icedid | b8c26e94d120e5193d02e67b46313427744398e3654c9c0f43b6e517d89013b4

Analysis

max time kernel
153s
max time network
160s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

statement[2023.10.11_08-07].vbs
Size

1012KB
MD5

c2ed082344dfcd3ef0a19785d7f19bda
SHA1

68e4dccdf926a417d88bd3e17e6d3b93d58f0401
SHA256

b8c26e94d120e5193d02e67b46313427744398e3654c9c0f43b6e517d89013b4
SHA512

e5af5beee7ace860051bfed14f58e8052284e3f51eaa8a8de668b75b37b9459bb4573b22e14caa2c8e207f0ed762ab66a38d1c8d36c225c824b4117caba435f1
SSDEEP

6144:dpMZ7yVsu6JErWErEb1ZcaE+oCZowQlroOdqHvwt5hi4IrOU3RqULOSPOmTLGnkF:3AE+JoGP65hQJRmk0ckVu

Score

10^/10

icedid 361893872 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

361893872

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 6 IoCs

flow	pid	Process
8	2560	rundll32.exe
15	2560	rundll32.exe
17	2560	rundll32.exe
18	2560	rundll32.exe
19	2560	rundll32.exe
20	2560	rundll32.exe

Loads dropped DLL 5 IoCs

pid	Process
1756	regsvr32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe
2560	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2904	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2008	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\CLSID\{811DF81C-8B4C-FBCA-0CCF-88388F8038CC}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\CLSID\{811DF81C-8B4C-FBCA-0CCF-88388F8038CC}\ = 77d3f066cc94139f46ca905f7ac182fdc833e60a56c18d122cc1f2cdc6006e8e48757d582bd82230ec396d43ad2eee383ddc34588ddfcc4d10a9a62bbda708372f0d25b3bfda2da07b7293af001b027e5a1c1dd0b52420f7e5481d77b87fc5f7d578d386aea939ccabb5b162d502bc6e1af2968cf317198da3c30695b42dc4dd17f07237cb5a1b8118612b54ce832fd593903c12c17a321b40ce1d7a54bb057fae813e81cd5a6539c01f72aa9e3ecf8787615fcdf830ba1b74352a22c01cfce863e65d2231594fca18e4f662ae166075d18226950fd018ff979bf5e76a234d19f950e1f0eef671b71dffefe733b0912e0939d51b79543bc51ffee962e75ca173bd1b70a786a497b3ca15e0f13d33d61978d7fbcd	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1756	regsvr32.exe
1756	regsvr32.exe
2560	rundll32.exe
2560	rundll32.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe
Token: 34	1524	WMIC.exe
Token: 35	1524	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1756	1968	WScript.exe	28
PID 1968 wrote to memory of 1756	1968	WScript.exe	28
PID 1968 wrote to memory of 1756	1968	WScript.exe	28
PID 1968 wrote to memory of 1756	1968	WScript.exe	28
PID 1968 wrote to memory of 1756	1968	WScript.exe	28
PID 1756 wrote to memory of 536	1756	regsvr32.exe	31
PID 1756 wrote to memory of 536	1756	regsvr32.exe	31
PID 1756 wrote to memory of 536	1756	regsvr32.exe	31
PID 536 wrote to memory of 2560	536	cmd.exe	33
PID 536 wrote to memory of 2560	536	cmd.exe	33
PID 536 wrote to memory of 2560	536	cmd.exe	33
PID 2560 wrote to memory of 1584	2560	rundll32.exe	34
PID 2560 wrote to memory of 1584	2560	rundll32.exe	34
PID 2560 wrote to memory of 1584	2560	rundll32.exe	34
PID 1584 wrote to memory of 1552	1584	cmd.exe	36
PID 1584 wrote to memory of 1552	1584	cmd.exe	36
PID 1584 wrote to memory of 1552	1584	cmd.exe	36
PID 2560 wrote to memory of 1524	2560	rundll32.exe	37
PID 2560 wrote to memory of 1524	2560	rundll32.exe	37
PID 2560 wrote to memory of 1524	2560	rundll32.exe	37
PID 2560 wrote to memory of 2904	2560	rundll32.exe	39
PID 2560 wrote to memory of 2904	2560	rundll32.exe	39
PID 2560 wrote to memory of 2904	2560	rundll32.exe	39
PID 2560 wrote to memory of 2008	2560	rundll32.exe	41
PID 2560 wrote to memory of 2008	2560	rundll32.exe	41
PID 2560 wrote to memory of 2008	2560	rundll32.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\statement[2023.10.11_08-07].vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0032-1.dll
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll,#1
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp >&2
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1552
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2904
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49a88d37fe6edf2064efaaf03aeb8dd9

SHA1
f0806098a9560b01ebf59a9dc757faac69d039ad

SHA256
22b02e92a8d160b1e5d342fa0ef41b8de0e9e237013e05c1721bd877ae5673b4

SHA512
71e5ac9f50e9376183b4dda8347978da7947f6cdb179cd710f4e71ba433f2b92ad34922565c8bfdb3e137366b1c4e481e8545f5a3b2f268f9e2d5de8fb76baf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82002185e2db330577075f3cc3af3964

SHA1
275a8f19a19c51810f2633d314d9ca163ef8c819

SHA256
2cdd22af15542f932b3fd3360f9cf727bfd57f6e40fe5586de5f955b50f32131

SHA512
aff2d29d1abc1d88777c4a30ce56ee10d5f4c4b749afeb354e2d7da689e342d267c5a8a4d9abab1c2ee1cf7246c13550b68d9aa10ff3160a66dc28f1f7285b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE542.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9510.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
C:\windows\Temp\0032-1.dll

Filesize
328KB

MD5
4b3c2e2d48aba0bd9134ed0e00141b20

SHA1
983d47177b89e60eb5b7ef44278488498fef1ca9

SHA256
1a1003809be62be21b86d24bb2f6917fa4bbdb189657ad266bfd5b7078a16811

SHA512
73a4cbb558c6dff738bd1455c951032941215dca01168663a7f1f571a4d25c1f4bf86d644a6fdb1e1309eed7f69a0224a4411fa34b017705a06b19cac513ef0b

Download Submit
\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
\Users\Admin\AppData\Roaming\Loibugbd2\nohukoacte2.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
\Windows\Temp\0032-1.dll

Filesize
328KB

MD5
4b3c2e2d48aba0bd9134ed0e00141b20

SHA1
983d47177b89e60eb5b7ef44278488498fef1ca9

SHA256
1a1003809be62be21b86d24bb2f6917fa4bbdb189657ad266bfd5b7078a16811

SHA512
73a4cbb558c6dff738bd1455c951032941215dca01168663a7f1f571a4d25c1f4bf86d644a6fdb1e1309eed7f69a0224a4411fa34b017705a06b19cac513ef0b

Download Submit
memory/1756-23-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/1756-21-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/1756-4-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/1756-3-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/2560-37-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-38-0x00000000001C0000-0x000000000020F000-memory.dmp

Filesize
316KB

Download
memory/2560-31-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-36-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-59-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-58-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-61-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-60-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-69-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/2560-30-0x00000000001C0000-0x000000000020F000-memory.dmp

Filesize
316KB

Download
memory/2560-108-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download