icedid | 688190ebc2254ad085eff4fadf1e086d7b2b0a0b38e32730a85a798b3d56dd07

General

Target

data.dll
Size

382KB
MD5

663c91a724d41e1f2b5c0c007da66cd6
SHA1

f9428daeebd760bf31a2b0e3ef805a98abc942d4
SHA256

688190ebc2254ad085eff4fadf1e086d7b2b0a0b38e32730a85a798b3d56dd07
SHA512

1dff5b313feca82b6ca1e5fcfb7937e5366c31b9d870181db47fe4e63661f5e6e5fe74a6ab0dcdfcab4f33912ee3b8c70e2f2cb4c7962465acf6b20924900f55

Score

10^/10

icedid 936086471 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

936086471

C2

reseptors.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1056 564 WerFault.exe regsvr32.exe
1544 1668 WerFault.exe regsvr32.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

1668 regsvr32.exe

pid	pid_target	process	target process
1056	564	WerFault.exe	regsvr32.exe
1544	1668	WerFault.exe	regsvr32.exe

pid	process
1668	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

regsvr32.exeWerFault.exeregsvr32.exeWerFault.exe

pid	process
564	regsvr32.exe
564	regsvr32.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1668	regsvr32.exe
1668	regsvr32.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1056 WerFault.exe
Token: SeDebugPrivilege 1544 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1056	WerFault.exe
Token: SeDebugPrivilege	1544	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 536 wrote to memory of 1668	536	cmd.exe	regsvr32.exe
PID 536 wrote to memory of 1668	536	cmd.exe	regsvr32.exe
PID 536 wrote to memory of 1668	536	cmd.exe	regsvr32.exe
PID 536 wrote to memory of 1668	536	cmd.exe	regsvr32.exe
PID 536 wrote to memory of 1668	536	cmd.exe	regsvr32.exe
PID 564 wrote to memory of 1056	564	regsvr32.exe	WerFault.exe
PID 564 wrote to memory of 1056	564	regsvr32.exe	WerFault.exe
PID 564 wrote to memory of 1056	564	regsvr32.exe	WerFault.exe
PID 1668 wrote to memory of 1544	1668	regsvr32.exe	WerFault.exe
PID 1668 wrote to memory of 1544	1668	regsvr32.exe	WerFault.exe
PID 1668 wrote to memory of 1544	1668	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 564 -s 244
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\regsvr32.exe
regsvr32 data.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1668 -s 244
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-54-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/564-56-0x0000000000120000-0x000000000012B000-memory.dmp

Filesize
44KB

Download
memory/1056-58-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1544-61-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x0000000000130000-0x000000000013B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing