icedid | a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5 | Triage

Analysis

max time kernel
61s
max time network
120s
platform
windows7_x64
resource
win7v20201028
submitted
13-11-2020 22:03

Sharing

Report Analysis Logs

General

Target

Maaywuku2.dll
Size

123KB
MD5

c33bd283a36d34b8de1826585e564530
SHA1

540f3ba581d2f0a4004da108ff20fb7a5c0b708c
SHA256

a09d8c487a135b973af532247d62f46695a53f37add6c66e561f1c14650290f5
SHA512

12b570c44dfb89dcf9c77f0d429e58c3bce7a302ecc83e76962393169416c6956698fc9e291c49946ecb3e4ea3f52e201b0f3fe6a59d3fdfd9b06eba7f49248f

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-1-0x0000000002CB0000-0x0000000002D56000-memory.dmp	Icedid_core

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 1524 rundll32.exe
5 1524 rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1524	2036	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maaywuku2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maaywuku2.dll,#1
2⤵
- Blocklisted process makes network request
PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-0-0x0000000000000000-mapping.dmp

Download
memory/1524-1-0x0000000002CB0000-0x0000000002D56000-memory.dmp

Filesize
664KB

Download