icedid | 6b4239bdb1080b21570feba7058d87b35e18bc74c20c68611c2012002b8a0aa3

General

Target

Setup_Win_03-01-2023_08-37-05.msi
Size

772KB
MD5

f2d5895a8e66ef63e687e356dac665cf
SHA1

d5ec3af492980df0bcbca26ceb864177978ef69d
SHA256

6b4239bdb1080b21570feba7058d87b35e18bc74c20c68611c2012002b8a0aa3
SHA512

d1ff00a258a811f395e91dcca6a22e8dd839aef606f74d2ef78391e01d4ce13d490903b6d9378c114ba0f880cb698d76027e62e3832ea1a97fe4ba8cfb4bb1a8
SSDEEP

12288:GwHL0DpPMX/wg4ZqU0UmmhtNOOdpxoPcrDnS34y9RPF8L:vHL02vwglMtNjjoGS3bRPF8L

Score

10^/10

icedid 2957048208 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2957048208

C2

whothitheka.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

48 4820 rundll32.exe
53 4820 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exe

pid process

2868 MsiExec.exe
4556 rundll32.exe
4820 rundll32.exe

flow	pid	process
48	4820	rundll32.exe
53	4820	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rundll32.exe

pid	process
2868	MsiExec.exe
4556	rundll32.exe
4820	rundll32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exerundll32.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6F330B47-2577-43AD-9095-1861BA25889B}	msiexec.exe
File created	C:\Windows\Installer\e579d0d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA038.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA038.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA038.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e579d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA038.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA038.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\e579d0b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007c4a2b5d7b48cb040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007c4a2b5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007c4a2b5d000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

4912 msiexec.exe
4912 msiexec.exe
4820 rundll32.exe
4820 rundll32.exe

pid	process
4912	msiexec.exe
4912	msiexec.exe
4820	rundll32.exe
4820	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	3496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3496	msiexec.exe
Token: SeSecurityPrivilege	4912	msiexec.exe
Token: SeCreateTokenPrivilege	3496	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3496	msiexec.exe
Token: SeLockMemoryPrivilege	3496	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3496	msiexec.exe
Token: SeMachineAccountPrivilege	3496	msiexec.exe
Token: SeTcbPrivilege	3496	msiexec.exe
Token: SeSecurityPrivilege	3496	msiexec.exe
Token: SeTakeOwnershipPrivilege	3496	msiexec.exe
Token: SeLoadDriverPrivilege	3496	msiexec.exe
Token: SeSystemProfilePrivilege	3496	msiexec.exe
Token: SeSystemtimePrivilege	3496	msiexec.exe
Token: SeProfSingleProcessPrivilege	3496	msiexec.exe
Token: SeIncBasePriorityPrivilege	3496	msiexec.exe
Token: SeCreatePagefilePrivilege	3496	msiexec.exe
Token: SeCreatePermanentPrivilege	3496	msiexec.exe
Token: SeBackupPrivilege	3496	msiexec.exe
Token: SeRestorePrivilege	3496	msiexec.exe
Token: SeShutdownPrivilege	3496	msiexec.exe
Token: SeDebugPrivilege	3496	msiexec.exe
Token: SeAuditPrivilege	3496	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3496	msiexec.exe
Token: SeChangeNotifyPrivilege	3496	msiexec.exe
Token: SeRemoteShutdownPrivilege	3496	msiexec.exe
Token: SeUndockPrivilege	3496	msiexec.exe
Token: SeSyncAgentPrivilege	3496	msiexec.exe
Token: SeEnableDelegationPrivilege	3496	msiexec.exe
Token: SeManageVolumePrivilege	3496	msiexec.exe
Token: SeImpersonatePrivilege	3496	msiexec.exe
Token: SeCreateGlobalPrivilege	3496	msiexec.exe
Token: SeBackupPrivilege	3864	vssvc.exe
Token: SeRestorePrivilege	3864	vssvc.exe
Token: SeAuditPrivilege	3864	vssvc.exe
Token: SeBackupPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe
Token: SeTakeOwnershipPrivilege	4912	msiexec.exe
Token: SeRestorePrivilege	4912	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

3496 msiexec.exe
3496 msiexec.exe

pid	process
3496	msiexec.exe
3496	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exerundll32.exe

description	pid	process	target process
PID 4912 wrote to memory of 4520	4912	msiexec.exe	srtasks.exe
PID 4912 wrote to memory of 4520	4912	msiexec.exe	srtasks.exe
PID 4912 wrote to memory of 2868	4912	msiexec.exe	MsiExec.exe
PID 4912 wrote to memory of 2868	4912	msiexec.exe	MsiExec.exe
PID 2868 wrote to memory of 4556	2868	MsiExec.exe	rundll32.exe
PID 2868 wrote to memory of 4556	2868	MsiExec.exe	rundll32.exe
PID 4556 wrote to memory of 4820	4556	rundll32.exe	rundll32.exe
PID 4556 wrote to memory of 4820	4556	rundll32.exe	rundll32.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Setup_Win_03-01-2023_08-37-05.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4520

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 7A22E8A885D0D7CC658518F72A7D517B
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA038.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240623859 2 test.cs!X1X3X2.Y1yY.Z3z1Z
3⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSI55d858b2.msi",init
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

2

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSI55d858b2.msi
Filesize
323KB

MD5
460cf4e821b22e1b3df659a01ee8fb0a

SHA1
1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8

SHA256
338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a

SHA512
c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4

Download Submit
C:\Users\Admin\AppData\Local\MSI55d858b2.msi
Filesize
323KB

MD5
460cf4e821b22e1b3df659a01ee8fb0a

SHA1
1c5ea14ff5f7be7e3d3a62a0d531fc7d0d0a3bf8

SHA256
338c4e044fcd4f8b7429558c283eb13769e0e6afcbf14e9c6bc64d5cc9e3d79a

SHA512
c7bf8859feb207a1178e82402c82c8e4dbaaeae1de4c5220f22a874a8d01fa1944ad91c1d3157bc3f6c1b964a8ac16ab8d00c65fbfdc5d67c7b390afcbe3aec4

Download Submit
C:\Windows\Installer\MSIA038.tmp
Filesize
414KB

MD5
1ba38de0f34cc60b881c2e4cc37ea294

SHA1
e0d60e2843bbfa08cbf825f1c638cd67c7a2c5c0

SHA256
092ee0c919a6c8266113102ff4391363bb0ef9e067c21ee2d33d9d83d029527d

SHA512
ca9a9c8e44d1deda0b0f3ac10163b50e1c5e84db12acb1f7fca2305a6ebd21930e769f9a2f0a8261eeebdcb4276f3083466bb87841cc063cbaf5cebbabd51314

Download Submit
C:\Windows\Installer\MSIA038.tmp
Filesize
414KB

MD5
1ba38de0f34cc60b881c2e4cc37ea294

SHA1
e0d60e2843bbfa08cbf825f1c638cd67c7a2c5c0

SHA256
092ee0c919a6c8266113102ff4391363bb0ef9e067c21ee2d33d9d83d029527d

SHA512
ca9a9c8e44d1deda0b0f3ac10163b50e1c5e84db12acb1f7fca2305a6ebd21930e769f9a2f0a8261eeebdcb4276f3083466bb87841cc063cbaf5cebbabd51314

Download Submit
C:\Windows\Installer\MSIA038.tmp
Filesize
414KB

MD5
1ba38de0f34cc60b881c2e4cc37ea294

SHA1
e0d60e2843bbfa08cbf825f1c638cd67c7a2c5c0

SHA256
092ee0c919a6c8266113102ff4391363bb0ef9e067c21ee2d33d9d83d029527d

SHA512
ca9a9c8e44d1deda0b0f3ac10163b50e1c5e84db12acb1f7fca2305a6ebd21930e769f9a2f0a8261eeebdcb4276f3083466bb87841cc063cbaf5cebbabd51314

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
588c8eb76535b105d1b43123438a34e9

SHA1
4be70d7de1930506b15a4943c932b3df8e99b25d

SHA256
1a82cac04c5f2ce20c7489d7208ae86e753a1480cbc6205684f3b8a0bb9fd4f6

SHA512
b019d0d0e45208b12acd5f6ab77b3d06242d17a03ee6dfcd2046719326978d5d2f8e28fa4e4b96fb06dc649e1466e52f47c49daa29612e3f39e3f7852a5bbe55

Download Submit
\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f251147c-fd06-4ca3-a594-8a80013a963f}_OnDiskSnapshotProp
Filesize
5KB

MD5
a9977872d97636310914b4c6038ca7e2

SHA1
fd23481650168ae9f0f36725ab071da1492b56d8

SHA256
cbf18d44e0dfec3c0b3a18437f1ae9d72fa6b750a867b1e2f133c902c9a70662

SHA512
1682bb4385e48e36286e7ab486b5c8134f7d8e8cdb351479b2eb2a7d6d9d267a152653831d1e69b1a8b5fdbab13f65b57aaaaa0fe4d6521191f2c4af2a8351fe

Download Submit
memory/2868-133-0x0000000000000000-mapping.dmp

Download
memory/4520-132-0x0000000000000000-mapping.dmp

Download
memory/4556-138-0x000001F5D41E0000-0x000001F5D420E000-memory.dmp

Filesize
184KB

Download
memory/4556-141-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

Filesize
10.8MB

Download
memory/4556-140-0x000001F5D5B40000-0x000001F5D5BB0000-memory.dmp

Filesize
448KB

Download
memory/4556-147-0x00007FFE83F40000-0x00007FFE84A01000-memory.dmp

Filesize
10.8MB

Download
memory/4556-139-0x000001F5D41B0000-0x000001F5D41BA000-memory.dmp

Filesize
40KB

Download
memory/4556-136-0x0000000000000000-mapping.dmp

Download
memory/4820-142-0x0000000000000000-mapping.dmp

Download
memory/4820-145-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads