icedid | bca95f8c72826187d1eddc4615ec6f99acbe9ac233ec5bb11bba7b726a2c5c02

General

Target

data.dll
Size

568KB
MD5

af31e31bf5757d81cf20626d777c71a6
SHA1

f67586fb95f9361998bd8cf5c64991c4add6afae
SHA256

bca95f8c72826187d1eddc4615ec6f99acbe9ac233ec5bb11bba7b726a2c5c02
SHA512

c58ad9d314d4f09c945b593f6763c821f21c4f535e1b1f41b847b895abfbea70ef90d73aa902c5fbf7b788b94d046ca3449e0c54e1cc8c0835b9fc829cc93bde

Score

10^/10

icedid 952864090 banker suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

952864090

C2

biglaneat.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2036 1720 WerFault.exe regsvr32.exe
1708 792 WerFault.exe regsvr32.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

792 regsvr32.exe

pid	pid_target	process	target process
2036	1720	WerFault.exe	regsvr32.exe
1708	792	WerFault.exe	regsvr32.exe

pid	process
792	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

regsvr32.exeWerFault.exeregsvr32.exeWerFault.exe

pid	process
1720	regsvr32.exe
1720	regsvr32.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
792	regsvr32.exe
792	regsvr32.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 2036 WerFault.exe
Token: SeDebugPrivilege 1708 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2036	WerFault.exe
Token: SeDebugPrivilege	1708	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cmd.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1648 wrote to memory of 792	1648	cmd.exe	regsvr32.exe
PID 1648 wrote to memory of 792	1648	cmd.exe	regsvr32.exe
PID 1648 wrote to memory of 792	1648	cmd.exe	regsvr32.exe
PID 1648 wrote to memory of 792	1648	cmd.exe	regsvr32.exe
PID 1648 wrote to memory of 792	1648	cmd.exe	regsvr32.exe
PID 1720 wrote to memory of 2036	1720	regsvr32.exe	WerFault.exe
PID 1720 wrote to memory of 2036	1720	regsvr32.exe	WerFault.exe
PID 1720 wrote to memory of 2036	1720	regsvr32.exe	WerFault.exe
PID 792 wrote to memory of 1708	792	regsvr32.exe	WerFault.exe
PID 792 wrote to memory of 1708	792	regsvr32.exe	WerFault.exe
PID 792 wrote to memory of 1708	792	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1720 -s 260
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\regsvr32.exe
regsvr32 data.dll
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 792 -s 260
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-62-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1720-55-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1720-58-0x0000000000120000-0x000000000012B000-memory.dmp

Filesize
44KB

Download
memory/2036-60-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing