icedid | ef20adb4d51e9ed26be444d668e624f63581c6ef8ba773a6afddc6cd333a372b | Triage

Analysis

max time kernel
68s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
30-03-2022 00:17

Sharing

Report Analysis Logs

General

Target

ef20adb4d51e9ed26be444d668e624f63581c6ef8ba773a6afddc6cd333a372b.dll
Size

346KB
MD5

19c66119587eab8e996f06a528e5445c
SHA1

606da251f6a352df68c9848461c8c2152b5a878e
SHA256

ef20adb4d51e9ed26be444d668e624f63581c6ef8ba773a6afddc6cd333a372b
SHA512

22ccf8daf5e6df71db941a4b3faf699fabf21a7c595bad9f5f25d14eed6e4c3fe60fdd38439d3ba7dd59e7c2b5727d38440c0b7e45f2fdf167e3e6f684ac5672

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1372-125-0x0000000075680000-0x0000000075686000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1580 wrote to memory of 1372	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1372	1580	regsvr32.exe	regsvr32.exe
PID 1580 wrote to memory of 1372	1580	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef20adb4d51e9ed26be444d668e624f63581c6ef8ba773a6afddc6cd333a372b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ef20adb4d51e9ed26be444d668e624f63581c6ef8ba773a6afddc6cd333a372b.dll
2⤵
PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-124-0x0000000000000000-mapping.dmp

Download
memory/1372-125-0x0000000075680000-0x0000000075686000-memory.dmp

Filesize
24KB

Download