icedid | 214a1fe5ec01b87f0021e673ca5b15c82eab2285b75fbbd6b3850d00168da487 | Triage

Analysis

max time kernel
4294185s
max time network
123s
platform
windows7_x64
resource
win7-20220310-en
submitted
30-03-2022 00:33

Sharing

Report Analysis Logs

General

Target

minro.exe
Size

124KB
MD5

6187867745754121e5b29c16e05e6164
SHA1

daeb28c0e2db1dd78caff0d4b9d863d1f8656e47
SHA256

617e0f57f4283ca044003326663b5614d66f97e16bccdd8bec1321fad44a7195
SHA512

88b04366e121c02bd6f74f1ff5f305a87e91eb97b00ee4dbbe84761e407e26b3af262b84f9f47fc87a7277c334106a93bd7ba75a1a40f3b82b6c0f418adb3d02

Score

10^/10

icedid 1666752692 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1666752692

C2

ritionalvalueon.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1040-54-0x0000000140000000-0x000000014000B000-memory.dmp	IcedidFirstLoader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1740 1040 WerFault.exe minro.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

minro.exe

description	pid	process	target process
PID 1040 wrote to memory of 1740	1040	minro.exe	WerFault.exe
PID 1040 wrote to memory of 1740	1040	minro.exe	WerFault.exe
PID 1040 wrote to memory of 1740	1040	minro.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\minro.exe
"C:\Users\Admin\AppData\Local\Temp\minro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1040 -s 32
2⤵
- Program crash
PID:1740

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-54-0x0000000140000000-0x000000014000B000-memory.dmp

Filesize
44KB

Download
memory/1740-55-0x0000000000000000-mapping.dmp

Download