icedid | 5d39b75eae07ccfe77968f0056eeb6feec2b124cd5d52327f4b162827beba604

General

Target

Setup_Win_16-12-2022_16-47-34.msi
Size

1.6MB
MD5

392916da17e4ef4d8c88c778cf75db5a
SHA1

1996bc54416273a26bf938a713f9f35a5aae68a8
SHA256

e8b323a81faf2904459bb4a35bc8e2519850afc9f960ffd06a22f3e197185a9a
SHA512

4c554f32906b3ce50633628afac4a3984f8e5f4039f185d4d8d6d653aa35d6df2eae860d4a64a08e94c4cd4283d56e5118ab5447f2fa53b590ad1cde638b182d
SSDEEP

24576:7HL0HvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:7r0YglMbr3SWpsWjRMMKIIDB/k

Score

10^/10

icedid 1228806356 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1228806356

C2

klepdrafooip.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

27 2752 rundll32.exe
41 2752 rundll32.exe

flow	pid	process
27	2752	rundll32.exe
41	2752	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

2636 MsiExec.exe
3744 rundll32.exe
2752 rundll32.exe

pid	process
2636	MsiExec.exe
3744	rundll32.exe
2752	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e56d5a4.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID76A.tmp-\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\e56d5a6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID76A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID76A.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID76A.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\e56d5a4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID76A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

4692 msiexec.exe
4692 msiexec.exe
2752 rundll32.exe
2752 rundll32.exe

pid	process
4692	msiexec.exe
4692	msiexec.exe
2752	rundll32.exe
2752	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3540	msiexec.exe
Token: SeSecurityPrivilege	4692	msiexec.exe
Token: SeCreateTokenPrivilege	3540	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3540	msiexec.exe
Token: SeLockMemoryPrivilege	3540	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3540	msiexec.exe
Token: SeMachineAccountPrivilege	3540	msiexec.exe
Token: SeTcbPrivilege	3540	msiexec.exe
Token: SeSecurityPrivilege	3540	msiexec.exe
Token: SeTakeOwnershipPrivilege	3540	msiexec.exe
Token: SeLoadDriverPrivilege	3540	msiexec.exe
Token: SeSystemProfilePrivilege	3540	msiexec.exe
Token: SeSystemtimePrivilege	3540	msiexec.exe
Token: SeProfSingleProcessPrivilege	3540	msiexec.exe
Token: SeIncBasePriorityPrivilege	3540	msiexec.exe
Token: SeCreatePagefilePrivilege	3540	msiexec.exe
Token: SeCreatePermanentPrivilege	3540	msiexec.exe
Token: SeBackupPrivilege	3540	msiexec.exe
Token: SeRestorePrivilege	3540	msiexec.exe
Token: SeShutdownPrivilege	3540	msiexec.exe
Token: SeDebugPrivilege	3540	msiexec.exe
Token: SeAuditPrivilege	3540	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3540	msiexec.exe
Token: SeChangeNotifyPrivilege	3540	msiexec.exe
Token: SeRemoteShutdownPrivilege	3540	msiexec.exe
Token: SeUndockPrivilege	3540	msiexec.exe
Token: SeSyncAgentPrivilege	3540	msiexec.exe
Token: SeEnableDelegationPrivilege	3540	msiexec.exe
Token: SeManageVolumePrivilege	3540	msiexec.exe
Token: SeImpersonatePrivilege	3540	msiexec.exe
Token: SeCreateGlobalPrivilege	3540	msiexec.exe
Token: SeBackupPrivilege	4924	vssvc.exe
Token: SeRestorePrivilege	4924	vssvc.exe
Token: SeAuditPrivilege	4924	vssvc.exe
Token: SeBackupPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe
Token: SeTakeOwnershipPrivilege	4692	msiexec.exe
Token: SeRestorePrivilege	4692	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3540 msiexec.exe
3540 msiexec.exe

pid	process
3540	msiexec.exe
3540	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4692 wrote to memory of 4276	4692	msiexec.exe	srtasks.exe
PID 4692 wrote to memory of 4276	4692	msiexec.exe	srtasks.exe
PID 4692 wrote to memory of 2636	4692	msiexec.exe	MsiExec.exe
PID 4692 wrote to memory of 2636	4692	msiexec.exe	MsiExec.exe
PID 2636 wrote to memory of 3744	2636	MsiExec.exe	rundll32.exe
PID 2636 wrote to memory of 3744	2636	MsiExec.exe	rundll32.exe
PID 3744 wrote to memory of 2752	3744	rundll32.exe	rundll32.exe
PID 3744 wrote to memory of 2752	3744	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_16-12-2022_16-47-34.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4276

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 0980C2872067E6990E05DAF7B62481DC
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID76A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240572437 2 test.cs!X1X3X2.Y1yY.Z3z1Z
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI6cf64a95.msi",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSI6cf64a95.msi
Filesize
1.2MB

MD5
2e39f1486c47b0ea7f3a03b01963c801

SHA1
39774ad2b8251f80647eac7df69aaca01a9d9502

SHA256
cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d

SHA512
0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae

Download Submit
C:\Users\Admin\AppData\Local\MSI6cf64a95.msi
Filesize
1.2MB

MD5
2e39f1486c47b0ea7f3a03b01963c801

SHA1
39774ad2b8251f80647eac7df69aaca01a9d9502

SHA256
cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d

SHA512
0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae

Download Submit
C:\Windows\Installer\MSID76A.tmp
Filesize
414KB

MD5
70df6dba7c06a4352493b4ba091f903b

SHA1
867c42e5a34517c23a1fc0521657c8aa8c56ce73

SHA256
28784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c

SHA512
38c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850

Download Submit
C:\Windows\Installer\MSID76A.tmp
Filesize
414KB

MD5
70df6dba7c06a4352493b4ba091f903b

SHA1
867c42e5a34517c23a1fc0521657c8aa8c56ce73

SHA256
28784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c

SHA512
38c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850

Download Submit
C:\Windows\Installer\MSID76A.tmp
Filesize
414KB

MD5
70df6dba7c06a4352493b4ba091f903b

SHA1
867c42e5a34517c23a1fc0521657c8aa8c56ce73

SHA256
28784b9fd983e17834d8026b8ea8fcdef49fb9fd0808be02ee6360a698dbdd0c

SHA512
38c22e0079d7835b0004a0cee7179a376d21691d6940ebd7f62d3a5f047fd92bcae1c2190be0b8599feaf8078c981b460dd5b53d4f476ba726c7f0b4e2209850

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
f53e77e48aaf152a2fab266ecd60eaf2

SHA1
202212d72aff9030995fcd7b7eca0921498ffd91

SHA256
e4a8ced8e86e00ebf3b3fe9e6d48345ac9dcb32939a44c4f13a90844fce8e54d

SHA512
12a02c8e0c7a89153d2e2068ef7dc7f194d1a10a1df418f36fef23dc8b434c832672d8f83e58ec49c55d004a3b922e29daac6a44017ff7680a5e65409f87be11

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ebbc2651-66bd-4749-a49f-8ca6b997393f}_OnDiskSnapshotProp
Filesize
5KB

MD5
af1c4b19d5e37f23099f0a8257d4c2c2

SHA1
012973bf142c2da033fe197c3577e5648833ac87

SHA256
d9bd30333a7d5e32e4b31e440043b9e69076a309191c3099e6f51dae292c4d8e

SHA512
2f3765a7b3388ce0084a30153847c9ea8aff1463a6508db54d5641975c1b4e5b1539dbb40d2ad278acc709b21061882e0e57e81d376e7f4ae171fa1694e43279

Download Submit
memory/2636-133-0x0000000000000000-mapping.dmp

Download
memory/2752-145-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/2752-142-0x0000000000000000-mapping.dmp

Download
memory/3744-141-0x000001FEDE3E0000-0x000001FEDEEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-136-0x0000000000000000-mapping.dmp

Download
memory/3744-140-0x000001FEDEFC0000-0x000001FEDF030000-memory.dmp

Filesize
448KB

Download
memory/3744-148-0x000001FEDE3E0000-0x000001FEDEEA1000-memory.dmp

Filesize
10.8MB

Download
memory/3744-139-0x000001FEDE2D0000-0x000001FEDE2DA000-memory.dmp

Filesize
40KB

Download
memory/3744-138-0x000001FEDE2E0000-0x000001FEDE30E000-memory.dmp

Filesize
184KB

Download
memory/4276-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads