# Detecting IcedID... Could It Be A Trickbot Copycat? **[splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html](https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html)** SECURITY November 4, 2021 By [Splunk Threat Research Team November 04, 2021](https://www.splunk.com/en_us/blog/author/secmrkt-research.html) IcedID is a [banking trojan, it is designed to be stealthy and built to collect financial information.](https://www.investopedia.com/terms/b/banker-trojan.asp) IcedID harvests user credentials and banking sessions to commit financial crimes, including carding, money laundering, and transferring of funds to foreign financial institutions. In recent research published by Splunk Threat Research Team (STRT) the inclusion of cryptocurrency exchange ----- [information was also included by Trickbot in the web inject code. IcedID shares many of the same](https://www.splunk.com/en_us/blog/security/detecting-trickbots.html) [payloads featured in Emotet or](https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action) [Trickbot and in some cases, IcedID has been observed downloading](https://securityintelligence.com/news/banking-trojans-trickbot-and-iceid-partner-for-distribution-and-development/) Emotet or Trickbot, as a way to provide operators a way to use diverse carriers as well. IcedID targets financial institutions across different countries including banks, payment card providers, and e-commerce sites. IcedID has also been observed deployed in conjunction with other [malware payloads such as Valak,](https://blogs.infoblox.com/cyber-threat-intelligence/valak-downloader-infostealer-delivers-icedid-banking/) [Qakbot,](https://www.bleepingcomputer.com/news/security/qbot-malware-is-back-replacing-icedid-in-malspam-campaigns/) [Conti Ransomware. It is clear from studying past](https://thedfirreport.com/2021/05/12/conti-ransomware/) campaigns that the actors behind IcedID have expanded beyond banking information in order to extend similar features and coverage as other popular carriers such as Emotet or trickbot and by doing so current iterations of IcedID look more like a copycat or maybe even a successor. ## Spear Phishing Documents In a [recent campaign, malicious actors were observed using a document builder to simulate](https://www.jdsupra.com/legalnews/docusign-alert-new-malicious-hacking-5278845/) [legitimate DocuSign documents and embedding exploitation code for CVE-2017-8570 to trigger the](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-8570) installation of IcedID. These documents were delivered via spear-phishing technique. Below is the screenshot of the phishing campaign (Word and Excel) that will download the IcedID downloader as soon as the user runs the malicious macro document in the targeted host. ----- This malicious document will download the IcedID loader then drop it as a “.sys” or “.jpg” file and execute it using regsvr32.exe windows application with “-s” parameter like the screenshot below. ----- Other exploitation vectors include running an obfuscated HTML application (.hta) to download the DLL loader as a .jpg file then execute it with rundll32.exe windows application with the “PluginInit” parameter. Below is the screenshot of the macro code that executes the .hta file and the deobfuscated .hta script shows how it downloads and executes the first payload. ----- ## IcedID Initial Downloader (Stage 1) The initial IceID loader binary will decrypt another .dll file in memory to download the 2nd stage payload (png or .dat) files. This is done by initially connecting to aws.amazon.com to check the internet connection and to prepare its initial C2 communication. ----- ## IcedID Payload Loader - PhotoLoader and “License.dat” decrypter) (Stage 2) Once the second stage payload is downloaded, It will load a shellcode or headless executable file which is the main IcedID bot. This shellcode can be extracted either in .png file format (payload obfuscated by steganography) or gzip payload format containing a “license.dat” file. The next code snippet below shows the .dll in memory locating the .png payload in a randomly generated directory based on the user name of the compromised machine created in either %appdata% or “C:\Programdata”. If the .png file payload is found in either of those two folder paths, it will decrypt the shellcode from the image file if not it tries to download from the C&C server. For the gzip file, It uses a similar code to locate the “license.dat” payload, aside from having an additional parameter check “/i” in the syntax line, as seen in the screenshot below. ----- ## IcedID .PNG Steganography and “License.dat” Payload The PNG payload uses steganography to hide the shellcode inside the PNG. The encrypted shellcode and the 8 bytes rc4 decryption keys are placed in the IDAT chunk type structure of the [PNG header file. A python script was developed (IceIdPNGShellcodeExtractor.py) to automatically](https://github.com/tccontre/KnowledgeBase/tree/main/malware_re_tools/iceid_stego_shell_decryptor) extract the shellcode on the said payload. For the “license.dat” IcedID payload, it will decrypt it using its customized decryption algorithm using its last 16 bytes as the decryption key. In this case, the [IceIdDecrypt.py tool can be used to decrypt](https://github.com/BinaryDefense/IcedDecrypt) license.dat and do a static analysis of the file. ## IcedID Core/Main Bot (Stage 3) The shellcode or the core IcedID BOT will be injected in either spawned svchost.exe system processor in msiexec.exe or within the memory space of a rundll32 process that loads the .dll shellcode decryptor. After that, it will hook some native API, create a mutex as a mark of its infection, and make sure only one instance is running. Below are other notable behaviors seen in this main bot. ### Hook Browser: This shellcode will try to hook common browsers like firefox and chrome to steal credentials, cookies, and sessions saved. The screenshot below shows what it looks like in firefox and chrome browsers in the compromised machine. ### Desktop Screenshots: This code displays the ability to take screenshots of the desktop window of the compromised host. This bitmap image file format will be saved in the temp folder with a .tmp file extension to blend on normal .tmp files activities. ----- ### Passff.tar and cookie.tar It will also create files named “passff.tar” for the browser history and “cookie.tar” for the browser cookies that may contain stolen browser information. ### Stealing Browser Information IcedID will also download and load a “sqlite64.dll” in the %temp% folder that will be needed for parsing firefox and chrome browser database to extract information. Below are SQLite commands decrypted in the shellcode to harvest autofill information from browser .db like cookies, password, company_name, street_address, city, state, zip code, country_code, phone number, user full name, and credit card information. SELECT host_key, path, is_secure, (case expires_utc when 0 then 0 else (expires_utc / 1000000) - 11644473600 end), name, length(encrypted_value), encrypted_value FROM cookies ----- SELECT name, value FROM autofill SELECT guid, company_name, street_address, city, state, zipcode, country_code FROM autofill_profiles SELECT guid, number FROM autofill_profile_phones SELECT guid, first_name, middle_name, last_name, full_name FROM autofill_profile_names SELECT card_number_encrypted, length(card_number_encrypted), name_on_card, expiration_month || "/" ||expiration_year FROM credit_cards SELECT origin_url,username_value,length(password_value),password_value FROM logins WHERE username_value <> '' SELECT host, path, isSecure, expiry, name, value FROM moz_cookies SELECT fieldname, value FROM moz_formhistory ### UAC Bypass The following are two functions to Bypass UAC (User Account Control). The Eventvwr and the fodhelper UAC bypass technique. ### Harvest Email/Outlook Information and Browser Password Storage Exfiltration tasks also include querying several registry keys related to email client Microsoft Outlook to steal user profiles, email signatures, and stored password folders through registry and ActiveMail Partners “%u” is the outlook version installed in the machine ----- HKCU\Software\Microsoft\Office\%u.0\Outlook\Profiles HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKCU\Software\Microsoft\ActiveSync\Partners HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 ### Recon AV Product The following PowerShell commands detect Antivirus Product information. WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List ### Other Execution and RemoteThread Execution We also found chcp command execution and passage of the result to a created pipe. The result of this command line may give the locale country region of the compromised host base on its result. For example, the 437 result means “default code page in the US”. Another regsvr32 execution with “/s” parameter to execute DLL payload downloaded from its C2 server, copy of itself or decrypted DLL that was dropped in the compromised host. Code injection into a cmd.exe process. ----- ## Persistence IcedID creates a scheduled task entry to download the file that will decrypt and load the license.dat file using a process spawned via the Rundll32 application, as seen in the screenshot below. In addition to using scheduled tasks for spawning processes, the main bot is also capable of creating a regrun entry for its DLL payload using SHSetValueA API. This will ensure that the DLL will be loaded every time a user logs on. ## Create Self Signed Certificate IcedID will also add certificates into the certificate store that will be saved in the %temp% folder as part of its possible proxy communication to its C2 server bound to IP 127.0.0.1 port 54245. The screenshot below shows the decrypted certificate format that IcedID will add to the certificate store in a .tmp file. This proxy function also compliments the web inject vector as an alternative way to capture traffic and credentials. ----- The screenshot below shows how IcedID setup proxy from IP 127.0.0.1 port 54245 by listening on the created socket relative to the IP and port mentioned above. The following are several detection methods created by STRT to address IcedID. All these detections are encompassed in an Analytic story released in our content updates. ## Detections ----- Suspicious Rundll32 Plugininit (New) | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*PluginInit* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` Suspicious IcedID Rundll32 Cmdline (New) | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*/i:* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ----- Rundll32 DNSQuery (New) `sysmon` EventCode=22 process_name="rundll32.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus ProcessId direction Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ----- Rundll32 Process Creating Exe Dll Files (New) `sysmon` EventCode=11 process_name="rundll32.exe" TargetFilename IN ("*.exe", "*.dll",) | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename ProcessGuid dest user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ----- Suspicious IcedID Regsvr32 Cmdline (New) | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=regsvr32.exe Processes.process=*-s* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` Rundll32 CreateRemoteThread In-Browser (New) ----- `sysmon` EventCode=8 SourceImage = "*\\rundll32.exe" TargetImage IN ("*\\firefox.exe", "*\\chrome.exe") | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage TargetProcessId SourceProcessId StartAddress EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` Office Application Spawn Regsvr32 process (new) ----- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name = "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name = "outlook.exe") Processes.process_name=regsvr32.exe by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` Recon AVProduct Through Pwh or WMI (Modified) `powershell` EventCode=4104 (Message = "*SELECT*" OR Message = "*WMIC*") AND (Message = "*AntiVirusProduct*" OR Message = "*AntiSpywareProduct*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` ----- CHCP Command Execution (New) | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com Processes.parent_process_name = cmd.exe Processes.parent_process=*/c* by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` Create Remote Thread In Shell Application (New) ----- `sysmon` EventCode=8 TargetImage IN ("*\\cmd.exe", "*\\powershell*") | stats count min(_time) as firstTime max(_time) as lastTime by TargetImage TargetProcessId SourceProcessId EventCode StartAddress SourceImage Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` Drop IcedID License.dat (New) `sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` IcedID Exfiltrated Archived File Creation (New) ----- `sysmon` EventCode= 11 (TargetFilename = "*\\passff.tar" OR TargetFilename = "*\\cookie.tar") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` SQLite Module In Temp Folder (New) `sysmon` EventCode= 11 (TargetFilename = "*\\sqlite32.dll" OR TargetFilename = "*\\sqlite64.dll") (TargetFilename = "*\\temp\\*") |stats count min(_time) as firstTime max(_time) as lastTime by process_name TargetFilename EventCode ProcessId Image process_id process_name Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` **Detection** **Techniques** **ID** **Tactics** **Description** **Defense Tactics &** **Techniques** ----- Previously seen [command line](https://github.com/splunk/security_content/blob/develop/baselines/previously_seen_command_line_arguments.yml) arguments (Existing) Eventvwr UAC Bypass (Existing) FodHelper UAC Bypass (Existing) Mshta spawning [Rundll32 OR](https://github.com/splunk/security_content/blob/develop/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml) Regsvr32 Process (Existing) [T1059](https://attack.mitre.org/techniques/T1059/) Execution Detects for command line arguments where `cmd.exe /c` is used to execute a program [T1548.002](https://attack.mitre.org/techniques/T1548/002/) Privilege Escalation, Defense Evasion [T1548.002](https://attack.mitre.org/techniques/T1548/002/) Privilege Escalation, Defense Evasion [T1218.005](https://attack.mitre.org/techniques/T1218/005/) Defense Evasion Detects uac bypass using eventvwr Detects uac bypass using fodhelper Detects suspicious child process of mshta parent process Detect [D3-SEA](https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis) Script Execution Analysis Detect: [D3-ANET /](https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding) [D3-AZET](https://d3fend.mitre.org/technique/d3f:AuthorizationEventThresholding) Authentication/Authorization Event Thresholding Detect: [D3-ANET /](https://d3fend.mitre.org/technique/d3f:AuthenticationEventThresholding) [D3-AZET](https://d3fend.mitre.org/technique/d3f:AuthorizationEventThresholding) Authentication/Authorization Event Thresholding Detect: Dynamic Analysis [D3-FAPA](https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis) File Access Pattern [D3-PSA](https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis) Process Spawn Analysis ----- Office Application [Spawn rundll32](https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_application_spawn_rundll32_process.yml) process (Existing) Office Document [Executing Macro](https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_document_executing_macro_code.yml) Code (Existing) [T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial Access Detects suspicious rundll32 child process of MS office application [T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial Access Detects suspicious MS office app running macro code Detect: File Analysis [D3-DA](https://d3fend.mitre.org/technique/d3f:DynamicAnalysis) Identifier Analysis [D3-HD](https://d3fend.mitre.org/technique/d3f:HomoglyphDetection) URL Analysis [D3-UA](https://d3fend.mitre.org/technique/d3f:URLAnalysis) Message Analysis Sender MTA Reputation [D3-SMRA](https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis) Sender Reputation [D3-SRA](https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis) Detect: File Analysis [D3-DA](https://d3fend.mitre.org/technique/d3f:DynamicAnalysis) Identifier Analysis [D3-HD](https://d3fend.mitre.org/technique/d3f:HomoglyphDetection) URL Analysis [D3-UA](https://d3fend.mitre.org/technique/d3f:URLAnalysis) Message Analysis Sender MTA Reputation [D3-SMRA](https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis) Sender Reputation [D3-SRA](https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis) ----- Office Product Spawning MSHTA (Existing) Registry Keys Used For Persistence (Existing) Schedule Task with [Rundll32 Command](https://github.com/splunk/security_content/blob/develop/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml) Trigger (Existing) [T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial Access Detects suspicious mshta child process of MS office application [T1547.001](https://attack.mitre.org/techniques/T1547/001/) Persistence, Privilege Escalation [T1053](https://attack.mitre.org/techniques/T1053/) Execution, Persistence, Privilege Escalation Detects modifications to registry keys that can be used to launch an application or service at system startup Detects suspicious scheduled task with rundll32 command Detect: File Analysis [D3-DA](https://d3fend.mitre.org/technique/d3f:DynamicAnalysis) Identifier Analysis [D3-HD](https://d3fend.mitre.org/technique/d3f:HomoglyphDetection) URL Analysis [D3-UA](https://d3fend.mitre.org/technique/d3f:URLAnalysis) Message Analysis Sender MTA Reputation [D3-SMRA](https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis) Sender Reputation [D3-SRA](https://d3fend.mitre.org/technique/d3f:SenderReputationAnalysis) N/A Detect [D3-OSM](https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring) OS Monitoring [D3-SJA](https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis) Scheduled Job Analysis [D3-OSM](https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis) Operating System Monitoring ----- WinEvent Scheduled [Task Created Within](https://github.com/splunk/security_content/blob/develop/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml) Public Path (Existing) Suspicious Regsvr32 [Register Suspicious](https://github.com/splunk/security_content/blob/develop/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml) Path (Existing) Account Discovery With Net App (Existing) NLTest Domain Trust Discovery (Existing) Recon AVProduct [Through Pwh or](https://github.com/splunk/security_content/blob/develop/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml) WMI(Modified) Suspicious Rundll32 Plugininit (New) [T1053](https://attack.mitre.org/techniques/T1053/) Execution, Persistence, Privilege Escalation [T1218.010](https://attack.mitre.org/techniques/T1218/010/) Defense Evasion [T1218.011](https://attack.mitre.org/techniques/T1218/011/) Defense Evasion Detects suspicious scheduled task created in a suspicious file path Detects regsvr32 execution with suspicious DLL file path [T1087.002](https://attack.mitre.org/techniques/T1087/002/) Discovery detects a potential account discovery through a series of commands. [T1482](https://attack.mitre.org/techniques/T1482/) Discovery Detects execution of `nltest.exe` with suspicious parameter [T1592](https://attack.mitre.org/techniques/T1592/) Reconnaissance Detects command to gather AV product info Detects PluginInit parameter of Rundll32 process Detect [D3-OSM](https://d3fend.mitre.org/technique/d3f:OperatingSystemMonitoring) OS Monitoring [D3-SJA](https://d3fend.mitre.org/technique/d3f:ScheduledJobAnalysis) Scheduled Job Analysis [D3-OSM](https://d3fend.mitre.org/technique/d3f:SystemFileAnalysis) Operating System Monitoring Detect: Dynamic Analysis [D3-FAPA](https://d3fend.mitre.org/technique/d3f:FileAccessPatternAnalysis) File Access Pattern [D3-PSA](https://d3fend.mitre.org/technique/d3f:ProcessSpawnAnalysis) Process Spawn Analysis N/A N/A N/A N/A ----- Suspicious IcedID Rundll32 Cmdline (New) [Rundll32 DNSQuery](https://github.com/splunk/security_content/blob/develop/detections/endpoint/rundll32_dnsquery.yml) (New) Rundll32 Process Creating Exe Dll Files (New) Suspicious IcedID Regsvr32 Cmdline (New) Rundll32 [CreateRemoteThread](https://github.com/splunk/security_content/blob/develop/detections/endpoint/rundll32_createremotethread_in_browser.yml) In Browser (New) Office Application [Spawn Regsvr32](https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_application_spawn_regsvr32_process.yml) process (new) [T1218.011](https://attack.mitre.org/techniques/T1218/011/) Defense Evasion [T1218.011](https://attack.mitre.org/techniques/T1218/011/) Defense Evasion [T1218.011](https://attack.mitre.org/techniques/T1218/011/) Defense Evasion [T1218.010](https://attack.mitre.org/techniques/T1218/010/) Defense Evasion [T1055](https://attack.mitre.org/techniques/T1055/) Defense Evasion, Privilege Escalation [T1566.001](https://attack.mitre.org/techniques/T1566/001/) Initial Access Detects suspicious regsvr32 child process of office application Detects known IcedID rundll32 parameter. Detects DNS query from rundll32 process Detects rundll32 process dropping executable files Detects regsvr32 process with known “-s” parameter Detects Process Injection to a browser from rundll32 process N/A N/A N/A N/A N/A Detect: File Analysis [D3-DA](https://d3fend.mitre.org/technique/d3f:DynamicAnalysis) Identifier Analysis [D3-HD](https://d3fend.mitre.org/technique/d3f:HomoglyphDetection) URL Analysis [D3-UA](https://d3fend.mitre.org/technique/d3f:URLAnalysis) Message Analysis Sender MTA Reputation [D3-SMRA](https://d3fend.mitre.org/technique/d3f:SenderMTAReputationAnalysis) Sender ----- Rundll32 Create [Remote Thread To A](https://github.com/splunk/security_content/blob/develop/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml) Process (New) CHCP Command Execution (New) Create Remote [Thread In Shell](https://github.com/splunk/security_content/blob/develop/detections/endpoint/create_remote_thread_in_shell_application.yml) Application (New) Drop IcedID License dat (New) IcedID Exfiltrated [Archived File](https://github.com/splunk/security_content/blob/develop/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml) Creation (New) Sqlite Module In Temp Folder (New) ## Hashes [T1055](https://attack.mitre.org/techniques/T1055/) Defense Evasion, Privilege Escalation Detects process Injection made by rundll32 [T1059](https://attack.mitre.org/techniques/T1059/) Execution Detects chcp.com execution [T1055](https://attack.mitre.org/techniques/T1055/) Defense Evasion, Privilege Escalation Detects Process Injection in Shell Application [T1204.002](https://attack.mitre.org/techniques/T1204/002/) Execution Detects suspicious license.dat file creation [T1560.001](https://attack.mitre.org/techniques/T1560/001/) Collection Detects creation of archived files related to IcedID data collection [T1005](https://attack.mitre.org/techniques/T1005/) Collection Detects the creation of sqlite module in %temp% folder N/A Detect [D3-SEA](https://d3fend.mitre.org/technique/d3f:ScriptExecutionAnalysis) Script Execution Analysis N/A Detect: File Analysis [D3-DA](https://d3fend.mitre.org/technique/d3f:DynamicAnalysis) Identifier Analysis [D3-HD](https://d3fend.mitre.org/technique/d3f:HomoglyphDetection) Detect: File Content Rules [D3-FCR](https://d3fend.mitre.org/technique/d3f:FileContentRules) File Hashing [D3-FH](https://d3fend.mitre.org/technique/d3f:FileHashing) N/A ----- File Sha1 Tetoomdu64.dll [787447B91095E8BB4F696A69C4B7CBAAF302E8C1](https://www.virustotal.com/gui/file/3ed5d0476d1ce4fd325666072983d295609fe94c5b65d5db47a53f462ac7a4dc/detection) license.dat [ECA410DD57AF16227220E08067C1895C258EB92B](https://www.virustotal.com/gui/file/29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e/detection) Xls macro [334E6FFE01A015195C8E63932035684F2537881C](https://www.virustotal.com/gui/file/5eac3e85bfd9da7181a488e33875ddc3479c021fcbeab807bef7bc9da107113a/detection) docBorderWin.jpg [C0FC382E3B2811EFCA738BD4EEB00C5A5D9AD82A](https://www.virustotal.com/gui/file/9b6b3b62f816d3b9a63f20ba92006ce20d103adc67c564d4ea780069404656d6/detection) Hta loader [8DCB6C08799EEB06AC4CF2B38A59DBA107D1E24F](https://www.virustotal.com/gui/file/f2853a980ec905710695b3d5e3a6c38ace906f7dcd12b4cb35cbeb621afe3b26/details) sadl.dll [D44DE47328467E3832F3AE0ADF4E68649A8BE0D2](https://www.virustotal.com/gui/file/05b881b5b349aac2548857ca4f32f94f7211a601d0236f99752cc7e8df1f9668/details) ## Contributors We would like to thank the following for their contributions to this post: Teoderick Contreras and Rod Soto. Posted by **[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)** The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest ----- threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository. Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more. [Read more Splunk Security Content.](https://github.com/splunk/security_content) -----