icedid | 17aeebe6c1098a312074b0fdeae6f97339f2d64d66a2b07496bfc1373694a4e3 | Triage

Analysis

max time kernel
4294179s
max time network
121s
platform
windows7_x64
resource
win7-20220311-en
submitted
23-03-2022 18:23

Sharing

Report Analysis Logs

General

Target

dar.dll
Size

142KB
MD5

1469ce7ec910ec525d86acbc5cee9858
SHA1

5339edc96e8071258c0615b2de09df40ac79a8dc
SHA256

17aeebe6c1098a312074b0fdeae6f97339f2d64d66a2b07496bfc1373694a4e3
SHA512

6785695744c06594e6651a601710a48e54a744333bd3d1e39f3bed1408d8d0a8e91229fc79ee453fc7feed1bfe8e01a4aef91237e742b98b416c39e1788d144a

Score

10^/10

icedid 429479428 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

429479428

C2

arelyevennot.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

468 1888 WerFault.exe regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

1888 regsvr32.exe
1888 regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1888 wrote to memory of 468	1888	regsvr32.exe	WerFault.exe
PID 1888 wrote to memory of 468	1888	regsvr32.exe	WerFault.exe
PID 1888 wrote to memory of 468	1888	regsvr32.exe	WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dar.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1888 -s 244
2⤵
- Program crash
PID:468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-61-0x0000000000000000-mapping.dmp

Download
memory/1888-54-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1888-55-0x0000000180000000-0x000000018000B000-memory.dmp

Filesize
44KB

Download