icedid | 31dde4fbe6f38f5bb725258a88d6d043db03517be3538b66eb94ad87c108345e | Triage

Analysis

max time kernel
4294180s
max time network
122s
platform
windows7_x64
resource
win7-20220310-en
submitted
21-03-2022 19:25

Sharing

Report Analysis Logs

General

Target

dart.dll
Size

148KB
MD5

b20d49ba5d4c4a6e089b895de8949279
SHA1

8f23d9a24ba792706ca19d633f6a925e311670d6
SHA256

db5cabe22595607a408fa30bdf288c0992bff836d2e62f6de98d8757f9805e9b
SHA512

7c45c6565e9e55e9473c707c2001459140016d4133cba5df5083961d6b93d3756ee4a239be5d4c25aa22351f713fb3b564397994d7124a624358f2fbe7e4a540

Score

10^/10

icedid 3546287305 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3546287305

C2

oceriesfornot.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

240 1752 WerFault.exe regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1752 regsvr32.exe
1752 regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1752 wrote to memory of 240	1752	regsvr32.exe	WerFault.exe
PID 1752 wrote to memory of 240	1752	regsvr32.exe	WerFault.exe
PID 1752 wrote to memory of 240	1752	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dart.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1752 -s 256
2⤵
- Program crash
PID:240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1752-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1752-55-0x0000000180000000-0x000000018000B000-memory.dmp

Filesize
44KB

Download