icedid | a174a9aa2b27b3b2ad8e4d493ecc785245e0bba9411c116395be62c23be3388c | Triage

Analysis

max time kernel
129s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
19-03-2022 16:17

Sharing

Report Analysis Logs

General

Target

a174a9aa2b27b3b2ad8e4d493ecc785245e0bba9411c116395be62c23be3388c.dll
Size

217KB
MD5

14ec40d516f74cf7ce9b9d3f00e316f5
SHA1

6d8408be726557bebee5e68c35288cb5ef11ada8
SHA256

a174a9aa2b27b3b2ad8e4d493ecc785245e0bba9411c116395be62c23be3388c
SHA512

bfb00c20a811584ccdc442ec5748ef076fab4fb97287d84625e089e931099e90b78116591d880f84c2d492b94410448874fa99a9308fd360b491813dd09b0962

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2528-134-0x0000000074EC0000-0x0000000074F06000-memory.dmp	IcedidFirstLoader
behavioral2/memory/2528-136-0x0000000074EC0000-0x0000000074EC9000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3776 wrote to memory of 2528	3776	regsvr32.exe	regsvr32.exe
PID 3776 wrote to memory of 2528	3776	regsvr32.exe	regsvr32.exe
PID 3776 wrote to memory of 2528	3776	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a174a9aa2b27b3b2ad8e4d493ecc785245e0bba9411c116395be62c23be3388c.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\a174a9aa2b27b3b2ad8e4d493ecc785245e0bba9411c116395be62c23be3388c.dll
  2⤵
  PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2528-135-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2528-134-0x0000000074EC0000-0x0000000074F06000-memory.dmp

Filesize
280KB

Download
memory/2528-136-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

Filesize
36KB

Download