icedid | e519b8b79c30ff05cba6b43dc9a6bb03f715c053bb0e8e50abed123cf4f7f9ef

General

Target

Setup_Win_31-12-2022_01-50-16.msi
Size

772KB
MD5

4509edb7effdfc57e288bb7b23fa0180
SHA1

edd9910a9b2774e5a9a36ca096d299b092556016
SHA256

c0a063352598eae28f226207503d864a06f5490497b074a9390927793ea16bfd
SHA512

c6a321a42f6235e89b9c256ccdc2d697437baa07574c4da12e65a8c225a007f5da7a6e9b8e14d88a27de19d7b78b5375e3938c5be9054fa62f645fe2420afda0
SSDEEP

12288:TwHL0DpsMX/wg4ZqU0UmmhtNOOdpxoPcrDnS34y9RPF8L:0HL0tvwglMtNjjoGS3bRPF8L

Score

10^/10

icedid 2957048208 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2957048208

C2

whothitheka.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

31 3168 rundll32.exe
40 3168 rundll32.exe

flow	pid	process
31	3168	rundll32.exe
40	3168	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

1552 MsiExec.exe
2532 rundll32.exe
3168 rundll32.exe

pid	process
1552	MsiExec.exe
2532	rundll32.exe
3168	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI3D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e570254.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D9.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3D9.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3D9.tmp-\WixSharp.dll	rundll32.exe
File created	C:\Windows\Installer\e570252.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e570252.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

4896 msiexec.exe
4896 msiexec.exe
3168 rundll32.exe
3168 rundll32.exe

pid	process
4896	msiexec.exe
4896	msiexec.exe
3168	rundll32.exe
3168	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	5040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5040	msiexec.exe
Token: SeSecurityPrivilege	4896	msiexec.exe
Token: SeCreateTokenPrivilege	5040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5040	msiexec.exe
Token: SeLockMemoryPrivilege	5040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5040	msiexec.exe
Token: SeMachineAccountPrivilege	5040	msiexec.exe
Token: SeTcbPrivilege	5040	msiexec.exe
Token: SeSecurityPrivilege	5040	msiexec.exe
Token: SeTakeOwnershipPrivilege	5040	msiexec.exe
Token: SeLoadDriverPrivilege	5040	msiexec.exe
Token: SeSystemProfilePrivilege	5040	msiexec.exe
Token: SeSystemtimePrivilege	5040	msiexec.exe
Token: SeProfSingleProcessPrivilege	5040	msiexec.exe
Token: SeIncBasePriorityPrivilege	5040	msiexec.exe
Token: SeCreatePagefilePrivilege	5040	msiexec.exe
Token: SeCreatePermanentPrivilege	5040	msiexec.exe
Token: SeBackupPrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeShutdownPrivilege	5040	msiexec.exe
Token: SeDebugPrivilege	5040	msiexec.exe
Token: SeAuditPrivilege	5040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5040	msiexec.exe
Token: SeChangeNotifyPrivilege	5040	msiexec.exe
Token: SeRemoteShutdownPrivilege	5040	msiexec.exe
Token: SeUndockPrivilege	5040	msiexec.exe
Token: SeSyncAgentPrivilege	5040	msiexec.exe
Token: SeEnableDelegationPrivilege	5040	msiexec.exe
Token: SeManageVolumePrivilege	5040	msiexec.exe
Token: SeImpersonatePrivilege	5040	msiexec.exe
Token: SeCreateGlobalPrivilege	5040	msiexec.exe
Token: SeBackupPrivilege	424	vssvc.exe
Token: SeRestorePrivilege	424	vssvc.exe
Token: SeAuditPrivilege	424	vssvc.exe
Token: SeBackupPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe
Token: SeTakeOwnershipPrivilege	4896	msiexec.exe
Token: SeRestorePrivilege	4896	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

5040 msiexec.exe
5040 msiexec.exe

pid	process
5040	msiexec.exe
5040	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4896 wrote to memory of 1192	4896	msiexec.exe	srtasks.exe
PID 4896 wrote to memory of 1192	4896	msiexec.exe	srtasks.exe
PID 4896 wrote to memory of 1552	4896	msiexec.exe	MsiExec.exe
PID 4896 wrote to memory of 1552	4896	msiexec.exe	MsiExec.exe
PID 1552 wrote to memory of 2532	1552	MsiExec.exe	rundll32.exe
PID 1552 wrote to memory of 2532	1552	MsiExec.exe	rundll32.exe
PID 2532 wrote to memory of 3168	2532	rundll32.exe	rundll32.exe
PID 2532 wrote to memory of 3168	2532	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_31-12-2022_01-50-16.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1192
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 40568A6ABB70C3AB50A7192CBDDA1CE3
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240583750 2 test.cs!X1X3X2.Y1yY.Z3z1Z
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI688d8e4a.msi",init
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSI688d8e4a.msi

Filesize
323KB

MD5
460cf4e821b22e1b3df659a01ee8fb0a

SHA1
1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8

SHA256
338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a

SHA512
c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4

Download Submit
C:\Users\Admin\AppData\Local\MSI688d8e4a.msi

Filesize
323KB

MD5
460cf4e821b22e1b3df659a01ee8fb0a

SHA1
1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8

SHA256
338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a

SHA512
c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4

Download Submit
C:\Windows\Installer\MSI3D9.tmp

Filesize
414KB

MD5
93de80a9ce7643dd46c5486de3bbd321

SHA1
af84880e7259b812abc4d1bd4390d594e05f0f75

SHA256
e389c34819359687adc18cf20534842b9e66dc101ea8497e70d0ae217f7081eb

SHA512
0b0394914c6ca4ae401244f9690760f56937f69e6dc2b65033e3586aaa479508b13ae4b1f5a7308d96834756a8ca1ae97b6f5b360f2c429794c170c42e4e0c16

Download Submit
C:\Windows\Installer\MSI3D9.tmp

Filesize
414KB

MD5
93de80a9ce7643dd46c5486de3bbd321

SHA1
af84880e7259b812abc4d1bd4390d594e05f0f75

SHA256
e389c34819359687adc18cf20534842b9e66dc101ea8497e70d0ae217f7081eb

SHA512
0b0394914c6ca4ae401244f9690760f56937f69e6dc2b65033e3586aaa479508b13ae4b1f5a7308d96834756a8ca1ae97b6f5b360f2c429794c170c42e4e0c16

Download Submit
C:\Windows\Installer\MSI3D9.tmp

Filesize
414KB

MD5
93de80a9ce7643dd46c5486de3bbd321

SHA1
af84880e7259b812abc4d1bd4390d594e05f0f75

SHA256
e389c34819359687adc18cf20534842b9e66dc101ea8497e70d0ae217f7081eb

SHA512
0b0394914c6ca4ae401244f9690760f56937f69e6dc2b65033e3586aaa479508b13ae4b1f5a7308d96834756a8ca1ae97b6f5b360f2c429794c170c42e4e0c16

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b0250316bb07dcff5c175702435b5e0a

SHA1
3fd26ab7e886831d1590e74702400298f340ade7

SHA256
5d0aa6603993a70a68dcc0bf754f67f631b5dcc2a3c8b3a80f58066461ea19f3

SHA512
fe23c3b189c3080720923400cde6e6798b2028601d8c147c98f2f65a06c12518103d2db98d64e9038679037735069f100068674bcb3ad7e1b970c99fe4d900d5

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ec684296-b889-418d-baa0-d6d123547502}_OnDiskSnapshotProp

Filesize
5KB

MD5
580e77a08fc0671b5291623ae95ea37e

SHA1
d3f40b5d54cb673befee8032df8d5913804d3f5d

SHA256
b80189c11fc4558848d431847868dce6dfa8f198c5b88c9fedac0d10419f652f

SHA512
3fe2fc7121178b8e14c2b6eef5d50de651be9b2abb15b0c38f992415cfbc771047cb6f72c25c9d5139d6844523dcbd580387aef8f75d6886cdcaabe7093d3440

Download Submit
memory/1192-132-0x0000000000000000-mapping.dmp

Download
memory/1552-133-0x0000000000000000-mapping.dmp

Download
memory/2532-140-0x000001551CE00000-0x000001551CE70000-memory.dmp

Filesize
448KB

Download
memory/2532-141-0x00007FFF2B870000-0x00007FFF2C331000-memory.dmp

Filesize
10.8MB

Download
memory/2532-145-0x00007FFF2B870000-0x00007FFF2C331000-memory.dmp

Filesize
10.8MB

Download
memory/2532-139-0x00000155026A0000-0x00000155026AA000-memory.dmp

Filesize
40KB

Download
memory/2532-138-0x0000015502960000-0x000001550298E000-memory.dmp

Filesize
184KB

Download
memory/2532-136-0x0000000000000000-mapping.dmp

Download
memory/3168-142-0x0000000000000000-mapping.dmp

Download
memory/3168-146-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads