icedid | e0d40aaf4e09fa69aaf6ee0858b18a6d9f036737914dd42061d8a10e2595929d

Resubmissions

11-01-2023 12:28

230111-pnnr6afh6y 10

11-01-2023 12:27

230111-pm114afh6x 1

Analysis

max time kernel
243s
max time network
247s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inv_246_Jan-01_Copy.zip
Size

338KB
MD5

476898988e061573ae520e22513b8ce6
SHA1

0509467c8301dbb173ed2b68433e3bfa918cc75e
SHA256

e0d40aaf4e09fa69aaf6ee0858b18a6d9f036737914dd42061d8a10e2595929d
SHA512

40a202c8cf276cc9baf0ae5af3d5869849d31ce798592344770e7a8ad65c9260b08d2dae88be8765c24023e363af9a31137f61349aefa12ee27c939f68e4b793
SSDEEP

6144:f9mKHBHklhbsbNEMepLNgrl803tGv+k0fP/QjvfqtEjOlWMlW:L1KtK6LNylVtbP/QIIxMlW

Score

10^/10

icedid 3131022508 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3131022508

wagringamuk.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

4 1744 rundll32.exe
5 1744 rundll32.exe
6 1744 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1744 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1744 rundll32.exe
1744 rundll32.exe

flow	pid	process
4	1744	rundll32.exe
5	1744	rundll32.exe
6	1744	rundll32.exe

pid	process
1744	rundll32.exe

pid	process
1744	rundll32.exe
1744	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXE7zG.exe

description	pid	process
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE
Token: 33	1748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1748	AUDIODG.EXE
Token: SeRestorePrivilege	1648	7zG.exe
Token: 35	1648	7zG.exe
Token: SeSecurityPrivilege	1648	7zG.exe
Token: SeSecurityPrivilege	1648	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1648 7zG.exe

pid	process
1648	7zG.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 316	2008	cmd.exe	xcopy.exe
PID 2008 wrote to memory of 316	2008	cmd.exe	xcopy.exe
PID 2008 wrote to memory of 316	2008	cmd.exe	xcopy.exe
PID 2008 wrote to memory of 1744	2008	cmd.exe	rundll32.exe
PID 2008 wrote to memory of 1744	2008	cmd.exe	rundll32.exe
PID 2008 wrote to memory of 1744	2008	cmd.exe	rundll32.exe
PID 976 wrote to memory of 1624	976	cmd.exe	xcopy.exe
PID 976 wrote to memory of 1624	976	cmd.exe	xcopy.exe
PID 976 wrote to memory of 1624	976	cmd.exe	xcopy.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Inv_246_Jan-01_Copy.zip
1⤵
PID:1088

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy.iso"
1⤵
PID:1488

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\" -spe -an -ai#7zMap12136:96:7zEvent4592
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c endgasmagg\gaganylita.cmd A B C D E F G H I J K L M N O P s R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h endgasmagg\housebreaking.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:316

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\housebreaking.dat,init
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\endgasmagg\gaganylita.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h endgasmagg\housebreaking.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\housebreaking.dat
Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\endgasmagg\gaganylita.cmd
Filesize
1KB

MD5
f4ea115a31045d06a7c108c27db77563

SHA1
30737067b1496192c4e78f992245d2ff40002ad0

SHA256
785cf3ad80b7bec87cd9666ef2bd0ea384ac83e7208241616e57f93c5bde5531

SHA512
1debd75fbdfa81a0aada1e7b114451a4f5cc617a18b59e378f07bbebd78908107efa6ff86090089e5963ed91c6a017e89fc2310838b7b7edbf0bc20f5ef13f81

Download Submit
C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\endgasmagg\housebreaking.dat
Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
\Users\Admin\AppData\Local\Temp\housebreaking.dat
Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
memory/316-58-0x0000000000000000-mapping.dmp

Download
memory/384-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1624-69-0x0000000000000000-mapping.dmp

Download
memory/1744-60-0x0000000000000000-mapping.dmp

Download
memory/1744-63-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download