icedid | d0869ecff3322c6bc1c1d7cdbafa4425ed30f06ffa405f2a813d1231b0a86c60

Analysis

max time kernel
151s
max time network
188s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
01-04-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0869ecff3322c6bc1c1d7cdbafa4425ed30f06ffa405f2a813d1231b0a86c60.msi
Size

1.1MB
MD5

fc55f67e162226b3a95a8dd1aac2e710
SHA1

aa3a9a40c5dcfbac8a89ff2b466d09439d78b9f1
SHA256

d0869ecff3322c6bc1c1d7cdbafa4425ed30f06ffa405f2a813d1231b0a86c60
SHA512

83bf848ad2506cb0498a1f6159cae1003c3f998b657e9d8b40d012cbbc8eaf57440d1969348dd41a1e9f37b50d5e4707bced446b30b9bafb400ba8045210b534
SSDEEP

24576:QHL0e3k4usYYqbczfGtm4fSpHZ4LHpt0:Qr0e3kFzczfKmUSpgY

Score

10^/10

icedid 2564808981 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2564808981

statifaronta.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	4800	msiexec.exe
4	4800	msiexec.exe
6	4800	msiexec.exe
8	4800	msiexec.exe
13	4800	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5717.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5717.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5717.tmp-\WixSharp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e585484.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E72A1E5A-06AE-4ED4-BFE6-9268D8D82C90}	msiexec.exe
File created	C:\Windows\Installer\e585486.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5717.tmp-\test.cs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5717.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\e585484.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5639.tmp	msiexec.exe

Loads dropped DLL 3 IoCs

pid	Process
4720	MsiExec.exe
2164	rundll32.exe
1716	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2824	msiexec.exe
2824	msiexec.exe
1716	rundll32.exe
1716	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4800	msiexec.exe
Token: SeSecurityPrivilege	2824	msiexec.exe
Token: SeCreateTokenPrivilege	4800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4800	msiexec.exe
Token: SeLockMemoryPrivilege	4800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4800	msiexec.exe
Token: SeMachineAccountPrivilege	4800	msiexec.exe
Token: SeTcbPrivilege	4800	msiexec.exe
Token: SeSecurityPrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeLoadDriverPrivilege	4800	msiexec.exe
Token: SeSystemProfilePrivilege	4800	msiexec.exe
Token: SeSystemtimePrivilege	4800	msiexec.exe
Token: SeProfSingleProcessPrivilege	4800	msiexec.exe
Token: SeIncBasePriorityPrivilege	4800	msiexec.exe
Token: SeCreatePagefilePrivilege	4800	msiexec.exe
Token: SeCreatePermanentPrivilege	4800	msiexec.exe
Token: SeBackupPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeShutdownPrivilege	4800	msiexec.exe
Token: SeDebugPrivilege	4800	msiexec.exe
Token: SeAuditPrivilege	4800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4800	msiexec.exe
Token: SeChangeNotifyPrivilege	4800	msiexec.exe
Token: SeRemoteShutdownPrivilege	4800	msiexec.exe
Token: SeUndockPrivilege	4800	msiexec.exe
Token: SeSyncAgentPrivilege	4800	msiexec.exe
Token: SeEnableDelegationPrivilege	4800	msiexec.exe
Token: SeManageVolumePrivilege	4800	msiexec.exe
Token: SeImpersonatePrivilege	4800	msiexec.exe
Token: SeCreateGlobalPrivilege	4800	msiexec.exe
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe
Token: SeBackupPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4800	msiexec.exe
4800	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4444	2824	msiexec.exe	77
PID 2824 wrote to memory of 4444	2824	msiexec.exe	77
PID 2824 wrote to memory of 4720	2824	msiexec.exe	79
PID 2824 wrote to memory of 4720	2824	msiexec.exe	79
PID 4720 wrote to memory of 2164	4720	MsiExec.exe	80
PID 4720 wrote to memory of 2164	4720	MsiExec.exe	80
PID 2164 wrote to memory of 1716	2164	rundll32.exe	81
PID 2164 wrote to memory of 1716	2164	rundll32.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d0869ecff3322c6bc1c1d7cdbafa4425ed30f06ffa405f2a813d1231b0a86c60.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4444
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 5EBA130CA8CD65942BCAB962DB4ABF56
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5717.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670656 2 test.cs!NSABX.GGMLP.XNPNKL
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\MSIb1dea595.msi",init
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e585485.rbs

Filesize
8KB

MD5
24eccbc8f6b895a3722e63de0d8f8efb

SHA1
155caf2498dd8f70fb279df8522d616a1543cf9d

SHA256
a42c0a312c3f55d94c4106a08194dee6c23e9a436b1bff67892edbb817f64176

SHA512
8741ba396a1b73084669ce5a43b0e270f38295b5f5c51f0199bc748c1e3b1e6ab43702e6c46aec5a907469245a345034ef58ea60cb0eafffe9bf2de94d730984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
719B

MD5
28bc19a7cc607d718102b84fc9f09871

SHA1
39d1445b8267f6c64398dbdc3b36cb8bf61779ee

SHA256
2182af4e3be8732f98cb14244373d1eb042f40b516f2a4fae039b0c4f536159d

SHA512
dcc21b668fdb55133ca0fe88530be15a312f59b968842a2f9ab1a5530cdf0a74e5c01efdd5ba5832452a4b0e24a0b4088521b2bf8ccd33efdfbeec60c9eede50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D451DDCFFF94F1A6B8406468FA3558_E4A7C6A10F816F002B00DE3B58B7E44E

Filesize
1KB

MD5
6f9f3a03af8c0c165944f9bf82aa6edf

SHA1
69ceee6cc3cac7bfcd9ad142c5f10eb061824f9d

SHA256
d0f53e97b28a67869526fe27d284d292bfcf1ac36e7d1869165fc3e9b08d4f0a

SHA512
081a26310d2b6e5f5bdd4e888c7d1af9c5d06a6cb9a306dacfb7b81bb916744f5dee818a32cc206e28d37622ee034bb2e28f1b82eb99462b0df75fa443eccf3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D682FDDA10064185EC8111DC39DBA8EC

Filesize
61KB

MD5
9200192b796fed827e6c07496fc51a60

SHA1
e32e0df7df10e21ab5983c13a8c36febac265eee

SHA256
5235e39c84ddc4b79c39f0e0b325109d48bdf7288db2186b0d642b93093784b3

SHA512
fe960af63bb9f5a6b56cba4b900121d16c862c0c2b4b8a0feffde35e7adcd5493966092a9ef3154b5e1544ec4513ab08933528414cc815229a568a1f4662c062

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
446B

MD5
29e1f0924032aacc22032e04f2a105a4

SHA1
0a0dec3679d2fcd5227bcd655972c7b5c04940d3

SHA256
3fc3f9d32e0f59976f4ea2746d361c5e3b004bb8db1f27aa7b90e882a5fe78fe

SHA512
2c734163f28813b1abf30c6e1f09f14ac219219ec26fd1ca4fc29c07b2d27247fc00ce1a1fb42a5538b5f4beae03b580ea5e969970bc9922dccf3b81d7189186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D451DDCFFF94F1A6B8406468FA3558_E4A7C6A10F816F002B00DE3B58B7E44E

Filesize
406B

MD5
88812b5b6657828cb09e341f945eba21

SHA1
d9bbdf464a20863ec89f42286506a34cd007b7ae

SHA256
58408ef5a90b9e8687328961a6e2d1a92feb7c20383c22d083ab3c4dde6b474f

SHA512
8cafc3ec51d6c613b8ab8c527ac642b8844abbb62ae734f3de4196a58684320c8f7698cbe27b973feb37bcc9f077072277e5bf5ead97c9f53a1e74067335eff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D682FDDA10064185EC8111DC39DBA8EC

Filesize
308B

MD5
8caf8b9578aa1158d4170ca0f9598446

SHA1
dccfc2422e1570b66e464e46bb0d081f0fceb4b3

SHA256
62248c588b8900c54744a4a2925a6046e703197d987404e2799d7963b572fa6f

SHA512
c8dc2cf3700736629188dd180bfa439f9801b873df015464a6d42d7ea7b3f61307d3c061b1c1b2b6bc732b36afd56cc837537d01cb678cf6ff6297d769eccc40

Download Submit
C:\Users\Admin\AppData\Local\MSIb1dea595.msi

Filesize
646KB

MD5
dfaaf702617758487532bc9cd2a7d356

SHA1
0dfd82d2943b12771164b3980c102e3e00b21f70

SHA256
7b685ee2e18f37b07a399452823906151a01dc8ddc1919622533933da62c7749

SHA512
997cb6c933591e864a72585d98ae18f1e3af80ceb2b0947c09227012a88042c052ea13447f1edcc425143cb663f0ae5764310fc8bfc9706cd30bf39585a8ae82

Download Submit
C:\Windows\Installer\MSI5717.tmp

Filesize
413KB

MD5
a5fd0398b4f7d63297ffb0f368ad7438

SHA1
fd47c421627e766d6740bd24eeba1d4ea1829034

SHA256
4b2ef292a663f221e8b9e4bec787a299150ef5b4b33a6b43e2321d81aa1d8d95

SHA512
722441e955202e1f30747facd78f32d7d3c17a740e6f0421e024369b552b39d1210421c89cf93a3dca297a010fa9b18574a4c7f9b0eeb2eddbb7ff2713482160

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
b1b65e1a9cfb792baf06b4cace93b53f

SHA1
a0c4a1300bf13059ecaf5754e7d59a382da26847

SHA256
c5e5b293a4bd9e5e7deb2c293ca3885cb5dffcacafe5b7b0ea7f7091e5b7aafd

SHA512
d5a7359ba693903a77586188de259c308bb563efcbadb5367b11a3d1434b3dd8d481f4b73fbc8d74e4f2d879db7d74f407dc4ddfa9bcf5e57162c680c83db138

Download Submit
\??\Volume{357a2a78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c246fa17-a263-44b2-8073-289b28f05c08}_OnDiskSnapshotProp

Filesize
5KB

MD5
fd4eefed80b16ff613ef204bf81be847

SHA1
e068471338056270eb49772c5ef71de7e5f521de

SHA256
b5e747b44142506473f9a14f367dbced3ad43e29381a10b0406109f48973968f

SHA512
c87743c2f48f3e50927d16e2635f985611429482f652b6940be2d8c0de8eeef48835d73702882a588c51d6a6ad2e924b0c2ca24bdee8487d063ecdd5244abb34

Download Submit
memory/1716-110-0x000001FAAF8F0000-0x000001FAAF8F4000-memory.dmp

Filesize
16KB

Download
memory/1716-96-0x000001FAAF8F0000-0x000001FAAF8F4000-memory.dmp

Filesize
16KB

Download
memory/1716-99-0x000001FAAF900000-0x000001FAAF909000-memory.dmp

Filesize
36KB

Download
memory/2164-71-0x00000121F07E0000-0x00000121F07F0000-memory.dmp

Filesize
64KB

Download
memory/2164-74-0x00000121F07E0000-0x00000121F07F0000-memory.dmp

Filesize
64KB

Download
memory/2164-75-0x00000121F07E0000-0x00000121F07F0000-memory.dmp

Filesize
64KB

Download
memory/2164-73-0x00000121F07E0000-0x00000121F07F0000-memory.dmp

Filesize
64KB

Download
memory/2164-94-0x00007FFAB95E0000-0x00007FFAB9FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-72-0x00000121F07E0000-0x00000121F07F0000-memory.dmp

Filesize
64KB

Download
memory/2164-70-0x00007FFAB95E0000-0x00007FFAB9FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-69-0x00000121F06D0000-0x00000121F0740000-memory.dmp

Filesize
448KB

Download
memory/2164-67-0x00000121D80B0000-0x00000121D80BA000-memory.dmp

Filesize
40KB

Download
memory/2164-62-0x00000121D80E0000-0x00000121D810E000-memory.dmp

Filesize
184KB

Download