icedid | 12a8c191d20c1f29213eca2789ac26feef1aa927f31758adefd0db768e35a3f3

General

Target

69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll
Size

70KB
MD5

3f031c12c95a4b52b74e08d4b0d76830
SHA1

3a6443c08d8233b4e62e3ab47950061620225e75
SHA256

69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2
SHA512

ab271d995c7de00466cd8a84dc5f63b25ec866bd0c61ba0decfaa951091718bf9a35412b7b14ec046fb131d7641bcb73486f524820fd9d3d29413ce03a2e2d71
SSDEEP

1536:iXUu70LgnxWl7f/3jWCgiMthg8Mi3lHg9gIgmfgCjMiAOqTu/+vXWPbge96Lr4hH:iwL6W5fPKCNAXMixmHBfFzmu/mAbgwzh

Score

10^/10

icedid 497724135 banker loader trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

icedid

Campaign

497724135

C2

ovedfromasi.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4080	4672	rundll32.exe	82

Blocklisted process makes network request 1 IoCs

flow	pid	Process
22	4080	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4672	EXCEL.EXE
4672	EXCEL.EXE
4080	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4672	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	rundll32.exe
4080	rundll32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE
4672	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4080	4672	EXCEL.EXE	86
PID 4672 wrote to memory of 4080	4672	EXCEL.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 C:\Users\Admin\JetBrainsdotK.dll , DllGetClassObject
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2.xll

Filesize
70KB

MD5
3f031c12c95a4b52b74e08d4b0d76830

SHA1
3a6443c08d8233b4e62e3ab47950061620225e75

SHA256
69e2bc37da2c8a6f25fce37a024aca628f8216cb0ddcf70e1e55766eae011bf2

SHA512
ab271d995c7de00466cd8a84dc5f63b25ec866bd0c61ba0decfaa951091718bf9a35412b7b14ec046fb131d7641bcb73486f524820fd9d3d29413ce03a2e2d71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
fdf69aba5137783beae38241a86a9503

SHA1
904a1b3b90a72a8abf2265aae7b7a2ede81f18dc

SHA256
3121babdcff0c2e3ded69bebeda4f4d85bb0973226a9521393c49038c525a015

SHA512
d029ad3107f445c9feb140b3cbaefec86c3740908a2ebc558fb9391b67996f573f46ea7bc49c8249b3789fdad0541058da42efb9f592af40a233dcafad6514f2

Download Submit
C:\Users\Admin\JetBrainsdotK.dll

Filesize
38KB

MD5
e0eb5ee1877137874ffa2da89ea711a4

SHA1
7be7d4eab05c0070ece0ca1e54b183829b227588

SHA256
33656b2710aa5d69afa7402f050b8f812923743f86a5bf4d1f22f8ce29be7179

SHA512
ca47e2a86edecffa9c6250d98750f7a49530dbea2bcff74678ab43d38410b2b3fdf8ea5b69bc656472ab3915fd225ff5ade64b3699d182075ed94155a56ec215

Download Submit
memory/4080-47-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4080-34-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4080-33-0x00000247DC200000-0x00000247DC263000-memory.dmp

Filesize
396KB

Download
memory/4672-7-0x00007FFA751D0000-0x00007FFA751E0000-memory.dmp

Filesize
64KB

Download
memory/4672-1-0x00007FFAB51ED000-0x00007FFAB51EE000-memory.dmp

Filesize
4KB

Download
memory/4672-9-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-8-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-10-0x00007FFA72C40000-0x00007FFA72C50000-memory.dmp

Filesize
64KB

Download
memory/4672-11-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-12-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-15-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-14-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-13-0x00007FFA72C40000-0x00007FFA72C50000-memory.dmp

Filesize
64KB

Download
memory/4672-16-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-6-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-5-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-0-0x00007FFA751D0000-0x00007FFA751E0000-memory.dmp

Filesize
64KB

Download
memory/4672-2-0x00007FFA751D0000-0x00007FFA751E0000-memory.dmp

Filesize
64KB

Download
memory/4672-35-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-36-0x00007FFAB51ED000-0x00007FFAB51EE000-memory.dmp

Filesize
4KB

Download
memory/4672-37-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-38-0x00007FFAB5150000-0x00007FFAB5345000-memory.dmp

Filesize
2.0MB

Download
memory/4672-4-0x00007FFA751D0000-0x00007FFA751E0000-memory.dmp

Filesize
64KB

Download
memory/4672-3-0x00007FFA751D0000-0x00007FFA751E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads