icedid | a8b62a647ee1bf728c8c10276da781f8ae6e194aa95c1fb225671913d49869e1

Analysis

max time kernel
122s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2023 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INV_Scan_Jan.lnk
Size

1KB
MD5

fadc02361419018e406c6260200fa66c
SHA1

699e8bd78feaa75fbf411535a2f232038dc7af09
SHA256

4fbda5d7ac20f4ecef665c9379ea86f7dcc2ac7816c97601223f12a51a3e3e68
SHA512

96b87b914130e5eb5d96594797af7aaa6dc908028afead3d79d02912f20a333df0703a5972e228f268decf0d3821f005a0d716b2c69e7767dbc8495e21a4bfef

Score

10^/10

icedid 886885680 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

886885680

umousteraton.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

7 2300 rundll32.exe
43 2300 rundll32.exe
47 2300 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2300 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2300 rundll32.exe
2300 rundll32.exe

flow	pid	process
7	2300	rundll32.exe
43	2300	rundll32.exe
47	2300	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
2300	rundll32.exe

pid	process
2300	rundll32.exe
2300	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2324 wrote to memory of 3676	2324	cmd.exe	cmd.exe
PID 2324 wrote to memory of 3676	2324	cmd.exe	cmd.exe
PID 3676 wrote to memory of 3152	3676	cmd.exe	xcopy.exe
PID 3676 wrote to memory of 3152	3676	cmd.exe	xcopy.exe
PID 3676 wrote to memory of 2300	3676	cmd.exe	rundll32.exe
PID 3676 wrote to memory of 2300	3676	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\INV_Scan_Jan.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hublamjogk\bowsaptoyU.cmd A B C D E F G H I J X L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
2⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hublamjogk\skysurfing.dat C:\Users\Admin\AppData\Local\Temp\*
3⤵
PID:3152

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\skysurfing.dat,init
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\skysurfing.dat
Filesize
514KB

MD5
0b44756101b2f2a79341c08bfebbaf46

SHA1
a7eee2811565316f074f3b3e97eb56c4298eebb4

SHA256
ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd

SHA512
a1d2003a31b7cf15d7b7ab1c9bb86ce4eb4a5d510349972677b5fcdceaf7d106eacb87f946c95d756a892dc962e4144f2bb184a3376e11e97e80f8e05b4ff794

Download Submit
C:\Users\Admin\AppData\Local\Temp\skysurfing.dat
Filesize
514KB

MD5
0b44756101b2f2a79341c08bfebbaf46

SHA1
a7eee2811565316f074f3b3e97eb56c4298eebb4

SHA256
ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd

SHA512
a1d2003a31b7cf15d7b7ab1c9bb86ce4eb4a5d510349972677b5fcdceaf7d106eacb87f946c95d756a892dc962e4144f2bb184a3376e11e97e80f8e05b4ff794

Download Submit
memory/2300-134-0x0000000000000000-mapping.dmp

Download
memory/2300-137-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3152-133-0x0000000000000000-mapping.dmp

Download
memory/3676-132-0x0000000000000000-mapping.dmp

Download