icedid | 09a537a7c4bed33cfb33ae7d7b5360b52e6c1396a893b67b5e71acc28e3f74c2

Resubmissions

04/08/2023, 02:06

230804-cjk49aab2t 10

04/08/2023, 02:05

230804-ch1hjsha28 3

Analysis

max time kernel
145s
max time network
136s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
04/08/2023, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d.dll
Size

527KB
MD5

60f8d1993043c054e0ddb91e11fc184f
SHA1

80d274ff4278baff08418d48c647c8c0604db3ab
SHA256

09a537a7c4bed33cfb33ae7d7b5360b52e6c1396a893b67b5e71acc28e3f74c2
SHA512

007d9ed82a9cb612882afa70f9482d078f7612e913fd6f4b351307b37c5eaaededaf5b1a2aa1ba0a2ebc48888a475b168b5ea2ad3ef1c35a883daf8ece9f795b
SSDEEP

12288:jymcE1WefvUdDpWcc/9scDp6MGuXxGSthFLEXCRF3MK:e6fvUdDp0/9sY6MGuFoCRF3MK

Score

10^/10

icedid 43832328 banker loader persistence trojan

Malware Config

Extracted

Family

icedid

Campaign

43832328

ospertoolsbo.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
1220	Process not Found
1220	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
924	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
472	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe
Token: SeShutdownPrivilege	924	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe
924	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 472	2728	cmd.exe	34
PID 2728 wrote to memory of 472	2728	cmd.exe	34
PID 2728 wrote to memory of 472	2728	cmd.exe	34

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d.dll,#1
1⤵
PID:2100

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2884

C:\Windows\system32\cmd.exe
"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\rundll32.exe
  rundll32 d.dll, vcab /k chitos7685
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:472

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-54-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download
memory/924-65-0x000007FEF6260000-0x000007FEF63A3000-memory.dmp

Filesize
1.3MB

Download
memory/924-66-0x000007FF377E0000-0x000007FF377EA000-memory.dmp

Filesize
40KB

Download
memory/924-67-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/924-68-0x000007FEF6260000-0x000007FEF63A3000-memory.dmp

Filesize
1.3MB

Download
memory/924-69-0x000007FF377E0000-0x000007FF377EA000-memory.dmp

Filesize
40KB

Download
memory/924-70-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1220-55-0x0000000076ED2000-0x0000000076ED3000-memory.dmp

Filesize
4KB

Download
memory/1220-56-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1220-63-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1220-64-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download