icedid | 5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b

Target

document.lnk
Size

1KB
MD5

adf0907a6114c2b55349c08251efdf50
SHA1

aa25ae2f9dbe514169f4526ef4a61c1feeb1386a
SHA256

3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
SHA512

12d8f47079c712c0fd231ddb5dd7669e1345a3c1f531732b5ecb35895c98acbfb7a5fa49ca63e71084378355646baaa7bf8b3e10edaddf71d58a7ccde9c7f896

Score

10^/10

Malware Config

Family

icedid

Campaign

3529509686

oceriesfornot.top

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1000 rundll32.exe
1000 rundll32.exe

pid	process
1000	rundll32.exe
1000	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 1000	1784	cmd.exe	rundll32.exe
PID 1784 wrote to memory of 1000	1784	cmd.exe	rundll32.exe
PID 1784 wrote to memory of 1000	1784	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\document.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" dar.dll,DllRegisterServer
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1000

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1000-88-0x0000000000000000-mapping.dmp

Download
memory/1000-92-0x0000000180000000-0x000000018000B000-memory.dmp

Filesize
44KB

Download
memory/1784-54-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download