icedid | e4e4e02e3e2dec5358eab422c2bad873d816569f03df68f8372e3d25a2f05a22 | Triage

Analysis

max time kernel
4294179s
max time network
130s
platform
windows7_x64
resource
win7-20220310-en
submitted
31-03-2022 11:56

Sharing

Report Analysis Logs

General

Target

minro.exe
Size

124KB
MD5

46de3a8f04fcbed38a7d73bfc50f240a
SHA1

24dff443e7051c0c15d79ca4d47c82dc38d20ad5
SHA256

e4e4e02e3e2dec5358eab422c2bad873d816569f03df68f8372e3d25a2f05a22
SHA512

7c65bd8afd6aa3c1f9619b67c655897858d0988558faa13e7c21f6f0140bf075ab86b720196abdcfd39db328eb332d407fc3418b0c8a9dbdddf37ac1f81e3b22

Score

10^/10

icedid 1666752692 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1666752692

C2

ritionalvalueon.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/784-54-0x0000000140000000-0x000000014000B000-memory.dmp	IcedidFirstLoader

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

948 784 WerFault.exe minro.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

minro.exe

description	pid	process	target process
PID 784 wrote to memory of 948	784	minro.exe	WerFault.exe
PID 784 wrote to memory of 948	784	minro.exe	WerFault.exe
PID 784 wrote to memory of 948	784	minro.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\minro.exe
"C:\Users\Admin\AppData\Local\Temp\minro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 784 -s 32
2⤵
- Program crash
PID:948

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000140000000-0x000000014000B000-memory.dmp

Filesize
44KB

Download
memory/948-55-0x0000000000000000-mapping.dmp

Download