icedid | 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2 | Triage

Analysis

max time kernel
103s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
30-11-2020 18:39

Sharing

Report Analysis Logs

General

Target

Donorcasino.dat.dll
Size

280KB
MD5

331976fe1dca57b408fd0150c662e096
SHA1

9d1a20b84fe8cf0a3afbecdbe8a4d0b9a6b761e8
SHA256

56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2
SHA512

1390cd65f65e1a2b41307b29d67eedb42cfbe474f7385f827330ea44a12ff84a8271f44c08f1533b4510b058c6bf4f26c5d24c0033a42a3cc00c58926a24c397

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1964-3-0x0000000002BA0000-0x0000000002C47000-memory.dmp	Icedid_core

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe
PID 596 wrote to memory of 1964	596	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Donorcasino.dat.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Donorcasino.dat.dll
2⤵
PID:1964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-2-0x0000000000000000-mapping.dmp

Download
memory/1964-3-0x0000000002BA0000-0x0000000002C47000-memory.dmp

Filesize
668KB

Download