icedid | eabb48d4dec84f7d9388a92a36af6b5bba304e923de9a7e6fe75647dabefaeb0 | Triage

Analysis

max time kernel
110s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
24-03-2022 19:21

Sharing

Report Analysis Logs

General

Target

eabb48d4dec84f7d9388a92a36af6b5bba304e923de9a7e6fe75647dabefaeb0.dll
Size

294KB
MD5

3a8ed5a39a654878a09fc589acc7576d
SHA1

6acec0cf2e53d5236c4b5a8841a24e497e0920e7
SHA256

eabb48d4dec84f7d9388a92a36af6b5bba304e923de9a7e6fe75647dabefaeb0
SHA512

b71c447c43ee7813984f6c0ec49ced2065346797d84ae998d391b704488ffb62da8a4bf8471c3558710d4dfcd8413c0545a826eae5b9bab05452d9ac81893708

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/632-135-0x0000000074EC0000-0x0000000074EC9000-memory.dmp	IcedidFirstLoader
behavioral2/memory/632-136-0x0000000074EC0000-0x0000000074F1F000-memory.dmp	IcedidFirstLoader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3880 632 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3112 wrote to memory of 632	3112	rundll32.exe	rundll32.exe
PID 3112 wrote to memory of 632	3112	rundll32.exe	rundll32.exe
PID 3112 wrote to memory of 632	3112	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eabb48d4dec84f7d9388a92a36af6b5bba304e923de9a7e6fe75647dabefaeb0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eabb48d4dec84f7d9388a92a36af6b5bba304e923de9a7e6fe75647dabefaeb0.dll,#1
2⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 620
3⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 632 -ip 632
1⤵
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-134-0x0000000000000000-mapping.dmp

Download
memory/632-135-0x0000000074EC0000-0x0000000074EC9000-memory.dmp

Filesize
36KB

Download
memory/632-136-0x0000000074EC0000-0x0000000074F1F000-memory.dmp

Filesize
380KB

Download