icedid | c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9 | Triage

Analysis

max time kernel
156s
max time network
181s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 22:46

Sharing

Report Analysis Logs

General

Target

c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll
Size

186KB
MD5

117704e30859c562e861b640332d7cdd
SHA1

820c3d83acd046388f8e51f55ec57259f0d1d578
SHA256

c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9
SHA512

947cc9abd677892d9494a5f6902b6c0ac7b32c8749511c57ff0d4731ecb40fbf2e89f17739b51a2006ff9bd01d5732533059bf89359107afc732e42f885c1d8a

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

vernerfonbraun.pw

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1904-56-0x0000000074F90000-0x0000000074F96000-memory.dmp	IcedidFirstLoader
behavioral1/memory/1904-57-0x0000000074F90000-0x0000000074FD7000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 16 IoCs

Processes:

rundll32.exe

flow	pid	process
3	1904	rundll32.exe
4	1904	rundll32.exe
6	1904	rundll32.exe
7	1904	rundll32.exe
10	1904	rundll32.exe
11	1904	rundll32.exe
13	1904	rundll32.exe
15	1904	rundll32.exe
17	1904	rundll32.exe
18	1904	rundll32.exe
20	1904	rundll32.exe
21	1904	rundll32.exe
23	1904	rundll32.exe
24	1904	rundll32.exe
26	1904	rundll32.exe
27	1904	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1904	1952	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll,#1
2⤵
- Blocklisted process makes network request
PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-54-0x0000000000000000-mapping.dmp

Download
memory/1904-55-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1904-56-0x0000000074F90000-0x0000000074F96000-memory.dmp

Filesize
24KB

Download
memory/1904-57-0x0000000074F90000-0x0000000074FD7000-memory.dmp

Filesize
284KB

Download