icedid | 0909d5e055739b2feaa6c237a10b9a40fd5c2ecd05fd2b1222db946a7292df98 | Triage

Analysis

max time kernel
122s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
19-03-2022 11:30

Sharing

Report Analysis Logs

General

Target

0909d5e055739b2feaa6c237a10b9a40fd5c2ecd05fd2b1222db946a7292df98.dll
Size

191KB
MD5

c9c35017f940f148e5b7785badb4b9b7
SHA1

9c26f0a516a113679ec07539f4090b5cb76b308a
SHA256

0909d5e055739b2feaa6c237a10b9a40fd5c2ecd05fd2b1222db946a7292df98
SHA512

2498cdea19468466a03ea46708d07309b646be89b34070c674e3a332425677e2ee0217be47dbc02d5c1519e6e7e3dcae18c16f84c2cd5c203b994a922c8cfaa4

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4860-134-0x0000000074940000-0x0000000074983000-memory.dmp	IcedidFirstLoader
behavioral2/memory/4860-136-0x0000000074940000-0x0000000074949000-memory.dmp	IcedidFirstLoader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3900 4860 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3396 wrote to memory of 4860	3396	rundll32.exe	rundll32.exe
PID 3396 wrote to memory of 4860	3396	rundll32.exe	rundll32.exe
PID 3396 wrote to memory of 4860	3396	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0909d5e055739b2feaa6c237a10b9a40fd5c2ecd05fd2b1222db946a7292df98.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0909d5e055739b2feaa6c237a10b9a40fd5c2ecd05fd2b1222db946a7292df98.dll,#1
2⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 676
3⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
1⤵
PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4860-134-0x0000000074940000-0x0000000074983000-memory.dmp

Filesize
268KB

Download
memory/4860-135-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4860-136-0x0000000074940000-0x0000000074949000-memory.dmp

Filesize
36KB

Download