icedid | e3d8e33c28f16e25e4f8f5b047d8bb68e10f789da382dbe5873cd55a3ed1de27 | Triage

Analysis

max time kernel
102s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
26-03-2022 09:27

Sharing

Report Analysis Logs

General

Target

e3d8e33c28f16e25e4f8f5b047d8bb68e10f789da382dbe5873cd55a3ed1de27.dll
Size

346KB
MD5

9d93c2049216ee836046cae8500bd504
SHA1

8a4125e842d831477bd4a464bb24b12c726ef612
SHA256

e3d8e33c28f16e25e4f8f5b047d8bb68e10f789da382dbe5873cd55a3ed1de27
SHA512

1bf6e442f66bb7a4e22f2d02aa81bcfce9ca31da0e3772fcdbc81100f38e69ceeca6e31a5c0635d1239f4b3845192f113ab8c41e9510f03d10a36986639d164c

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2428-135-0x0000000075210000-0x0000000075216000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 4608 wrote to memory of 2428	4608	regsvr32.exe	regsvr32.exe
PID 4608 wrote to memory of 2428	4608	regsvr32.exe	regsvr32.exe
PID 4608 wrote to memory of 2428	4608	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e3d8e33c28f16e25e4f8f5b047d8bb68e10f789da382dbe5873cd55a3ed1de27.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e3d8e33c28f16e25e4f8f5b047d8bb68e10f789da382dbe5873cd55a3ed1de27.dll
2⤵
PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-134-0x0000000000000000-mapping.dmp

Download
memory/2428-135-0x0000000075210000-0x0000000075216000-memory.dmp

Filesize
24KB

Download