icedid | aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40

General

Target

$RTKOW1B.zip
Size

827KB
MD5

bd1619082ee07b21fa40d532ef9cb8e4
SHA1

443713056deb34363bed0e165099412d23d4269d
SHA256

aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
SHA512

a19aa3cc69af6e83722bc79d5baa72336ed1bbb1c8297e2b4b068a95f31e51f1d5dde67e6cceebf0d0b4265866a0bd918db6f0f3b024f07383ac13721a6bd207
SSDEEP

24576:KoqpFTwvyQNR53uFPnTsuLJR6LJsDzpDO4lc0:KppFANnu9QmJR6LYK4lc0

Score

10^/10

icedid 3114391984 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3114391984

C2

estrabornhot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

4 876 rundll32.exe
5 876 rundll32.exe
6 876 rundll32.exe
7 984 rundll32.exe
8 876 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

876 rundll32.exe
984 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exerundll32.exe

pid process

876 rundll32.exe
876 rundll32.exe
984 rundll32.exe
984 rundll32.exe

flow	pid	process
4	876	rundll32.exe
5	876	rundll32.exe
6	876	rundll32.exe
7	984	rundll32.exe
8	876	rundll32.exe

pid	process
876	rundll32.exe
984	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	rundll32.exe

pid	process
876	rundll32.exe
876	rundll32.exe
984	rundll32.exe
984	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXE7zG.exe

description	pid	process
Token: 33	1960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1960	AUDIODG.EXE
Token: 33	1960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1960	AUDIODG.EXE
Token: SeRestorePrivilege	596	7zG.exe
Token: 35	596	7zG.exe
Token: SeSecurityPrivilege	596	7zG.exe
Token: SeSecurityPrivilege	596	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

596 7zG.exe

pid	process
596	7zG.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 1544	1104	cmd.exe	xcopy.exe
PID 1104 wrote to memory of 1544	1104	cmd.exe	xcopy.exe
PID 1104 wrote to memory of 1544	1104	cmd.exe	xcopy.exe
PID 1104 wrote to memory of 876	1104	cmd.exe	rundll32.exe
PID 1104 wrote to memory of 876	1104	cmd.exe	rundll32.exe
PID 1104 wrote to memory of 876	1104	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 1592	2040	cmd.exe	xcopy.exe
PID 2040 wrote to memory of 1592	2040	cmd.exe	xcopy.exe
PID 2040 wrote to memory of 1592	2040	cmd.exe	xcopy.exe
PID 1688 wrote to memory of 984	1688	cmd.exe	rundll32.exe
PID 1688 wrote to memory of 984	1688	cmd.exe	rundll32.exe
PID 1688 wrote to memory of 984	1688	cmd.exe	rundll32.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip
1⤵
PID:2028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso"
1⤵
PID:1584

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso"
1⤵
PID:1588

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap20643:136:7zEvent20319
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:1544

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:1592

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
1⤵
- Modifies registry class
PID:1064

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp init
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
1⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
Filesize
1KB

MD5
9f19dd31900efd76299b3664eda0cd3a

SHA1
028b44165c9995cae1035e06bb2d15027add44f8

SHA256
43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f

SHA512
9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f

Download Submit
\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
memory/876-61-0x0000000000000000-mapping.dmp

Download
memory/876-64-0x0000000000390000-0x0000000000399000-memory.dmp

Filesize
36KB

Download
memory/960-54-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/984-72-0x0000000000000000-mapping.dmp

Download
memory/1544-59-0x0000000000000000-mapping.dmp

Download
memory/1592-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing