Analytics Story: IcedID

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.

Why it matters

IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains "license.dat" which is the actual core icedid bot.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Disable Defender MpEngine Registry Disable or Modify Tools TTP
Windows File Download Via PowerShell PowerShell, Ingress Tool Transfer Anomaly
Disable Defender BlockAtFirstSeen Feature Disable or Modify Tools TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 Process Creating Exe Dll Files Rundll32 TTP
Drop IcedID License dat Malicious File Hunting
CMD Carry Out String Command Parameter Windows Command Shell Hunting
Windows PUA Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication Anomaly
Process Creating LNK file in Suspicious Location Spearphishing Link Anomaly
Network Share Discovery Via Dir Command Network Share Discovery Hunting
Suspicious Rundll32 PluginInit Rundll32 TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
Powershell Fileless Script Contains Base64 Encoded Content Obfuscated Files or Information, PowerShell TTP
Sqlite Module In Temp Folder Data from Local System TTP
Suspicious IcedID Rundll32 Cmdline Rundll32 TTP
Disable Defender Enhanced Notification Disable or Modify Tools TTP
IcedID Exfiltrated Archived File Creation Archive via Utility Hunting
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Powershell Using memory As Backing Store PowerShell TTP
Disabling Defender Services Disable or Modify Tools TTP
Eventvwr UAC Bypass Bypass User Account Control TTP
Regsvr32 with Known Silent Switch Cmdline Regsvr32 Anomaly
Suspicious Copy on System32 Rename Legitimate Utilities Anomaly
Disable Defender Spynet Reporting Disable or Modify Tools TTP
Windows WMI Process Call Create Windows Management Instrumentation Hunting
Suspicious Rundll32 dllregisterserver Rundll32 TTP
Windows Office Product Spawned Uncommon Process Spearphishing Attachment TTP
Detect PsExec With accepteula Flag SMB/Windows Admin Shares TTP
Windows Group Discovery Via Net Local Groups, Domain Groups Hunting
Powershell Processing Stream Of Data PowerShell Anomaly
Windows Sensitive Group Discovery With Net Domain Groups Anomaly
Rundll32 DNSQuery Rundll32 TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
FodHelper UAC Bypass Modify Registry, Bypass User Account Control TTP
Suspicious Regsvr32 Register Suspicious Path Regsvr32 TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Windows Uncommon Remote Thread Creation In Browser Process Dynamic-link Library Injection Anomaly
Windows ISO LNK File Creation Malicious Link, Spearphishing Attachment Hunting
Disable Schedule Task Disable or Modify Tools Anomaly
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Disable Defender Submit Samples Consent Feature Disable or Modify Tools TTP
Mshta spawning Rundll32 OR Regsvr32 Process Mshta TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
RunDLL Loading DLL By Ordinal Rundll32 TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Wmic NonInteractive App Uninstallation Disable or Modify Tools Hunting
Disable Defender AntiVirus Registry Disable or Modify Tools TTP
Windows AdFind Exe Remote System Discovery TTP
Windows Office Product Loading VBE7 DLL Spearphishing Attachment Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment Hunting
Create Remote Thread In Shell Application Process Injection TTP
Network Connection Discovery With Arp System Network Connections Discovery Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable
Sysmon EventID 8 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5140 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References


Source: GitHub | Version: 2