icedid | 7092d744817b17348172c00fe2bc3710794688fe34e200c9c4e7ab6d3ecfda02

General

Target

soon_even.msi
Size

1.4MB
MD5

e97dda068d2b38835208a41cadad4740
SHA1

67adf8ec8479b8132f7a999f7d7556481d584208
SHA256

ebd022c7fed376881b90383028b0a6b18bc68f068cab5b4dadc57690612952e7
SHA512

8da4eff36676d8ed7cf13c0da0a853e19d54eaeb3c3d3ee4cb7945e1db4582fbb879838f91660a6a53f88ac29c12c633e88d713a92152d8116ea3fe6ee0ff634
SSDEEP

24576:nHL0HPEJnFbMyaPb8e1e96Pef7k0bNRjpB4dPURaZ:nr0MJKyaT/BPg1RaZ

Score

10^/10

icedid 3407323965 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3407323965

C2

estrabornhot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

47 2252 rundll32.exe
55 2252 rundll32.exe

flow	pid	process
47	2252	rundll32.exe
55	2252	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

3600 MsiExec.exe
508 rundll32.exe
2252 rundll32.exe

pid	process
3600	MsiExec.exe
508	rundll32.exe
2252	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC59.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC59.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEC59.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e56ebfb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56ebfb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF727.tmp	msiexec.exe
File created	C:\Windows\Installer\e56ebfd.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC59.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEC59.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000b9e60d2ecf4958f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000b9e60d20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809000b9e60d2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000b9e60d200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

4640 msiexec.exe
4640 msiexec.exe
2252 rundll32.exe
2252 rundll32.exe

pid	process
4640	msiexec.exe
4640	msiexec.exe
2252	rundll32.exe
2252	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	4640	msiexec.exe
Token: SeCreateTokenPrivilege	1956	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1956	msiexec.exe
Token: SeLockMemoryPrivilege	1956	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1956	msiexec.exe
Token: SeMachineAccountPrivilege	1956	msiexec.exe
Token: SeTcbPrivilege	1956	msiexec.exe
Token: SeSecurityPrivilege	1956	msiexec.exe
Token: SeTakeOwnershipPrivilege	1956	msiexec.exe
Token: SeLoadDriverPrivilege	1956	msiexec.exe
Token: SeSystemProfilePrivilege	1956	msiexec.exe
Token: SeSystemtimePrivilege	1956	msiexec.exe
Token: SeProfSingleProcessPrivilege	1956	msiexec.exe
Token: SeIncBasePriorityPrivilege	1956	msiexec.exe
Token: SeCreatePagefilePrivilege	1956	msiexec.exe
Token: SeCreatePermanentPrivilege	1956	msiexec.exe
Token: SeBackupPrivilege	1956	msiexec.exe
Token: SeRestorePrivilege	1956	msiexec.exe
Token: SeShutdownPrivilege	1956	msiexec.exe
Token: SeDebugPrivilege	1956	msiexec.exe
Token: SeAuditPrivilege	1956	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1956	msiexec.exe
Token: SeChangeNotifyPrivilege	1956	msiexec.exe
Token: SeRemoteShutdownPrivilege	1956	msiexec.exe
Token: SeUndockPrivilege	1956	msiexec.exe
Token: SeSyncAgentPrivilege	1956	msiexec.exe
Token: SeEnableDelegationPrivilege	1956	msiexec.exe
Token: SeManageVolumePrivilege	1956	msiexec.exe
Token: SeImpersonatePrivilege	1956	msiexec.exe
Token: SeCreateGlobalPrivilege	1956	msiexec.exe
Token: SeBackupPrivilege	556	vssvc.exe
Token: SeRestorePrivilege	556	vssvc.exe
Token: SeAuditPrivilege	556	vssvc.exe
Token: SeBackupPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe
Token: SeTakeOwnershipPrivilege	4640	msiexec.exe
Token: SeRestorePrivilege	4640	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1956 msiexec.exe
1956 msiexec.exe

pid	process
1956	msiexec.exe
1956	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4640 wrote to memory of 4516	4640	msiexec.exe	srtasks.exe
PID 4640 wrote to memory of 4516	4640	msiexec.exe	srtasks.exe
PID 4640 wrote to memory of 3600	4640	msiexec.exe	MsiExec.exe
PID 4640 wrote to memory of 3600	4640	msiexec.exe	MsiExec.exe
PID 3600 wrote to memory of 508	3600	MsiExec.exe	rundll32.exe
PID 3600 wrote to memory of 508	3600	MsiExec.exe	rundll32.exe
PID 508 wrote to memory of 2252	508	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 2252	508	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\soon_even.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1956

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4516

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 3E9A909C83BC41DA0A7842EEB17CDFA1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIEC59.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240577718 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpF244.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF244.dll
Filesize
970KB

MD5
2890e5f0cfc6002f91d3c6fe864fd13b

SHA1
571bf0539400fcd6f803b10be2fa86782110fd2d

SHA256
68a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee

SHA512
157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF244.dll
Filesize
970KB

MD5
2890e5f0cfc6002f91d3c6fe864fd13b

SHA1
571bf0539400fcd6f803b10be2fa86782110fd2d

SHA256
68a083503a2de1e5f5c4709eb1a294157b27616cbb4f7941cc46ed0a1c1166ee

SHA512
157d02900d806b36ec78b14be84719788db3811d205e6e88c5cf279fbd0a03d63f131be26f34ece697d963671e15047a427a004ff54834d2d5969d419beb4883

Download Submit
C:\Windows\Installer\MSIEC59.tmp
Filesize
413KB

MD5
146e479aafa7af37336def7997189975

SHA1
96481247f7addef1c67b700a87a0815cc5318bfa

SHA256
763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd

SHA512
a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba

Download Submit
C:\Windows\Installer\MSIEC59.tmp
Filesize
413KB

MD5
146e479aafa7af37336def7997189975

SHA1
96481247f7addef1c67b700a87a0815cc5318bfa

SHA256
763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd

SHA512
a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba

Download Submit
C:\Windows\Installer\MSIEC59.tmp
Filesize
413KB

MD5
146e479aafa7af37336def7997189975

SHA1
96481247f7addef1c67b700a87a0815cc5318bfa

SHA256
763e08bd69a79b127ff302e01d060e646ddcf66546eeced6e14ceedc3099ebfd

SHA512
a868432cb77754b65bd498fb5f83751876a39f1ce65a4ea598376f9e6e67de6c86bf4d4ec87dbaa264237c2457a1ba14c2bb9efb2420c4484b6a6e17b0bee2ba

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
8c81473ead54051edcbe9e06ef90daaa

SHA1
f2c21997b75a48d70b7682ed7d2b144f607c0d69

SHA256
99cfcfd29e1842f63a6ff47c25ce6540dc7c95ae4cdddd25bf3518bff005cda3

SHA512
513e04fd25f98196b5f9195587def4a74bac2b3da0e321d9b4184af605f21d8a355b5eae287614b69bb5a8e05ad21f1a11b8ebfc0a5357edc51cccccfe6280cd

Download Submit
\??\Volume{d2609e0b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f1e4c65d-e767-4fd0-82ef-c6da55c483b3}_OnDiskSnapshotProp
Filesize
5KB

MD5
915c08b3c93f4c8819260dce0b57fb93

SHA1
5a5b7b4490fc7f62ec8fb2ff33cde76e6c1437ab

SHA256
4b6aab7932ef89ebbddfab79f4293cc33c26e2df9823522618a2663e9b3a8518

SHA512
5f93aa710039b3ede72b8deb86ced07010d4e6c8eddec2d98f3e4b4a6f58bb9b118a8850ce874eb0f8703707044e33ae39b60888a3f90998d93e192c766f9f07

Download Submit
memory/508-140-0x000002157F840000-0x000002157F8B0000-memory.dmp

Filesize
448KB

Download
memory/508-141-0x00007FFC0F220000-0x00007FFC0FCE1000-memory.dmp

Filesize
10.8MB

Download
memory/508-139-0x0000021565DD0000-0x0000021565DDA000-memory.dmp

Filesize
40KB

Download
memory/508-145-0x00007FFC0F220000-0x00007FFC0FCE1000-memory.dmp

Filesize
10.8MB

Download
memory/508-138-0x0000021565E00000-0x0000021565E2E000-memory.dmp

Filesize
184KB

Download
memory/508-136-0x0000000000000000-mapping.dmp

Download
memory/2252-142-0x0000000000000000-mapping.dmp

Download
memory/2252-146-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3600-133-0x0000000000000000-mapping.dmp

Download
memory/4516-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads