icedid | b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a | Triage

Analysis

max time kernel
4294182s
max time network
123s
platform
windows7_x64
resource
win7-20220310-en
submitted
22-03-2022 12:13

Sharing

Report Analysis Logs

General

Target

180000000.dll
Size

18KB
MD5

760e3d49601e0246a5f9913b3a89e04c
SHA1

4c70356161f7c316012a306289a051bc8f2e7a92
SHA256

b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a
SHA512

6c58454ae37b37ac5528dee361163bb3c5ab1015fe9666c8e81a2731c4a032747bb690bb777d2d2551b4cc023cbc33cf649e3795d5f485afef993abf4e87bdee

Score

10^/10

icedid 3546287305 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

3546287305

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1152 304 WerFault.exe regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

304 regsvr32.exe
304 regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 304 wrote to memory of 1152	304	regsvr32.exe	WerFault.exe
PID 304 wrote to memory of 1152	304	regsvr32.exe	WerFault.exe
PID 304 wrote to memory of 1152	304	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\180000000.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 304 -s 244
2⤵
- Program crash
PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-54-0x000007FEFC1E1000-0x000007FEFC1E3000-memory.dmp

Filesize
8KB

Download