icedid | acdae1286b5ab214e1a3b0f72f282e9f6eca6069006db89859da7e3a7a1d5f76 | Triage

Analysis

max time kernel
136s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
21-02-2022 09:48

Sharing

Report Analysis Logs

General

Target

acdae1286b5ab214e1a3b0f72f282e9f6eca6069006db89859da7e3a7a1d5f76.dll
Size

490KB
MD5

86faa5f63214f5abad9a8334ffa0e56e
SHA1

105d31935f35db035df1b4a487b62f1a511a7cfa
SHA256

acdae1286b5ab214e1a3b0f72f282e9f6eca6069006db89859da7e3a7a1d5f76
SHA512

06eaee438d424ffb125f867d30beab17285e5054580fd7995100a784a5288ba3fb5c069a8bb87948dc7fb26f7a507821bd87a847383db67c533a70317c588afc

Score

10^/10

icedid 3467965077 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

3467965077

C2

firenicatrible.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

2764 regsvr32.exe
2764 regsvr32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4580	svchost.exe
Token: SeCreatePagefilePrivilege	4580	svchost.exe
Token: SeShutdownPrivilege	4580	svchost.exe
Token: SeCreatePagefilePrivilege	4580	svchost.exe
Token: SeShutdownPrivilege	4580	svchost.exe
Token: SeCreatePagefilePrivilege	4580	svchost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\acdae1286b5ab214e1a3b0f72f282e9f6eca6069006db89859da7e3a7a1d5f76.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2764-133-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/4580-130-0x000001F39EFA0000-0x000001F39EFB0000-memory.dmp

Filesize
64KB

Download
memory/4580-131-0x000001F39F770000-0x000001F39F780000-memory.dmp

Filesize
64KB

Download
memory/4580-132-0x000001F3A2380000-0x000001F3A2384000-memory.dmp

Filesize
16KB

Download