icedid | 1e85bf506aeb16fac2ce8e8c873991abe86d5afa2ad0148d57b4f080a675ede8

General

Target

Setup_Win_19-12-2022_13-01-59.msi
Size

1.6MB
MD5

1288db9034ce84b91c7d9a66214917ce
SHA1

1732dca74c60413d35bb7fe95f3485de4c84e095
SHA256

1e85bf506aeb16fac2ce8e8c873991abe86d5afa2ad0148d57b4f080a675ede8
SHA512

9ea1f54d646257ec77b98973224cca610a191456cf565897fa74fda3ff6ea602398c7133d0b641f2746e5c58f30cf31f93f7b221fb499f2aed1420e34df494de
SSDEEP

24576:aHL0lvwglMtNroES7S8asBci5cRMyBAUIqw5NOcH9iIDMNUEer0OVTm10ku2w:ar0eglMbr3SWpsWjRMMKIIDB/k

Score

10^/10

icedid 1228806356 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1228806356

C2

klepdrafooip.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

54 3020 rundll32.exe
58 3020 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

2632 MsiExec.exe
3488 rundll32.exe
3020 rundll32.exe

flow	pid	process
54	3020	rundll32.exe
58	3020	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rundll32.exe

pid	process
2632	MsiExec.exe
3488	rundll32.exe
3020	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSICFE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFE4.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFE4.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFE4.tmp-\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\e57cca6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEF8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File created	C:\Windows\Installer\e57cca8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFE4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e57cca6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007c4a2b5d7b48cb040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007c4a2b5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007c4a2b5d000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

4940 msiexec.exe
4940 msiexec.exe
3020 rundll32.exe
3020 rundll32.exe

pid	process
4940	msiexec.exe
4940	msiexec.exe
3020	rundll32.exe
3020	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1504	msiexec.exe
Token: SeSecurityPrivilege	4940	msiexec.exe
Token: SeCreateTokenPrivilege	1504	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1504	msiexec.exe
Token: SeLockMemoryPrivilege	1504	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1504	msiexec.exe
Token: SeMachineAccountPrivilege	1504	msiexec.exe
Token: SeTcbPrivilege	1504	msiexec.exe
Token: SeSecurityPrivilege	1504	msiexec.exe
Token: SeTakeOwnershipPrivilege	1504	msiexec.exe
Token: SeLoadDriverPrivilege	1504	msiexec.exe
Token: SeSystemProfilePrivilege	1504	msiexec.exe
Token: SeSystemtimePrivilege	1504	msiexec.exe
Token: SeProfSingleProcessPrivilege	1504	msiexec.exe
Token: SeIncBasePriorityPrivilege	1504	msiexec.exe
Token: SeCreatePagefilePrivilege	1504	msiexec.exe
Token: SeCreatePermanentPrivilege	1504	msiexec.exe
Token: SeBackupPrivilege	1504	msiexec.exe
Token: SeRestorePrivilege	1504	msiexec.exe
Token: SeShutdownPrivilege	1504	msiexec.exe
Token: SeDebugPrivilege	1504	msiexec.exe
Token: SeAuditPrivilege	1504	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1504	msiexec.exe
Token: SeChangeNotifyPrivilege	1504	msiexec.exe
Token: SeRemoteShutdownPrivilege	1504	msiexec.exe
Token: SeUndockPrivilege	1504	msiexec.exe
Token: SeSyncAgentPrivilege	1504	msiexec.exe
Token: SeEnableDelegationPrivilege	1504	msiexec.exe
Token: SeManageVolumePrivilege	1504	msiexec.exe
Token: SeImpersonatePrivilege	1504	msiexec.exe
Token: SeCreateGlobalPrivilege	1504	msiexec.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe
Token: SeBackupPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1504 msiexec.exe
1504 msiexec.exe

pid	process
1504	msiexec.exe
1504	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4940 wrote to memory of 3084	4940	msiexec.exe	srtasks.exe
PID 4940 wrote to memory of 3084	4940	msiexec.exe	srtasks.exe
PID 4940 wrote to memory of 2632	4940	msiexec.exe	MsiExec.exe
PID 4940 wrote to memory of 2632	4940	msiexec.exe	MsiExec.exe
PID 2632 wrote to memory of 3488	2632	MsiExec.exe	rundll32.exe
PID 2632 wrote to memory of 3488	2632	MsiExec.exe	rundll32.exe
PID 3488 wrote to memory of 3020	3488	rundll32.exe	rundll32.exe
PID 3488 wrote to memory of 3020	3488	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_19-12-2022_13-01-59.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3084

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 54EE5EE18C14A017152973ED9E7C168F
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICFE4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240636062 2 test.cs!X1X3X2.Y1yY.Z3z1Z
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIeebd5e4e.msi",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSIeebd5e4e.msi
Filesize
1.2MB

MD5
2e39f1486c47b0ea7f3a03b01963c801

SHA1
39774ad2b8251f80647eac7df69aaca01a9d9502

SHA256
cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d

SHA512
0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae

Download Submit
C:\Users\Admin\AppData\Local\MSIeebd5e4e.msi
Filesize
1.2MB

MD5
2e39f1486c47b0ea7f3a03b01963c801

SHA1
39774ad2b8251f80647eac7df69aaca01a9d9502

SHA256
cd65a3c349da4da45a26d8d4e3c07ef4045679feb458221a391375e3e328d52d

SHA512
0412565a0df35037a93deaa2621a9b379deb053d488c4cc24492dae6bee6dde34ad23976830c616dd2ecd2dbcbbb373cb2fc18392f36634b7fba7899eca9c7ae

Download Submit
C:\Windows\Installer\MSICFE4.tmp
Filesize
414KB

MD5
36b5eecaf5207376081e459423d3f3fb

SHA1
3ebd5d7e10a09f2f005d369b28200b9ccdcb300c

SHA256
8b80a7f390a25b5ab5e24cff4fb343e66f357844a49e1ea0fa39cbec2e6f3aa3

SHA512
f269a11d69ed8b70eba76e4e61f0d4d0aad324447dbe5e9cabd994d24c9655dbde0acb82ce8cbed1ab65b2eaff588c6c96fec14b490774e5a4db28b286ec5aac

Download Submit
C:\Windows\Installer\MSICFE4.tmp
Filesize
414KB

MD5
36b5eecaf5207376081e459423d3f3fb

SHA1
3ebd5d7e10a09f2f005d369b28200b9ccdcb300c

SHA256
8b80a7f390a25b5ab5e24cff4fb343e66f357844a49e1ea0fa39cbec2e6f3aa3

SHA512
f269a11d69ed8b70eba76e4e61f0d4d0aad324447dbe5e9cabd994d24c9655dbde0acb82ce8cbed1ab65b2eaff588c6c96fec14b490774e5a4db28b286ec5aac

Download Submit
C:\Windows\Installer\MSICFE4.tmp
Filesize
414KB

MD5
36b5eecaf5207376081e459423d3f3fb

SHA1
3ebd5d7e10a09f2f005d369b28200b9ccdcb300c

SHA256
8b80a7f390a25b5ab5e24cff4fb343e66f357844a49e1ea0fa39cbec2e6f3aa3

SHA512
f269a11d69ed8b70eba76e4e61f0d4d0aad324447dbe5e9cabd994d24c9655dbde0acb82ce8cbed1ab65b2eaff588c6c96fec14b490774e5a4db28b286ec5aac

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
6c8fc1db7ce7ebe8f14966ae8fef4b3d

SHA1
641dcad57d027424e7c7f0c7f70175de8805c6e7

SHA256
026f2af7a8c898c226eb991d7a4f975abdfd1bb551806a107bdbf2c57812ff39

SHA512
c0aac0e8af184ac504804de8e29e5555d62f29cf369f3ce22d462946bd108f817497e1bb4782a2e1454a4492eeffe7c021c07e9757dfb4058859770c8d28800e

Download Submit
\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8354c29e-d2ee-4fac-bb40-8d26160161ce}_OnDiskSnapshotProp
Filesize
5KB

MD5
54e32bf0a2a6f116285451c607a131a6

SHA1
c4caaf1d5ee2b54179c73c1532223db28a79b094

SHA256
150608e45a75878ddd80c53e51ca34033a34c0d99414d061443de75fe09a82d2

SHA512
c9f1bba8d1e08e0d293eb73eae8c38f2a8643df4d3a885e982fe449ad1d1e30429b8bb8d28b8b471a5cc358cba13105707adb48b3036def994e3475e6d580ebc

Download Submit
memory/2632-133-0x0000000000000000-mapping.dmp

Download
memory/3020-146-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3020-142-0x0000000000000000-mapping.dmp

Download
memory/3084-132-0x0000000000000000-mapping.dmp

Download
memory/3488-138-0x00000279C9560000-0x00000279C958E000-memory.dmp

Filesize
184KB

Download
memory/3488-140-0x00000279C9740000-0x00000279C97B0000-memory.dmp

Filesize
448KB

Download
memory/3488-145-0x00007FF8EBBA0000-0x00007FF8EC661000-memory.dmp

Filesize
10.8MB

Download
memory/3488-141-0x00007FF8EBBA0000-0x00007FF8EC661000-memory.dmp

Filesize
10.8MB

Download
memory/3488-139-0x00000279C9530000-0x00000279C953A000-memory.dmp

Filesize
40KB

Download
memory/3488-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads