# Manual Unpacking IcedID Write-up

**[kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/](https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/)**

**Sample hash:**


August 16, 2020


_SHA256: 76cd290b236b11bd18d81e75e41682208e4c0a5701ce7834a9e289ea9e06eb7e_

**Tools:**

[PE files static analysis: PortExAnalyzer;](https://github.com/katjahahn/PortEx) [PE-bear](https://github.com/hasherezade/pe-bear-releases)
[Debugger & plugin: x64dbg +](https://github.com/x64dbg/x64dbg) [ScyllaHide Anti-Anti-Debug](https://github.com/x64dbg/ScyllaHide)
[Aplib decompress: aplib-ripper](https://github.com/herrcore/aplib-ripper)

## 1. Static Analysis

Thow the sample to PortEx Analyzer, tool will analyse file with a special focus on
malformation. We get the results:

The section .text has high entropy, so may be the sample is packed:


-----

This sample is PE32 with ASLR enabled (can quickly disable this feature by using
[setdllcharacteristics):](https://blog.didierstevens.com/2010/10/17/setdllcharacteristics/)

This sample reveals information about the pdb path:

Some anomalies were identified by PortEx:


-----

## 2. Dynamic Analysis

Load specimen to x64dbg, for unpacking process, we set breakpoints at some common
APIs:
```
   VirtualAlloc
   VirtualProtect
   CreateProcessInternalW
   WriteProcessMemory

```
After placing the breakpoints like above picture, press `F9` to execute. First hit at
```
VirtualAlloc :

```
Execute till Return ( Ctrl+F9 ) and Follow in dump the allocated memory (return in `EAX`
register):

Continue run with `F9, hit the second call to` `VirtualAlloc` and observe changes in the
allocated memory. We see new bytes value was written to this location and it is likely a
shellcode:


-----

Once again, `Ctrl+F9 and Follow in dump the new allocated memory:`

Let’s continue execute and hit the third call to `VirtualAlloc, some bytes were written to`
the new allocated memory. They do not look like shellcode but could be some data that
malicious code uses:

Continuing to execute the call to the `VirtuallAlloc` function, we have a newly allocated
memory:


-----

Press `F9, we break at` `VirtualProtect . The newly allocated device has been filled with`
bytes. I spotted a PE file that has been compressed using aPlib because the PE magic bytes

`MZ` become `M8Z .`

Follow this section in the Memory Map and dump it to file:

## 3. Decompress dumped file

From the command line, simply need to pass dumped file to aprip.py . The tool will do its
job and each extracted file will be written to a file “dump0.bin”, “dump1.bin”, …


-----

Check `dump0.bin (21dd005162c62af26f3f59e2ebcb345c) with PE-bear:`
```
AddressOfEntryPoint = 0x0000163D

```
Valid IATs:

**End!**

m4n0w4r


-----