icedid | e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a

General

Target

otaxujuc64.dll
Size

280KB
MD5

376064351308815baa1cedb83e67b356
SHA1

f0e8d7c1b16adbb734d5254e70b3f6f5f616b09b
SHA256

e7f9b5692e7f51ee1711ef2f344f7fdacf4387712c38a82b1361679ab76da12a
SHA512

d2e83c2e97a11f22041a5936259829ba465098f8db501fe980b90829f43132cc31d29a50abbae1d4cce2693eff837b00643489a61afe29592d65b65bf177f8fa

Score

10^/10

icedid banker loader trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID Second Stage Loader 45 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3788-4-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-5-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-7-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-9-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-10-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-11-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-12-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-13-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-15-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-16-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-17-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-18-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-20-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-21-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-22-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-23-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-24-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-25-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-28-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-27-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-29-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-30-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-31-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-33-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-34-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-36-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-38-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-37-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-39-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-35-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-42-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-41-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-43-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-44-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-46-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-45-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-50-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-51-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-52-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-49-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-54-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-53-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-56-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-55-0x0000000000000000-mapping.dmp	IcedidSecondLoader
behavioral2/memory/3788-61-0x0000000000000000-mapping.dmp	IcedidSecondLoader

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2940	3788	WerFault.exe	regsvr32.exe
3532	3788	WerFault.exe	regsvr32.exe
2160	3788	WerFault.exe	regsvr32.exe
4036	3788	WerFault.exe	regsvr32.exe
4056	3788	WerFault.exe	regsvr32.exe
3236	3788	WerFault.exe	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
2940	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
3532	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
2160	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4036	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe
4056	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2940	WerFault.exe
Token: SeBackupPrivilege	2940	WerFault.exe
Token: SeDebugPrivilege	2940	WerFault.exe
Token: SeDebugPrivilege	3532	WerFault.exe
Token: SeDebugPrivilege	2160	WerFault.exe
Token: SeDebugPrivilege	4036	WerFault.exe
Token: SeDebugPrivilege	4056	WerFault.exe
Token: SeDebugPrivilege	3236	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2604 wrote to memory of 3788	2604	regsvr32.exe	regsvr32.exe
PID 2604 wrote to memory of 3788	2604	regsvr32.exe	regsvr32.exe
PID 2604 wrote to memory of 3788	2604	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\otaxujuc64.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\otaxujuc64.dll
2⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 624
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 768
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 780
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1184
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1200
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1592
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-26-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2160-19-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2940-3-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/2940-6-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3236-75-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/3236-65-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/3532-8-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3532-14-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3788-41-0x0000000000000000-mapping.dmp

Download
memory/3788-64-0x0000000000000000-mapping.dmp

Download
memory/3788-10-0x0000000000000000-mapping.dmp

Download
memory/3788-11-0x0000000000000000-mapping.dmp

Download
memory/3788-12-0x0000000000000000-mapping.dmp

Download
memory/3788-13-0x0000000000000000-mapping.dmp

Download
memory/3788-15-0x0000000000000000-mapping.dmp

Download
memory/3788-16-0x0000000000000000-mapping.dmp

Download
memory/3788-17-0x0000000000000000-mapping.dmp

Download
memory/3788-18-0x0000000000000000-mapping.dmp

Download
memory/3788-20-0x0000000000000000-mapping.dmp

Download
memory/3788-21-0x0000000000000000-mapping.dmp

Download
memory/3788-22-0x0000000000000000-mapping.dmp

Download
memory/3788-23-0x0000000000000000-mapping.dmp

Download
memory/3788-24-0x0000000000000000-mapping.dmp

Download
memory/3788-25-0x0000000000000000-mapping.dmp

Download
memory/3788-7-0x0000000000000000-mapping.dmp

Download
memory/3788-28-0x0000000000000000-mapping.dmp

Download
memory/3788-27-0x0000000000000000-mapping.dmp

Download
memory/3788-29-0x0000000000000000-mapping.dmp

Download
memory/3788-30-0x0000000000000000-mapping.dmp

Download
memory/3788-31-0x0000000000000000-mapping.dmp

Download
memory/3788-81-0x0000000000000000-mapping.dmp

Download
memory/3788-33-0x0000000000000000-mapping.dmp

Download
memory/3788-34-0x0000000000000000-mapping.dmp

Download
memory/3788-36-0x0000000000000000-mapping.dmp

Download
memory/3788-38-0x0000000000000000-mapping.dmp

Download
memory/3788-37-0x0000000000000000-mapping.dmp

Download
memory/3788-39-0x0000000000000000-mapping.dmp

Download
memory/3788-35-0x0000000000000000-mapping.dmp

Download
memory/3788-82-0x0000000000000000-mapping.dmp

Download
memory/3788-42-0x0000000000000000-mapping.dmp

Download
memory/3788-5-0x0000000000000000-mapping.dmp

Download
memory/3788-43-0x0000000000000000-mapping.dmp

Download
memory/3788-44-0x0000000000000000-mapping.dmp

Download
memory/3788-46-0x0000000000000000-mapping.dmp

Download
memory/3788-83-0x0000000000000000-mapping.dmp

Download
memory/3788-80-0x0000000000000000-mapping.dmp

Download
memory/3788-9-0x0000000000000000-mapping.dmp

Download
memory/3788-50-0x0000000000000000-mapping.dmp

Download
memory/3788-51-0x0000000000000000-mapping.dmp

Download
memory/3788-52-0x0000000000000000-mapping.dmp

Download
memory/3788-49-0x0000000000000000-mapping.dmp

Download
memory/3788-54-0x0000000000000000-mapping.dmp

Download
memory/3788-53-0x0000000000000000-mapping.dmp

Download
memory/3788-56-0x0000000000000000-mapping.dmp

Download
memory/3788-55-0x0000000000000000-mapping.dmp

Download
memory/3788-45-0x0000000000000000-mapping.dmp

Download
memory/3788-61-0x0000000000000000-mapping.dmp

Download
memory/3788-60-0x0000000000000000-mapping.dmp

Download
memory/3788-59-0x0000000000000000-mapping.dmp

Download
memory/3788-58-0x0000000000000000-mapping.dmp

Download
memory/3788-62-0x0000000000000000-mapping.dmp

Download
memory/3788-63-0x0000000000000000-mapping.dmp

Download
memory/3788-79-0x0000000000000000-mapping.dmp

Download
memory/3788-4-0x0000000000000000-mapping.dmp

Download
memory/3788-67-0x0000000000000000-mapping.dmp

Download
memory/3788-66-0x0000000000000000-mapping.dmp

Download
memory/3788-69-0x0000000000000000-mapping.dmp

Download
memory/3788-70-0x0000000000000000-mapping.dmp

Download
memory/3788-68-0x0000000000000000-mapping.dmp

Download
memory/3788-73-0x0000000000000000-mapping.dmp

Download
memory/3788-72-0x0000000000000000-mapping.dmp

Download
memory/3788-74-0x0000000000000000-mapping.dmp

Download
memory/3788-71-0x0000000000000000-mapping.dmp

Download
memory/3788-2-0x0000000000000000-mapping.dmp

Download
memory/3788-76-0x0000000000000000-mapping.dmp

Download
memory/3788-77-0x0000000000000000-mapping.dmp

Download
memory/3788-78-0x0000000000000000-mapping.dmp

Download
memory/4036-40-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4036-32-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/4056-48-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4056-57-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4056-47-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads