icedid | 4d47ae858358361c1620d6f0d083946944cffb4165ecc620522e6156d9009607

General

Target

range_their.msi
Size

1.4MB
MD5

05b0f6ddd315e85d95038ade3d48f28a
SHA1

cb9aa99c2744b4fd1b755c9a3858df869645c24f
SHA256

4d47ae858358361c1620d6f0d083946944cffb4165ecc620522e6156d9009607
SHA512

44d1b19c4c5badb00622025e2426cb58ed2a084834ec3a3e49cefc7f64ce13dc9637e073af506faecc38eaa9a35c1b3886c3f87f08d41af4833771cdc4d8925b
SSDEEP

24576:wHL0kPEJnFbMyaRb8e1e96Pef7k0bNRjpB4dPURaH:wr0PJKyah/BPg1RaH

Score

10^/10

icedid 3407323965 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3407323965

C2

estrabornhot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

78 3040 rundll32.exe
93 3040 rundll32.exe

flow	pid	process
78	3040	rundll32.exe
93	3040	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

2044 MsiExec.exe
3884 rundll32.exe
3040 rundll32.exe

pid	process
2044	MsiExec.exe
3884	rundll32.exe
3040	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E5.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File created	C:\Windows\Installer\e57068a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E5.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e570688.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e570688.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E5.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6E5.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI10CA.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

1456 msiexec.exe
1456 msiexec.exe
3040 rundll32.exe
3040 rundll32.exe

pid	process
1456	msiexec.exe
1456	msiexec.exe
3040	rundll32.exe
3040	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	2488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2488	msiexec.exe
Token: SeSecurityPrivilege	1456	msiexec.exe
Token: SeCreateTokenPrivilege	2488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2488	msiexec.exe
Token: SeLockMemoryPrivilege	2488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2488	msiexec.exe
Token: SeMachineAccountPrivilege	2488	msiexec.exe
Token: SeTcbPrivilege	2488	msiexec.exe
Token: SeSecurityPrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeLoadDriverPrivilege	2488	msiexec.exe
Token: SeSystemProfilePrivilege	2488	msiexec.exe
Token: SeSystemtimePrivilege	2488	msiexec.exe
Token: SeProfSingleProcessPrivilege	2488	msiexec.exe
Token: SeIncBasePriorityPrivilege	2488	msiexec.exe
Token: SeCreatePagefilePrivilege	2488	msiexec.exe
Token: SeCreatePermanentPrivilege	2488	msiexec.exe
Token: SeBackupPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeShutdownPrivilege	2488	msiexec.exe
Token: SeDebugPrivilege	2488	msiexec.exe
Token: SeAuditPrivilege	2488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2488	msiexec.exe
Token: SeChangeNotifyPrivilege	2488	msiexec.exe
Token: SeRemoteShutdownPrivilege	2488	msiexec.exe
Token: SeUndockPrivilege	2488	msiexec.exe
Token: SeSyncAgentPrivilege	2488	msiexec.exe
Token: SeEnableDelegationPrivilege	2488	msiexec.exe
Token: SeManageVolumePrivilege	2488	msiexec.exe
Token: SeImpersonatePrivilege	2488	msiexec.exe
Token: SeCreateGlobalPrivilege	2488	msiexec.exe
Token: SeBackupPrivilege	4644	vssvc.exe
Token: SeRestorePrivilege	4644	vssvc.exe
Token: SeAuditPrivilege	4644	vssvc.exe
Token: SeBackupPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe
Token: SeTakeOwnershipPrivilege	1456	msiexec.exe
Token: SeRestorePrivilege	1456	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2488 msiexec.exe
2488 msiexec.exe

pid	process
2488	msiexec.exe
2488	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 1456 wrote to memory of 2664	1456	msiexec.exe	srtasks.exe
PID 1456 wrote to memory of 2664	1456	msiexec.exe	srtasks.exe
PID 1456 wrote to memory of 2044	1456	msiexec.exe	MsiExec.exe
PID 1456 wrote to memory of 2044	1456	msiexec.exe	MsiExec.exe
PID 2044 wrote to memory of 3884	2044	MsiExec.exe	rundll32.exe
PID 2044 wrote to memory of 3884	2044	MsiExec.exe	rundll32.exe
PID 3884 wrote to memory of 3040	3884	rundll32.exe	rundll32.exe
PID 3884 wrote to memory of 3040	3884	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\range_their.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2664

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 8B0747697434788E0EEBB7990D579A88
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI6E5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240584546 2 test.cs!Test.CustomActions.MyAction
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\tmpA50.dll",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA50.dll
Filesize
970KB

MD5
c27a1d6ebc0ea34edb928b84031b222e

SHA1
803b1bb8dba1fde73300308171bbca4eae04ec08

SHA256
f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd

SHA512
6f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA50.dll
Filesize
970KB

MD5
c27a1d6ebc0ea34edb928b84031b222e

SHA1
803b1bb8dba1fde73300308171bbca4eae04ec08

SHA256
f634d3e4fd753a64b5eab7a3d74700b84c8bc7ada35b3583550f9f61bf3e6dbd

SHA512
6f128f9dd8fd71a580d07fd32a6131a3c1ea8dae8b87edcd5adbbe2c88777dff5a4ab7ba453e5fca74429b13d1f86b3064482db8cca41e846a3e8fac6fca60c7

Download Submit
C:\Windows\Installer\MSI6E5.tmp
Filesize
413KB

MD5
7b045b56ba2b1ad587a45648e50e4975

SHA1
88dc8c279003919ba2610dd42a127eef562e88e7

SHA256
7ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692

SHA512
9f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722

Download Submit
C:\Windows\Installer\MSI6E5.tmp
Filesize
413KB

MD5
7b045b56ba2b1ad587a45648e50e4975

SHA1
88dc8c279003919ba2610dd42a127eef562e88e7

SHA256
7ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692

SHA512
9f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722

Download Submit
C:\Windows\Installer\MSI6E5.tmp
Filesize
413KB

MD5
7b045b56ba2b1ad587a45648e50e4975

SHA1
88dc8c279003919ba2610dd42a127eef562e88e7

SHA256
7ba315650da329a02499ae02fad5e0aacd98964412b25bfce348af68cc06b692

SHA512
9f99acfbb05eccead3486100ac86097384808c93b01bdfe964bfb91bd6fb931139650da3dab14dd3d0df50b5983c6b733e64205e0afada0452aa8acb79e71722

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
c586978d3cd0515a5de30f01c4449b7b

SHA1
1b2d84fc73209ff0ff11560833a9ceb79c036e51

SHA256
c25f663f91dc89e4e18affaacff14c33517aca4ec4eaf326b6288395d6ca7545

SHA512
e8bc183798059412d392d739020573c7eb02d24ff3d95c843b03ba0e60b4dac6a79ae9291b051585a241e47b318989d0f0beee373f10a70e8fc6bac5d6e97cf7

Download Submit
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ac12721c-a095-4d38-8041-5f72ab752fb7}_OnDiskSnapshotProp
Filesize
5KB

MD5
9c4896f1170fb607bb8f59b74c3b73c9

SHA1
ea267c283bc1f12cb8a8b7b208f58966e5a614b7

SHA256
039ce097133e656dc91816f5a6cb7acb6a210713b9657b38abdc270f052a8d8f

SHA512
7f4bcf3c7f7ed9c71c06679b82b0d12c15d2880094af131cdd85c7b686465618f31ce36314eb85543ea0ae3f32845ed203539fac01390e88d851097bfd533e82

Download Submit
memory/2044-136-0x0000000000000000-mapping.dmp

Download
memory/2664-135-0x0000000000000000-mapping.dmp

Download
memory/3040-149-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3040-145-0x0000000000000000-mapping.dmp

Download
memory/3884-139-0x0000000000000000-mapping.dmp

Download
memory/3884-147-0x00007FFB3C6A0000-0x00007FFB3D161000-memory.dmp

Filesize
10.8MB

Download
memory/3884-144-0x00007FFB3C6A0000-0x00007FFB3D161000-memory.dmp

Filesize
10.8MB

Download
memory/3884-143-0x000002201B5C0000-0x000002201B630000-memory.dmp

Filesize
448KB

Download
memory/3884-142-0x00000220016D0000-0x00000220016DA000-memory.dmp

Filesize
40KB

Download
memory/3884-141-0x00000220016E0000-0x000002200170E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads