icedid | 503eee9ef80021bf404dd5289ea47903732d5288ae286ca5814ebd25038ce6de | Triage

Analysis

max time kernel
679s
max time network
679s
platform
windows7_x64
resource
win7v20201028
submitted
13-03-2021 02:54

Sharing

Report Analysis Logs

General

Target

Runtime.brok2.dll
Size

154KB
MD5

c386d9720b578d7390d474aff0857d80
SHA1

4dc6fe015674fd5af318176e108e137a6d2ecee6
SHA256

503eee9ef80021bf404dd5289ea47903732d5288ae286ca5814ebd25038ce6de
SHA512

43c51d6cc4fd55c154a2e525c0012de1ba3171f32c75632fe651752521c83efbaf8ebd1db9c1cd472bbbe68ffa73992edd9d0ce3a0e64681a08edbe2c0698c9d

Score

10^/10

icedid 2292720537 Photoloader banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2292720537

C2

klicjop9.fun

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1604-3-0x0000000001D90000-0x0000000001D97000-memory.dmp	IcedidFirstLoader

PhotoLoader Payload 1 IoCs

IcedID downloder-Photloader.

Processes:

resource	yara_rule
behavioral1/memory/1604-3-0x0000000001D90000-0x0000000001D97000-memory.dmp	crime_win32_icedid_stage1

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1604 regsvr32.exe
1604 regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Runtime.brok2.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1604-2-0x000007FEFC1C1000-0x000007FEFC1C3000-memory.dmp

Filesize
8KB

Download
memory/1604-3-0x0000000001D90000-0x0000000001D97000-memory.dmp

Filesize
28KB

Download