icedid | f5628f5e31a100bd7f64c47908035d5b9b35f7f375e2a13d25b2370b8500b9ca

Resubmissions

07-03-2022 21:46

220307-1my3aagbh2 10

28-02-2022 09:51

220228-lvldtsdhg4 10

24-02-2022 19:51

220224-yk4hwaehap 1

Analysis

max time kernel
1200s
max time network
1077s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-02-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

core.bat

Score

10^/10

icedid 3560182600 banker trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3560182600

coolbearblunts.com

cooldogblunts.com

Attributes

auth_var
2
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 9 IoCs

flow	pid	Process
3	944	rundll32.exe
5	944	rundll32.exe
7	944	rundll32.exe
8	944	rundll32.exe
10	944	rundll32.exe
11	944	rundll32.exe
12	944	rundll32.exe
13	944	rundll32.exe
15	944	rundll32.exe

Loads dropped DLL 4 IoCs

pid	Process
736	rundll32.exe
736	rundll32.exe
736	rundll32.exe
736	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 944	1752	cmd.exe	28
PID 1752 wrote to memory of 944	1752	cmd.exe	28
PID 1752 wrote to memory of 944	1752	cmd.exe	28
PID 1680 wrote to memory of 736	1680	taskeng.exe	32
PID 1680 wrote to memory of 736	1680	taskeng.exe	32
PID 1680 wrote to memory of 736	1680	taskeng.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:944

C:\Windows\system32\taskeng.exe
taskeng.exe {101F68E3-238C-4B35-A158-78175ACB2616} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Juinatct.dll",DllMain --er="license.dat"
  2⤵
  - Loads dropped DLL
  PID:736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-62-0x0000000001CC0000-0x0000000001D19000-memory.dmp

Filesize
356KB

Download
memory/736-63-0x00000000000A0000-0x00000000000A5000-memory.dmp

Filesize
20KB

Download
memory/944-55-0x0000000001BE0000-0x0000000001C39000-memory.dmp

Filesize
356KB

Download
memory/944-56-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download