Resubmissions

04-05-2022 07:03

220504-hvm1wadca2 10

03-05-2022 20:59

220503-zsw97sceg2 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-05-2022 07:03

General

  • Target

    f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48.dll

  • Size

    148KB

  • MD5

    bd9df65ccb0f5dda832c56979a33929f

  • SHA1

    bccdaeef6f5185f8c41f9feafc743f7a5b56ed14

  • SHA256

    f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48

  • SHA512

    ab378d7910c16899f4ede8c12555d629ce4412d68ad7f1cda6e4b88f827b9f44d2438336c3db51b7705146d5ea852961dbe488281f83e4dc0faa7e67ef3af3f1

Malware Config

Extracted

Family

icedid

Botnet

1076950734

C2

justiceminister.best

fivejudgescatholic.cyou

Attributes
  • auth_var

    3

  • url_path

    /audio/

Extracted

Family

icedid

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID Second Stage Loader 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f95a8ceb27ce17f5d159d75690fcb1628bf9528331aef2ffe3dac02712b67e48.dll,#1
      2⤵
        PID:4828

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4828-130-0x0000000000000000-mapping.dmp
    • memory/4828-131-0x0000000075430000-0x0000000075436000-memory.dmp
      Filesize

      24KB

    • memory/4828-132-0x0000000075430000-0x0000000075469000-memory.dmp
      Filesize

      228KB