Analytics Story: IcedID

Date: 2021-07-29 ID: 1d2cc747-63d7-49a9-abb8-93aa36305603 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.

Why it matters

IcedId banking trojan campaigns targeting banks and other vertical sectors.This malware is known in Microsoft Windows OS targetting browser such as firefox and chrom to steal banking information. It is also known to its unique payload downloaded in C2 where it can be a .png file that hides the core shellcode bot using steganography technique or gzip dat file that contains "license.dat" which is the actual core icedid bot.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Account Discovery With Net App Domain Account, Account Discovery TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Remote System Discovery with Net Remote System Discovery Hunting
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
CHCP Command Execution Command and Scripting Interpreter TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Create Remote Thread In Shell Application Process Injection TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Disable Defender AntiVirus Registry Disable or Modify Tools, Impair Defenses TTP
Disable Defender BlockAtFirstSeen Feature Disable or Modify Tools, Impair Defenses TTP
Disable Defender Enhanced Notification Disable or Modify Tools, Impair Defenses TTP
Disable Defender MpEngine Registry Disable or Modify Tools, Impair Defenses TTP
Disable Defender Spynet Reporting Disable or Modify Tools, Impair Defenses TTP
Disable Defender Submit Samples Consent Feature Disable or Modify Tools, Impair Defenses TTP
Disable Schedule Task Disable or Modify Tools, Impair Defenses TTP
Disabling Defender Services Disable or Modify Tools, Impair Defenses TTP
Drop IcedID License dat User Execution, Malicious File Hunting
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
FodHelper UAC Bypass Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism TTP
IcedID Exfiltrated Archived File Creation Archive via Utility, Archive Collected Data Hunting
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta TTP
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Share Discovery Via Dir Command Network Share Discovery Hunting
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter TTP
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Remote WMI Command Attempt Windows Management Instrumentation TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 TTP
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 TTP
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Sqlite Module In Temp Folder Data from Local System TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 PluginInit System Binary Proxy Execution, Rundll32 TTP
Windows AdFind Exe Remote System Discovery TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Group Discovery Via Net Permission Groups Discovery, Local Groups, Domain Groups Hunting
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Office Product Loading VBE7 DLL Phishing, Spearphishing Attachment Anomaly
Windows Office Product Spawned Uncommon Process Phishing, Spearphishing Attachment TTP
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Sensitive Group Discovery With Net Permission Groups Discovery, Domain Groups Anomaly
Windows WMI Process Call Create Windows Management Instrumentation Hunting
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5140 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References

Source: GitHub | Version: 1