icedid | 93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3

General

Target

93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3_JC.vbs
Size

1012KB
MD5

4c985d2908c33310a62a43655daecd1a
SHA1

9cb3bc3f35e7b3ae8ffd9d65522391b1ee1ca816
SHA256

93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3
SHA512

d0970cae134b4450ae93cd15bf3a91c277503c9fa7700cd551498a0ccb3e9917508b3c30c218ff3363e19cce58e43594f2261f5aeb686041bb27fe7653cad35f
SSDEEP

6144:WcbBAYe11DSXXc6iD5mhg19cDproukuwHlqwYxTpu36+sFkA390SY1J5kdazfPgo:DK4gV1SAkTxTpsu3uJ2oyAUB/0

Score

10^/10

icedid 361893872 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

361893872

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 7 IoCs

flow	pid	Process
42	3964	rundll32.exe
43	3964	rundll32.exe
45	3964	rundll32.exe
47	3964	rundll32.exe
49	3964	rundll32.exe
57	3964	rundll32.exe
59	3964	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 3 IoCs

pid	Process
4076	regsvr32.exe
3964	rundll32.exe
4216	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{77C6D694-E92A-D702-B889-F88C503F6DD8}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{77C6D694-E92A-D702-B889-F88C503F6DD8}\ = 838d275cefba9cdfa61af89344b81736961452b013221d4ad8d77903298cb067e5ca3d38bbe096ce6bfbf28b819059c22a56fb86688a67017e7093824e7dddec4d1c2eafa9dfaee29a631ce37e5e7f19862a969caf21257425a80d7fb4c1b0aa22d2e08ca32074a1f6c0b86157435d3fb39d789d6aa25ceef5b842eb5371526663ae05fde828729c1d6028544ec38f254b44a651e7e96af79ea98db2e8fd285022cf974ca033385851a486b4898434c164f19721568d7bba037d56b805ff6ea18e7909f81ae7f870af9ea18831c0797edf8d18a0f2772a4023a1823dcd11c6552375d49ba21460ae08fa6c2512c17ab25be0fe652ebe6463ae853dc8d85aa0f47d3b40cf8a2656d23bbc1be3343c58d4e5929e9e	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4076	regsvr32.exe
4076	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4076	5028	WScript.exe	83
PID 5028 wrote to memory of 4076	5028	WScript.exe	83
PID 4076 wrote to memory of 1960	4076	regsvr32.exe	93
PID 4076 wrote to memory of 1960	4076	regsvr32.exe	93
PID 1960 wrote to memory of 3964	1960	cmd.exe	95
PID 1960 wrote to memory of 3964	1960	cmd.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3_JC.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0291-1.dll
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll,#1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll,#1
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Modifies registry class
      PID:3964

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll",#1
1⤵
- Loads dropped DLL
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
978941f4914e6a7648a4ce856004f60c

SHA1
4a61256d35fa686f053c4a3332381b01a80d1f74

SHA256
928a676a762a83b4f93d93e05f67fd213a115018b1b1c7345b234f5e10ece287

SHA512
50f5a78de0fb85e5a0301ab82550aa6e7f41bcc3f5b9c513b9a0cbcf1f7b6c954455006b9d486fc7fb2dc4e3b5653b0217e0c5312d90a29bf58923632b97acc5

Download Submit
C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll

Filesize
556KB

MD5
002c64d47bf8c0878ac8ec2b4740f682

SHA1
acc44c89420270083de7d67b025748a4b98071ed

SHA256
b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1

SHA512
80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

Download Submit
C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll

Filesize
556KB

MD5
002c64d47bf8c0878ac8ec2b4740f682

SHA1
acc44c89420270083de7d67b025748a4b98071ed

SHA256
b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1

SHA512
80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

Download Submit
C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll

Filesize
556KB

MD5
002c64d47bf8c0878ac8ec2b4740f682

SHA1
acc44c89420270083de7d67b025748a4b98071ed

SHA256
b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1

SHA512
80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

Download Submit
C:\Windows\Temp\0291-1.dll

Filesize
328KB

MD5
18e3ba07f71f96cd6f174846f607bc4e

SHA1
6e263fec38683f76f5b8c5c53eea1b333d7dbd8f

SHA256
226faebe0332ae4972d6bbc0e99553b4875322fb4336dfe3e42462d4c3624e79

SHA512
33010f0eaef846be5143e30cd307c61c36e3c34c04ee4380539caa63dec62854a3a7881ef1881ecc38ff6680bdcafde98e175e218bb1e8b4cd197742f396929a

Download Submit
C:\windows\Temp\0291-1.dll

Filesize
328KB

MD5
18e3ba07f71f96cd6f174846f607bc4e

SHA1
6e263fec38683f76f5b8c5c53eea1b333d7dbd8f

SHA256
226faebe0332ae4972d6bbc0e99553b4875322fb4336dfe3e42462d4c3624e79

SHA512
33010f0eaef846be5143e30cd307c61c36e3c34c04ee4380539caa63dec62854a3a7881ef1881ecc38ff6680bdcafde98e175e218bb1e8b4cd197742f396929a

Download Submit
memory/3964-18-0x000002899B260000-0x000002899B2AC000-memory.dmp

Filesize
304KB

Download
memory/3964-13-0x000002899B260000-0x000002899B2AC000-memory.dmp

Filesize
304KB

Download
memory/3964-12-0x000002899B1C0000-0x000002899B20F000-memory.dmp

Filesize
316KB

Download
memory/3964-19-0x000002899B260000-0x000002899B2AC000-memory.dmp

Filesize
304KB

Download
memory/3964-20-0x000002899B1C0000-0x000002899B20F000-memory.dmp

Filesize
316KB

Download
memory/3964-26-0x000002899B260000-0x000002899B2AC000-memory.dmp

Filesize
304KB

Download
memory/3964-27-0x000002899B260000-0x000002899B2AC000-memory.dmp

Filesize
304KB

Download
memory/3964-29-0x000002899B260000-0x000002899B2AC000-memory.dmp

Filesize
304KB

Download
memory/4076-8-0x0000000000AB0000-0x0000000000ABD000-memory.dmp

Filesize
52KB

Download
memory/4076-4-0x0000000000AB0000-0x0000000000ABD000-memory.dmp

Filesize
52KB

Download
memory/4216-31-0x0000021D7D940000-0x0000021D7D98F000-memory.dmp

Filesize
316KB

Download
memory/4216-32-0x0000021D7DB00000-0x0000021D7DB4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing