d89a1-1415-463c-869f-4b50b021bdb3}_OnDiskSnapshotProp
Filesize
5KB

MD5
71d4ead3560b5fb0a9223c14021453cc

SHA1
a631ce2ea9761e9e3f60122ff48a651437af09e6

SHA256
f44917b1d8d4777cac37ec8f2d272dddd0ebe6c57a96f155521e1136166e36eb

SHA512
a055f8d570ffb780ee5d318ce71af3d8bf26e116117b73c5537f19067e6c46877c705601353da97f98417df24f2098330798e22d80846f15b58c60c2042265bb

Download Submit
memory/1744-145-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1744-142-0x0000000000000000-mapping.dmp

Download
memory/4576-133-0x0000000000000000-mapping.dmp

Download
memory/4984-132-0x0000000000000000-mapping.dmp

Download
memory/5020-139-0x000001FC642B0000-0x000001FC642BA000-memory.dmp

Filesize
40KB

Download
memory/5020-136-0x0000000000000000-mapping.dmp

Download
memory/5020-146-0x00007FFBCCB40000-0x00007FFBCD601000-memory.dmp

Filesize
10.8MB

Download
memory/5020-141-0x00007FFBCCB40000-0x00007FFBCD601000-memory.dmp

Filesize
10.8MB

Download
memory/5020-140-0x000001FC7E8C0000-0x000001FC7E930000-memory.dmp

Filesize
448KB

Download
memory/5020-138-0x000001FC642E0000-0x000001FC6430E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads