icedid | 0107f3408025d36643aace44f1133ab57dfdc9b5c34587c8807ed89455fb127c | Triage

Analysis

max time kernel
4294203s
max time network
151s
platform
windows7_x64
resource
win7-20220310-en
submitted
14-04-2022 12:59

Sharing

Report Analysis Logs

General

Target

0107f3408025d36643aace44f1133ab57dfdc9b5c34587c8807ed89455fb127c.dll
Size

208KB
MD5

e0228d9c1c1f2fff98b7227ca59df4ba
SHA1

583c0f058ac3a0abb3ad012d1abb6e7365758dc7
SHA256

0107f3408025d36643aace44f1133ab57dfdc9b5c34587c8807ed89455fb127c
SHA512

decf7025a958d291b3b39638285dfe3e4cd358edf6554979afd920c03246683b99a8c7c125aa1c67105d4b3b29cd58ebfc4bd1b287f2d7d254fb710e08da2a41

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

ldrvals.casa

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/952-58-0x0000000010000000-0x000000001010E000-memory.dmp	IcedidFirstLoader
behavioral1/memory/952-57-0x0000000010000000-0x0000000010006000-memory.dmp	IcedidFirstLoader

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe
PID 1800 wrote to memory of 952	1800	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0107f3408025d36643aace44f1133ab57dfdc9b5c34587c8807ed89455fb127c.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0107f3408025d36643aace44f1133ab57dfdc9b5c34587c8807ed89455fb127c.dll
2⤵
PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-55-0x0000000000000000-mapping.dmp

Download
memory/952-56-0x00000000766A1000-0x00000000766A3000-memory.dmp

Filesize
8KB

Download
memory/952-58-0x0000000010000000-0x000000001010E000-memory.dmp

Filesize
1.1MB

Download
memory/952-57-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1800-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download