icedid | 939f3a7451c792fd30d4940bb4e44f78c3ce42522c0f4391efd2ec868bfea871 | Triage

Analysis

max time kernel
129s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-03-2022 11:29

Sharing

Report Analysis Logs

General

Target

939f3a7451c792fd30d4940bb4e44f78c3ce42522c0f4391efd2ec868bfea871.dll
Size

326KB
MD5

25da777ea2fa0c4c4b8c63a56cb01260
SHA1

4825ecd5a271db4bb96be50a4a91ae57896b974e
SHA256

939f3a7451c792fd30d4940bb4e44f78c3ce42522c0f4391efd2ec868bfea871
SHA512

50eef55b472325345d9565b47941aa1879e43408352f6cd3c419e8f587f319cce8a54a155f133101f07a1236dc127e01f7409ac52d04b746721e8cd883b28b31

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2452-130-0x0000000075760000-0x0000000075769000-memory.dmp	IcedidFirstLoader
behavioral2/memory/2452-131-0x0000000075760000-0x00000000757C7000-memory.dmp	IcedidFirstLoader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4500 2452 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2184 wrote to memory of 2452	2184	rundll32.exe	rundll32.exe
PID 2184 wrote to memory of 2452	2184	rundll32.exe	rundll32.exe
PID 2184 wrote to memory of 2452	2184	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\939f3a7451c792fd30d4940bb4e44f78c3ce42522c0f4391efd2ec868bfea871.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\939f3a7451c792fd30d4940bb4e44f78c3ce42522c0f4391efd2ec868bfea871.dll,#1
2⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 632
3⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2452 -ip 2452
1⤵
PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2452-130-0x0000000075760000-0x0000000075769000-memory.dmp

Filesize
36KB

Download
memory/2452-131-0x0000000075760000-0x00000000757C7000-memory.dmp

Filesize
412KB

Download
memory/2452-132-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download