icedid | a42d72de0a6f75d35da5424bbaf5ccf1ccc3990793e48f599af41110e5545e0f | Triage

Analysis

max time kernel
148s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
19-03-2022 19:39

Sharing

Report Analysis Logs

General

Target

a42d72de0a6f75d35da5424bbaf5ccf1ccc3990793e48f599af41110e5545e0f.dll
Size

148KB
MD5

b1139c748cf0c458f33ada857fd3ab10
SHA1

1a860f7f6309e7c6b43a88650795096f92200bc6
SHA256

a42d72de0a6f75d35da5424bbaf5ccf1ccc3990793e48f599af41110e5545e0f
SHA512

0ebac8904ebb56a91a3c9e7e7b9e00efc79604b90b83f9072dd0c874fe67c7258441ba23fcba27e703034e2c02a69787a15fa1405b191f5248b2e327096061c4

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

zoperawekil8.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2624-134-0x0000000074C00000-0x0000000074C3F000-memory.dmp	IcedidFirstLoader
behavioral2/memory/2624-136-0x0000000074C00000-0x0000000074C06000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

62 2624 rundll32.exe
76 2624 rundll32.exe
77 2624 rundll32.exe
79 2624 rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2856 2624 WerFault.exe rundll32.exe
1652 2624 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2424 wrote to memory of 2624	2424	rundll32.exe	rundll32.exe
PID 2424 wrote to memory of 2624	2424	rundll32.exe	rundll32.exe
PID 2424 wrote to memory of 2624	2424	rundll32.exe	rundll32.exe
PID 2624 wrote to memory of 2856	2624	rundll32.exe	WerFault.exe
PID 2624 wrote to memory of 2856	2624	rundll32.exe	WerFault.exe
PID 2624 wrote to memory of 2856	2624	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a42d72de0a6f75d35da5424bbaf5ccf1ccc3990793e48f599af41110e5545e0f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a42d72de0a6f75d35da5424bbaf5ccf1ccc3990793e48f599af41110e5545e0f.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 744
3⤵
- Program crash
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 744
3⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2624 -ip 2624
1⤵
PID:3880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2624-135-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2624-134-0x0000000074C00000-0x0000000074C3F000-memory.dmp

Filesize
252KB

Download
memory/2624-136-0x0000000074C00000-0x0000000074C06000-memory.dmp

Filesize
24KB

Download