icedid | d7a2b612bc7124c22cb058518ecf40a39b670042a7fbad01d4fa49d0ce20d344 | Triage

Resubmissions

21-01-2021 15:19

210121-45kpl5vrda 10

07-12-2020 17:45

201207-s6fczt9nba 10

Analysis

max time kernel
41s
max time network
115s
platform
windows10_x64
resource
win10v20201028
submitted
07-12-2020 17:45

Sharing

Report Analysis Logs

General

Target

otgewd.dll
Size

192KB
MD5

cb11148e0c7b70769b156ab085c41dfe
SHA1

48fc5d442a68286f4edcd5a9170b8ce5c849f2e5
SHA256

d7a2b612bc7124c22cb058518ecf40a39b670042a7fbad01d4fa49d0ce20d344
SHA512

a457af8df734e5de9dc0807fbf2916a4015347068199f471ae22b7cb4d5e07855f67201de700286c40f81f5ab128c56e62da924fca277937a0af36c6e6f70ab8

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

18 4776 rundll32.exe
19 4776 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4648 wrote to memory of 4776	4648	rundll32.exe	rundll32.exe
PID 4648 wrote to memory of 4776	4648	rundll32.exe	rundll32.exe
PID 4648 wrote to memory of 4776	4648	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\otgewd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\otgewd.dll,#1
2⤵
- Blocklisted process makes network request
PID:4776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4776-2-0x0000000000000000-mapping.dmp

Download