icedid | 602401d67bdfeb52272b4efb68ce04ecdb64899fc80c3becca7af2be720f7b21 | Triage

Analysis

max time kernel
126s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
30-03-2022 00:19

Sharing

Report Analysis Logs

General

Target

602401d67bdfeb52272b4efb68ce04ecdb64899fc80c3becca7af2be720f7b21.dll
Size

346KB
MD5

ab202b9a0ba99317d3e694895386bfc7
SHA1

dfa69c460e20615192212cc781c6a6011190c310
SHA256

602401d67bdfeb52272b4efb68ce04ecdb64899fc80c3becca7af2be720f7b21
SHA512

863814222aea2310240a5febbcdf15f769079ab143262cfeae2b794a851df90162045bde5669747c6b3fc35330463840b2b26253bab28d59f1c4c76572a154ab

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1816-131-0x00000000753E0000-0x00000000753E6000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1660 wrote to memory of 1816	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1816	1660	regsvr32.exe	regsvr32.exe
PID 1660 wrote to memory of 1816	1660	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\602401d67bdfeb52272b4efb68ce04ecdb64899fc80c3becca7af2be720f7b21.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\602401d67bdfeb52272b4efb68ce04ecdb64899fc80c3becca7af2be720f7b21.dll
2⤵
PID:1816

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-130-0x0000000000000000-mapping.dmp

Download
memory/1816-131-0x00000000753E0000-0x00000000753E6000-memory.dmp

Filesize
24KB

Download