icedid | 56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2

Analysis

max time kernel
149s
max time network
138s
platform
windows10_x64
resource
win10v20201028
submitted
30-11-2020 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Donorcasino.dat.dll
Size

280KB
MD5

331976fe1dca57b408fd0150c662e096
SHA1

9d1a20b84fe8cf0a3afbecdbe8a4d0b9a6b761e8
SHA256

56c26ed446ff536e676969a770d3ca72bd5bb1faf20aa64ecb559cbaab4d36d2
SHA512

1390cd65f65e1a2b41307b29d67eedb42cfbe474f7385f827330ea44a12ff84a8271f44c08f1533b4510b058c6bf4f26c5d24c0033a42a3cc00c58926a24c397

Score

10^/10

icedid banker loader trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 64 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/4824-4-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-5-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-7-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-9-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-10-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-11-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-12-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-13-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-15-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-16-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-17-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-18-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-20-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-21-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-22-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-23-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-24-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-25-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-27-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-28-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-30-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-29-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-31-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-34-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-33-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-36-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-37-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-35-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-38-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-39-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-41-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-42-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-43-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-44-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-45-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-47-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-46-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-51-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-50-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-53-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-52-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-54-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-55-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-56-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-57-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-58-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-60-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-61-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-62-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-63-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-65-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-64-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-67-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-66-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-70-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-69-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-72-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-74-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-75-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-76-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-77-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-73-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-71-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/4824-82-0x0000000000000000-mapping.dmp	IcedidSecondLoader

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3096	4824	WerFault.exe	regsvr32.exe
572	4824	WerFault.exe	regsvr32.exe
364	4824	WerFault.exe	regsvr32.exe
1324	4824	WerFault.exe	regsvr32.exe
1924	4824	WerFault.exe	regsvr32.exe
2556	4824	WerFault.exe	regsvr32.exe
4052	4824	WerFault.exe	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
364	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3096	WerFault.exe
Token: SeBackupPrivilege	3096	WerFault.exe
Token: SeDebugPrivilege	3096	WerFault.exe
Token: SeDebugPrivilege	572	WerFault.exe
Token: SeDebugPrivilege	364	WerFault.exe
Token: SeDebugPrivilege	1324	WerFault.exe
Token: SeDebugPrivilege	1924	WerFault.exe
Token: SeDebugPrivilege	2556	WerFault.exe
Token: SeDebugPrivilege	4052	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4696 wrote to memory of 4824	4696	regsvr32.exe	regsvr32.exe
PID 4696 wrote to memory of 4824	4696	regsvr32.exe	regsvr32.exe
PID 4696 wrote to memory of 4824	4696	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Donorcasino.dat.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Donorcasino.dat.dll
2⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 768
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 852
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1560
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1604
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1616
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1576
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-26-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/364-19-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/572-8-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/572-14-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1324-32-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1324-40-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1924-49-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1924-59-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1924-48-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/2556-68-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/2556-78-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3096-6-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/3096-3-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/4052-87-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4052-98-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/4824-50-0x0000000000000000-mapping.dmp

Download
memory/4824-58-0x0000000000000000-mapping.dmp

Download
memory/4824-17-0x0000000000000000-mapping.dmp

Download
memory/4824-20-0x0000000000000000-mapping.dmp

Download
memory/4824-21-0x0000000000000000-mapping.dmp

Download
memory/4824-22-0x0000000000000000-mapping.dmp

Download
memory/4824-23-0x0000000000000000-mapping.dmp

Download
memory/4824-24-0x0000000000000000-mapping.dmp

Download
memory/4824-25-0x0000000000000000-mapping.dmp

Download
memory/4824-16-0x0000000000000000-mapping.dmp

Download
memory/4824-27-0x0000000000000000-mapping.dmp

Download
memory/4824-28-0x0000000000000000-mapping.dmp

Download
memory/4824-30-0x0000000000000000-mapping.dmp

Download
memory/4824-29-0x0000000000000000-mapping.dmp

Download
memory/4824-31-0x0000000000000000-mapping.dmp

Download
memory/4824-15-0x0000000000000000-mapping.dmp

Download
memory/4824-34-0x0000000000000000-mapping.dmp

Download
memory/4824-33-0x0000000000000000-mapping.dmp

Download
memory/4824-36-0x0000000000000000-mapping.dmp

Download
memory/4824-37-0x0000000000000000-mapping.dmp

Download
memory/4824-35-0x0000000000000000-mapping.dmp

Download
memory/4824-38-0x0000000000000000-mapping.dmp

Download
memory/4824-39-0x0000000000000000-mapping.dmp

Download
memory/4824-13-0x0000000000000000-mapping.dmp

Download
memory/4824-41-0x0000000000000000-mapping.dmp

Download
memory/4824-42-0x0000000000000000-mapping.dmp

Download
memory/4824-43-0x0000000000000000-mapping.dmp

Download
memory/4824-44-0x0000000000000000-mapping.dmp

Download
memory/4824-45-0x0000000000000000-mapping.dmp

Download
memory/4824-47-0x0000000000000000-mapping.dmp

Download
memory/4824-46-0x0000000000000000-mapping.dmp

Download
memory/4824-12-0x0000000000000000-mapping.dmp

Download
memory/4824-51-0x0000000000000000-mapping.dmp

Download
memory/4824-2-0x0000000000000000-mapping.dmp

Download
memory/4824-53-0x0000000000000000-mapping.dmp

Download
memory/4824-52-0x0000000000000000-mapping.dmp

Download
memory/4824-54-0x0000000000000000-mapping.dmp

Download
memory/4824-11-0x0000000000000000-mapping.dmp

Download
memory/4824-55-0x0000000000000000-mapping.dmp

Download
memory/4824-56-0x0000000000000000-mapping.dmp

Download
memory/4824-57-0x0000000000000000-mapping.dmp

Download
memory/4824-18-0x0000000000000000-mapping.dmp

Download
memory/4824-10-0x0000000000000000-mapping.dmp

Download
memory/4824-60-0x0000000000000000-mapping.dmp

Download
memory/4824-61-0x0000000000000000-mapping.dmp

Download
memory/4824-62-0x0000000000000000-mapping.dmp

Download
memory/4824-63-0x0000000000000000-mapping.dmp

Download
memory/4824-65-0x0000000000000000-mapping.dmp

Download
memory/4824-64-0x0000000000000000-mapping.dmp

Download
memory/4824-67-0x0000000000000000-mapping.dmp

Download
memory/4824-66-0x0000000000000000-mapping.dmp

Download
memory/4824-9-0x0000000000000000-mapping.dmp

Download
memory/4824-70-0x0000000000000000-mapping.dmp

Download
memory/4824-69-0x0000000000000000-mapping.dmp

Download
memory/4824-72-0x0000000000000000-mapping.dmp

Download
memory/4824-74-0x0000000000000000-mapping.dmp

Download
memory/4824-75-0x0000000000000000-mapping.dmp

Download
memory/4824-76-0x0000000000000000-mapping.dmp

Download
memory/4824-77-0x0000000000000000-mapping.dmp

Download
memory/4824-73-0x0000000000000000-mapping.dmp

Download
memory/4824-71-0x0000000000000000-mapping.dmp

Download
memory/4824-7-0x0000000000000000-mapping.dmp

Download
memory/4824-80-0x0000000000000000-mapping.dmp

Download
memory/4824-79-0x0000000000000000-mapping.dmp

Download
memory/4824-82-0x0000000000000000-mapping.dmp

Download
memory/4824-81-0x0000000000000000-mapping.dmp

Download
memory/4824-86-0x0000000000000000-mapping.dmp

Download
memory/4824-85-0x0000000000000000-mapping.dmp

Download
memory/4824-84-0x0000000000000000-mapping.dmp

Download
memory/4824-83-0x0000000000000000-mapping.dmp

Download
memory/4824-5-0x0000000000000000-mapping.dmp

Download
memory/4824-88-0x0000000000000000-mapping.dmp

Download
memory/4824-89-0x0000000000000000-mapping.dmp

Download
memory/4824-90-0x0000000000000000-mapping.dmp

Download
memory/4824-91-0x0000000000000000-mapping.dmp

Download
memory/4824-92-0x0000000000000000-mapping.dmp

Download
memory/4824-93-0x0000000000000000-mapping.dmp

Download
memory/4824-95-0x0000000000000000-mapping.dmp

Download
memory/4824-94-0x0000000000000000-mapping.dmp

Download
memory/4824-96-0x0000000000000000-mapping.dmp

Download
memory/4824-4-0x0000000000000000-mapping.dmp

Download