Resubmissions

25-02-2022 13:47

220225-q324rsgce5 10

25-02-2022 13:42

220225-qz4hesgcd7 1

25-02-2022 07:59

220225-jvqbnsgfen 10

24-02-2022 18:59

220224-xm42radec7 1

Analysis

  • max time kernel
    4294298s
  • max time network
    299s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    25-02-2022 07:59

General

  • Target

    data.dll

  • Size

    635KB

  • MD5

    037108e76aea0fb082896b0dfa806a8a

  • SHA1

    cc1035bbb80813ba53ae7ad74b8649a4c696e9a1

  • SHA256

    90c29a66209be554dfbd2740f6a54d12616da35d0e5e4af97eb2376b9d053457

  • SHA512

    ebb5fb84a4a1e654de8f7d38dc22d0586266ae58baee9304cd290ba34bcdf8328c7c3c0c243bc996e5e6134fa3aa0948bfc8651259fd3f258722e0da525d9971

Malware Config

Extracted

Family

icedid

Campaign

952864090

C2

biglaneat.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1940 -s 260
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1400-57-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

    Filesize

    4KB

  • memory/1940-54-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

    Filesize

    8KB

  • memory/1940-55-0x00000000001A0000-0x00000000001AB000-memory.dmp

    Filesize

    44KB