icedid | ca570a986de6c604f66b9a08774e38cc17b2b97563b73d7cb0898f2cc7f98b9a | Triage

Analysis

max time kernel
4294178s
max time network
122s
platform
windows7_x64
resource
win7-20220311-en
submitted
30-03-2022 15:52

Sharing

Report Analysis Logs

General

Target

minro.exe
Size

124KB
MD5

ce1539475ce2370e67ff45868f1cb716
SHA1

e034a40c372166b03e9aa3c72cb48f078517c64c
SHA256

ca570a986de6c604f66b9a08774e38cc17b2b97563b73d7cb0898f2cc7f98b9a
SHA512

b2fc10cf7ccd7c24cfc7246ed6face81b1076d215f1464abce381d8237062961ccbf796897cd0012ca6af662f22de4220ad36183834161fe8be52aac281c5abf

Score

10^/10

icedid 1666752692 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1666752692

C2

ritionalvalueon.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1168-54-0x0000000000020000-0x000000000002B000-memory.dmp	IcedidFirstLoader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1800 1168 WerFault.exe minro.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

minro.exe

description	pid	process	target process
PID 1168 wrote to memory of 1800	1168	minro.exe	WerFault.exe
PID 1168 wrote to memory of 1800	1168	minro.exe	WerFault.exe
PID 1168 wrote to memory of 1800	1168	minro.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\minro.exe
"C:\Users\Admin\AppData\Local\Temp\minro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1168 -s 32
2⤵
- Program crash
PID:1800

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-54-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/1800-55-0x0000000000000000-mapping.dmp

Download