icedid | 1542e7df7968ed3e602bdbef9c8c346d00a5ca73d5864f4849e4c5b0bb7ce42c | Triage

Analysis

max time kernel
118s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
09-03-2022 15:43

Sharing

Report Analysis Logs

General

Target

1542e7df7968ed3e602bdbef9c8c346d00a5ca73d5864f4849e4c5b0bb7ce42c.dll
Size

110KB
MD5

7cdc67b5ff9d28a1a0e981f0dd1dc32c
SHA1

2cda802607af39665320af1924f6952a92c2ab10
SHA256

1542e7df7968ed3e602bdbef9c8c346d00a5ca73d5864f4849e4c5b0bb7ce42c
SHA512

7aba904b5f6d81940f9f20386bd6a26c871f6ef5ef69c22cbb165abec4415b698d6b159c2c12080223460147c423034115b73b67c0e26a70986b90b96709d52f

Score

10^/10

icedid banker loader trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2904-130-0x0000000074F00000-0x0000000074F06000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4020 wrote to memory of 2904	4020	regsvr32.exe	regsvr32.exe
PID 4020 wrote to memory of 2904	4020	regsvr32.exe	regsvr32.exe
PID 4020 wrote to memory of 2904	4020	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1542e7df7968ed3e602bdbef9c8c346d00a5ca73d5864f4849e4c5b0bb7ce42c.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1542e7df7968ed3e602bdbef9c8c346d00a5ca73d5864f4849e4c5b0bb7ce42c.dll
2⤵
PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2904-130-0x0000000074F00000-0x0000000074F06000-memory.dmp

Filesize
24KB

Download