icedid | 0982c38ddad347ce0ff426106db78f3e51b723d7d90308a970ef43ef84fc8d75

Analysis

max time kernel
3s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
26-02-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b63e3ccc1accb0fde3af7bcfbd0554d3.dll
Size

1.4MB
MD5

b63e3ccc1accb0fde3af7bcfbd0554d3
SHA1

6a6cf5af326f2ae625b97cb3658366d45608e6b9
SHA256

0982c38ddad347ce0ff426106db78f3e51b723d7d90308a970ef43ef84fc8d75
SHA512

51dfced4855cc288132e20879e8dc9c8626b6ea5ec71b9ded9be9ab01b8e77c3bdedc817dfde9a456aa957e32f8e9dac6c7640b86facd7429d549d3279ead17b

Score

10^/10

icedid 3109461289 banker evasion themida trojan

Malware Config

Extracted

Family

icedid

Campaign

3109461289

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regsvr32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1924-3-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmp	themida
behavioral1/memory/1924-4-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

1924 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1924 regsvr32.exe
1924 regsvr32.exe

pid	process
1924	regsvr32.exe

pid	process
1924	regsvr32.exe
1924	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b63e3ccc1accb0fde3af7bcfbd0554d3.dll
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-2-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download
memory/1924-3-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmp

Filesize
4.9MB

Download
memory/1924-4-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmp

Filesize
4.9MB

Download
memory/1924-5-0x000007FEF62D1000-0x000007FEF62D3000-memory.dmp

Filesize
8KB

Download