icedid | eae56a04a2d97fa21725cdada3dbf537c299eb8fa86a71e186c92ac42194cfa6

General

Target

Setup_Win_16-12-2022_16-44-02.msi
Size

1.6MB
MD5

3c73ad35ebf42f6a1d86ccc38c9064bf
SHA1

373b8c8703d210309dbf5c0e16273291cf178410
SHA256

eae56a04a2d97fa21725cdada3dbf537c299eb8fa86a71e186c92ac42194cfa6
SHA512

c92b5b7196197f84b457d8c23964612c907ae72bdeaf4489d95caee2b0c3c0216717905db0194827341922d19f7fb31531a8a7caf79ec6e603c6ea3040b6ff13
SSDEEP

24576:aHL0EvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:ar03glMbr3SWpsWjRMMKIIDB/k

Score

10^/10

icedid 1228806356 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1228806356

C2

klepdrafooip.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

32 2804 rundll32.exe
43 2804 rundll32.exe

flow	pid	process
32	2804	rundll32.exe
43	2804	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

1216 MsiExec.exe
880 rundll32.exe
2804 rundll32.exe

pid	process
1216	MsiExec.exe
880	rundll32.exe
2804	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File created	C:\Windows\Installer\e56ca1b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC00.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC00.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICC00.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e56ca1b.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB73.tmp	msiexec.exe
File created	C:\Windows\Installer\e56ca1d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC00.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICC00.tmp-\WixSharp.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

1132 msiexec.exe
1132 msiexec.exe
2804 rundll32.exe
2804 rundll32.exe

pid	process
1132	msiexec.exe
1132	msiexec.exe
2804	rundll32.exe
2804	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1988	msiexec.exe
Token: SeSecurityPrivilege	1132	msiexec.exe
Token: SeCreateTokenPrivilege	1988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1988	msiexec.exe
Token: SeLockMemoryPrivilege	1988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1988	msiexec.exe
Token: SeMachineAccountPrivilege	1988	msiexec.exe
Token: SeTcbPrivilege	1988	msiexec.exe
Token: SeSecurityPrivilege	1988	msiexec.exe
Token: SeTakeOwnershipPrivilege	1988	msiexec.exe
Token: SeLoadDriverPrivilege	1988	msiexec.exe
Token: SeSystemProfilePrivilege	1988	msiexec.exe
Token: SeSystemtimePrivilege	1988	msiexec.exe
Token: SeProfSingleProcessPrivilege	1988	msiexec.exe
Token: SeIncBasePriorityPrivilege	1988	msiexec.exe
Token: SeCreatePagefilePrivilege	1988	msiexec.exe
Token: SeCreatePermanentPrivilege	1988	msiexec.exe
Token: SeBackupPrivilege	1988	msiexec.exe
Token: SeRestorePrivilege	1988	msiexec.exe
Token: SeShutdownPrivilege	1988	msiexec.exe
Token: SeDebugPrivilege	1988	msiexec.exe
Token: SeAuditPrivilege	1988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1988	msiexec.exe
Token: SeChangeNotifyPrivilege	1988	msiexec.exe
Token: SeRemoteShutdownPrivilege	1988	msiexec.exe
Token: SeUndockPrivilege	1988	msiexec.exe
Token: SeSyncAgentPrivilege	1988	msiexec.exe
Token: SeEnableDelegationPrivilege	1988	msiexec.exe
Token: SeManageVolumePrivilege	1988	msiexec.exe
Token: SeImpersonatePrivilege	1988	msiexec.exe
Token: SeCreateGlobalPrivilege	1988	msiexec.exe
Token: SeBackupPrivilege	4632	vssvc.exe
Token: SeRestorePrivilege	4632	vssvc.exe
Token: SeAuditPrivilege	4632	vssvc.exe
Token: SeBackupPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe
Token: SeTakeOwnershipPrivilege	1132	msiexec.exe
Token: SeRestorePrivilege	1132	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1988 msiexec.exe
1988 msiexec.exe

pid	process
1988	msiexec.exe
1988	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 1132 wrote to memory of 2584	1132	msiexec.exe	srtasks.exe
PID 1132 wrote to memory of 2584	1132	msiexec.exe	srtasks.exe
PID 1132 wrote to memory of 1216	1132	msiexec.exe	MsiExec.exe
PID 1132 wrote to memory of 1216	1132	msiexec.exe	MsiExec.exe
PID 1216 wrote to memory of 880	1216	MsiExec.exe	rundll32.exe
PID 1216 wrote to memory of 880	1216	MsiExec.exe	rundll32.exe
PID 880 wrote to memory of 2804	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2804	880	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_16-12-2022_16-44-02.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2584

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding FEF10BA23FA91752537442108A7EB6EE
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICC00.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240569484 2 test.cs!X1X3X2.Y1yY.Z3z1Z
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIde89e1f9.msi",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSIde89e1f9.msi
Filesize
1.2MB

MD5
2e39f1486c47b0ea7f3a03b01963c801

SHA1
39774ad2b8251f80647eac7df69aaca01a9d9502

SHA256
cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d

SHA512
0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae

Download Submit
C:\Users\Admin\AppData\Local\MSIde89e1f9.msi
Filesize
1.2MB

MD5
2e39f1486c47b0ea7f3a03b01963c801

SHA1
39774ad2b8251f80647eac7df69aaca01a9d9502

SHA256
cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d

SHA512
0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae

Download Submit
C:\Windows\Installer\MSICC00.tmp
Filesize
414KB

MD5
fe611fb385e6e26410bd25fb112810d6

SHA1
e76a1f6842d7c5137539732ca54604f3c033d802

SHA256
09d882fed272c3648bf53a54ffc6c96103c0668ef05c69603ba3c1e045339cb7

SHA512
850978d5846781f50c35711395c5ab7c354cdd21f69fca73b4f6a7150de4e8385a494b62b56fc23b1ed4eff4721ced8a797297fd254baa58d197f36d7eb9e92d

Download Submit
C:\Windows\Installer\MSICC00.tmp
Filesize
414KB

MD5
fe611fb385e6e26410bd25fb112810d6

SHA1
e76a1f6842d7c5137539732ca54604f3c033d802

SHA256
09d882fed272c3648bf53a54ffc6c96103c0668ef05c69603ba3c1e045339cb7

SHA512
850978d5846781f50c35711395c5ab7c354cdd21f69fca73b4f6a7150de4e8385a494b62b56fc23b1ed4eff4721ced8a797297fd254baa58d197f36d7eb9e92d

Download Submit
C:\Windows\Installer\MSICC00.tmp
Filesize
414KB

MD5
fe611fb385e6e26410bd25fb112810d6

SHA1
e76a1f6842d7c5137539732ca54604f3c033d802

SHA256
09d882fed272c3648bf53a54ffc6c96103c0668ef05c69603ba3c1e045339cb7

SHA512
850978d5846781f50c35711395c5ab7c354cdd21f69fca73b4f6a7150de4e8385a494b62b56fc23b1ed4eff4721ced8a797297fd254baa58d197f36d7eb9e92d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
fbd34bcd5f4cab0cb59fb68d4370ad0b

SHA1
d6a047dd8e35e7f2a628f6281c19af1d0df60221

SHA256
48105b69d4b2ddacc8a76e073367688e45f302fb095262e931f29376d0189c32

SHA512
c89eef4c4d5d36a29b5528ed241ee028c556082743afbadff1435c1b675ca439ea9873339c417d618937ea1732624dfb4597c02168de28f38d4d431d3028b6ed

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a512bc84-48d1-4fc8-95d5-e6442b6d8084}_OnDiskSnapshotProp
Filesize
5KB

MD5
ff06122424422d029fe12044c7db52c3

SHA1
8059683359c0ad793f1eedc288ccffdc1500efc0

SHA256
71c415a7ddb1210bfa98eeee45ae4831874d2fd9ea55a3684aa279e28c43a7f5

SHA512
7e78a54ca8a9692301f01fa05b410c0c9595523a6253c42241848a9cb2d429598e8f0b005cd44bf53743ce08b509308fe1c7ffb8c8b920a408c48b74ff5c1fb4

Download Submit
memory/880-138-0x000002B5AB6F0000-0x000002B5AB71E000-memory.dmp

Filesize
184KB

Download
memory/880-139-0x000002B5AB6E0000-0x000002B5AB6EA000-memory.dmp

Filesize
40KB

Download
memory/880-140-0x000002B5C3F20000-0x000002B5C3F90000-memory.dmp

Filesize
448KB

Download
memory/880-141-0x00007FF895790000-0x00007FF896251000-memory.dmp

Filesize
10.8MB

Download
memory/880-136-0x0000000000000000-mapping.dmp

Download
memory/880-148-0x00007FF895790000-0x00007FF896251000-memory.dmp

Filesize
10.8MB

Download
memory/1216-133-0x0000000000000000-mapping.dmp

Download
memory/2584-132-0x0000000000000000-mapping.dmp

Download
memory/2804-142-0x0000000000000000-mapping.dmp

Download
memory/2804-145-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads