icedid | 045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d

Resubmissions

17/07/2023, 10:29

230717-mh8t2aca5s 10

14/05/2023, 09:58

230514-lzglfabe43 10

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d.exe
Size

606KB
MD5

1390522ffab99c828865258eb7a6aa8c
SHA1

cc2da386b0bca123c7fe5b7568ca69644ffaf947
SHA256

045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d
SHA512

0dfd1403bf1ac506ceac717c1051375687dd9730c77889e118583160a4168e7a24437109c59a356c961ff4098a1c5a92f1d1add8ab309b30621cae6e3a5119cb
SSDEEP

12288:ylOUH52LLvBH1f4SZ/USfXPiu1+3JxMnsBzXT80ZqC:ylOUH52LdH1gSlUsp+3XMuv8

Score

10^/10

icedid 997059431 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

997059431

gintoonafa.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{93B83129-DDD3-4A96-83FD-84E44E7365F9}.catalogItem	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2800	045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d.exe
2800	045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3712	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d.exe
"C:\Users\Admin\AppData\Local\Temp\045bf7ea6ea419f43ef8cba44dffb9727e205f1b983f418acc655e66b2de8c1d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1556

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu9F8C.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
10f86492068323d56d346641de3c23e3

SHA1
102bec490c60a448f5677cb7cd31bfb66afc6626

SHA256
8c197db8d82434fbbc2c8394dc8f073fef84c356c3bdc87c3b44438c700cf898

SHA512
30ebb9745873244438b10776de068f26cf1bec7db77171b480dc42d42cf4fda594c7bf0a8756a39a749070d179ec84f06b02ce792a462d9cb33931451f26e172

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
680a93a6f3a06b74e464781935b8d685

SHA1
a24313cbb96e0c33bf5cb89eba6f2b0ac103d5cc

SHA256
5d249d697b0f2ee321dfd2bedb20deab5a74e9c6e67c3a44ba7678af87876ef8

SHA512
2bf23804de1d9222b7853821985f6a6c1f8845426c4be2c56367e105ec10ae2d80380bd62e36daf91816d4585f46b36e850ab10b1b6c6f10e1765d5dae3e5899

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
10685a89bb6bab5da0c54b5efab42fc2

SHA1
1c5f7923507b1260c48180abcd0896004bd20374

SHA256
e020f616ddbb26f1fdb9a59c5e402141c024da5d353d4b4ea7cda864f721a592

SHA512
4323f0e9d06bb54b61a572a53dc483f03f5d6a88540d663dda7941f1e3556f673b3b6cadab74071272c711dfcc69065785a95b45ecbbfb3be9569e4a4e598c8c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
88bce416e931382180b470973dee1d48

SHA1
2c5957de232f852ea460803cc5f33b1b7cf6a15a

SHA256
7e921b7ffd1c63762d2c2ee417c764cff50783f7d402d145f3ab77156388c8ff

SHA512
c075ff8cb3919cf9fd432588e5c1d7b691d82a07cb251fafec0dba565187c5c1e802ad944ef06d41e38baa5d7b95b749bbb6b377561f2f445a9b7ee836e33e03

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
123f1f4478e5e2e5791169b7de735bb6

SHA1
62755a69d9fd219729afe5c1455bf52040a00007

SHA256
b0c1ce4004404708093819bafb02700a82d1318e9395be5b078305bf4cb6836f

SHA512
3e27924029e944e8d107d3437e8eed707197803a6d552a61b3632244ae802653c12d56fcad3f13cd93a2ed27348effb1474d94add6c7f73917c5675b51cea709

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
73140a5e08d75313d9ae9dcb22f1d255

SHA1
a7fd3f888e41dfc9b78a259f6ef09f87ffc57ce2

SHA256
a08f66262e46e38a49b8821720606df8983ca0b3a5f9f5f2703b2dfe0bd1b13d

SHA512
5b72ef364705af69ec9d13b7356c15b1671d94466c175d253737fec468eca78d74b3fbc1055fcdc915521a7066981d0645a486c16a7fe0587993e4e742636e2e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a982c87407f574c01a82cf9c9eb473e8

SHA1
b5f0d336ee46ac0670b726ca24899edbcffbce9e

SHA256
4db05d53949cf48a1bb97f0280e208e5f0268dc17fa03de2b35ab74e527163aa

SHA512
993def75161250512e06f077ad1d339e29d3720ce6625b6348d10cdd6809289cd4f8d1ea7c476682bfe642ae7db9925147a57885f52d3b551931da4fdd7815a2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
8ae5c32b21eae6158db2440c2767e2e7

SHA1
c7d8dbe585495b8310fe8b995dc39dc3f4d52229

SHA256
f6faa80118157b93ae56b617e387cbd6a7f70f6611ce53461cb6e43b234819ae

SHA512
5bce5a4871983911afdcf6f8146947334b5fcc7bba5d9a478845535d6b74fa6b423ac2a5e951bea34ccc4aabd8a29902ef95d19cbd0183b207427d7bc1110498

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
70a9554ee358543880e9638f4bc66139

SHA1
c1528f03133a062a2acff48e75e7d651352251dc

SHA256
d84bda13774157b5420f74840c73f54c98ea5f9f413ca18c02c276d65f3c9220

SHA512
fd552cfa0eb205c0a1cb8c107fe5a8f12e3cfad310beb235d24ee71d06750663ff58eeb4336ba5d28c8b9d5ea2b33185a2eb5a55df66a05ab932eaf39d739651

Download Submit
memory/2800-253-0x00000177B7740000-0x00000177B7748000-memory.dmp

Filesize
32KB

Download
memory/2800-252-0x00000177B79B0000-0x00000177B79E5000-memory.dmp

Filesize
212KB

Download
memory/3712-393-0x000001CEA2740000-0x000001CEA2750000-memory.dmp

Filesize
64KB

Download
memory/3712-409-0x000001CEAAA50000-0x000001CEAAA51000-memory.dmp

Filesize
4KB

Download
memory/3712-411-0x000001CEAAA80000-0x000001CEAAA81000-memory.dmp

Filesize
4KB

Download
memory/3712-412-0x000001CEAAA80000-0x000001CEAAA81000-memory.dmp

Filesize
4KB

Download
memory/3712-413-0x000001CEAAB90000-0x000001CEAAB91000-memory.dmp

Filesize
4KB

Download
memory/3712-377-0x000001CEA2640000-0x000001CEA2650000-memory.dmp

Filesize
64KB

Download