icedid | f5628f5e31a100bd7f64c47908035d5b9b35f7f375e2a13d25b2370b8500b9ca

Resubmissions

07-03-2022 21:46

220307-1my3aagbh2 10

28-02-2022 09:51

220228-lvldtsdhg4 10

24-02-2022 19:51

220224-yk4hwaehap 1

Analysis

max time kernel
1199s
max time network
1083s
platform
windows10_x64
resource
win10-20220223-en
submitted
28-02-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

core.bat

Score

10^/10

icedid 3560182600 banker trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3560182600

coolbearblunts.com

cooldogblunts.com

Attributes

auth_var
2
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 6 IoCs

flow	pid	Process
11	4060	rundll32.exe
13	4060	rundll32.exe
14	4060	rundll32.exe
15	4060	rundll32.exe
16	4060	rundll32.exe
17	4060	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
3292	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4060	3948	cmd.exe	43
PID 3948 wrote to memory of 4060	3948	cmd.exe	43

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4060

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\{F046E788-CEBD-C891-47E6-95AD8954F6D9}\najeiw\Liehfads.dll",DllMain --somota="license.dat"
1⤵
- Loads dropped DLL
PID:3292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3292-119-0x00000171973A0000-0x00000171973F9000-memory.dmp

Filesize
356KB

Download
memory/3292-121-0x0000017197000000-0x0000017197005000-memory.dmp

Filesize
20KB

Download
memory/4060-115-0x000001521C480000-0x000001521C4D9000-memory.dmp

Filesize
356KB

Download
memory/4060-116-0x000001521C210000-0x000001521C215000-memory.dmp

Filesize
20KB

Download