Try in Splunk Security Cloud
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-07-29
- Author: Teoderick Contreras, Splunk
- ID: 1d2cc747-63d7-49a9-abb8-93aa36305603
Narrative
IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains “license.dat” which is the actual core icedid bot.
Detections
| Name |
Technique |
Type |
| Account Discovery With Net App |
Domain Account, Account Discovery |
TTP |
| CHCP Command Execution |
Command and Scripting Interpreter |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Create Remote Thread In Shell Application |
Process Injection |
TTP |
| Disable Schedule Task |
Disable or Modify Tools, Impair Defenses |
TTP |
| Drop IcedID License dat |
User Execution, Malicious File |
Hunting |
| Eventvwr UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| FodHelper UAC Bypass |
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| IcedID Exfiltrated Archived File Creation |
Archive via Utility, Archive Collected Data |
Hunting |
| Mshta spawning Rundll32 OR Regsvr32 Process |
Signed Binary Proxy Execution, Mshta |
TTP |
| NLTest Domain Trust Discovery |
Domain Trust Discovery |
TTP |
| Office Application Spawn Regsvr32 process |
Phishing, Spearphishing Attachment |
TTP |
| Office Application Spawn rundll32 process |
Phishing, Spearphishing Attachment |
TTP |
| Office Document Executing Macro Code |
Phishing, Spearphishing Attachment |
TTP |
| Office Product Spawning MSHTA |
Phishing, Spearphishing Attachment |
TTP |
| Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
| Regsvr32 with Known Silent Switch Cmdline |
Signed Binary Proxy Execution, Regsvr32 |
Anomaly |
| Rundll32 Create Remote Thread To A Process |
Process Injection |
TTP |
| Rundll32 CreateRemoteThread In Browser |
Process Injection |
TTP |
| Rundll32 DNSQuery |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Process Creating Exe Dll Files |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Schedule Task with Rundll32 Command Trigger |
Scheduled Task/Job |
TTP |
| Sqlite Module In Temp Folder |
Data from Local System |
TTP |
| Suspicious IcedID Rundll32 Cmdline |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious Rundll32 PluginInit |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
Reference
source | version: 1