icedid | 0fb7388c69ef9d2d892e6edc7eff8c86ce6f6659c88d347234acaa1a382e22ba

Analysis

max time kernel
1136s
max time network
1137s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
14-02-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db7cd6d0f75ddf78e0e6e09119d9071df07b50ef3f5289d474921adba4f35047.iso
Size

2.1MB
MD5

bdd4128c92d89cccfc0ac99c04a2a7bd
SHA1

8a10896b54bc29bebd08e791a9c9de294c01913a
SHA256

db7cd6d0f75ddf78e0e6e09119d9071df07b50ef3f5289d474921adba4f35047
SHA512

390c9810a6aa3f0c387ef4a20d463c69db0e689b6a2226846a5ca4d66a4759d7ad14551a844589d1df4a9b8e1f10eaf28953005b687b5c20911a36b4e4238073
SSDEEP

12288:UiHw0sbzwD4FwpH5qCwfwM+A5n5RwUwjwEQwJw+wXcdwnTwuwJwxewGw90wHwMwk:UV

Score

10^/10

icedid 612758225 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

612758225

pildofraften.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

356 rundll32.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.execmd.exe

description ioc process

File opened (read-only) \??\E: cmd.exe
File opened (read-only) \??\E: cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

356 rundll32.exe
356 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 292 cmd.exe
Token: SeManageVolumePrivilege 292 cmd.exe

pid	process
356	rundll32.exe

description	ioc	process
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1364394410-760759377-2797241167-1000_Classes\Local Settings	cmd.exe

pid	process
356	rundll32.exe
356	rundll32.exe

description	pid	process
Token: SeManageVolumePrivilege	292	cmd.exe
Token: SeManageVolumePrivilege	292	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4552 wrote to memory of 1316	4552	cmd.exe	xcopy.exe
PID 4552 wrote to memory of 1316	4552	cmd.exe	xcopy.exe
PID 4552 wrote to memory of 356	4552	cmd.exe	rundll32.exe
PID 4552 wrote to memory of 356	4552	cmd.exe	rundll32.exe
PID 1400 wrote to memory of 3276	1400	cmd.exe	xcopy.exe
PID 1400 wrote to memory of 3276	1400	cmd.exe	xcopy.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\db7cd6d0f75ddf78e0e6e09119d9071df07b50ef3f5289d474921adba4f35047.iso
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\hey\twelfth.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\system32\xcopy.exe
  xcopy /s /i /e /h hey\superstring.dll C:\Users\Admin\AppData\Local\Temp\*
  2⤵
  PID:1316
- C:\Windows\system32\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\superstring.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\hey\twelfth.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\system32\xcopy.exe
  xcopy /s /i /e /h hey\superstring.dll C:\Users\Admin\AppData\Local\Temp\*
  2⤵
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\superstring.dll

Filesize
728KB

MD5
293b6dc3360e7be05e35e28cc4201e47

SHA1
7d2877e3eedd5b8d366b2fe44a117a9111c3d30a

SHA256
645e011080488d4f5c14d217f5571372e7939c50a3568021cf9d434cf6f5f439

SHA512
fb9222361b530d8a279a8e1a6342b3f71f4de9674e1f904608a86e43b6641e07a8afcfd77df0ec4c7d8f4801b408fe10be20a8cc29b3f972287ff948674c881d

Download Submit
memory/356-5-0x000002D08DA70000-0x000002D08DA76000-memory.dmp

Filesize
24KB

Download
memory/356-6-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download