Analysis

  • max time kernel
    156s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 22:46

General

  • Target

    c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll

  • Size

    186KB

  • MD5

    117704e30859c562e861b640332d7cdd

  • SHA1

    820c3d83acd046388f8e51f55ec57259f0d1d578

  • SHA256

    c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9

  • SHA512

    947cc9abd677892d9494a5f6902b6c0ac7b32c8749511c57ff0d4731ecb40fbf2e89f17739b51a2006ff9bd01d5732533059bf89359107afc732e42f885c1d8a

Malware Config

Extracted

Family

icedid

C2

vernerfonbraun.pw

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID First Stage Loader 2 IoCs
  • Blocklisted process makes network request 16 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1904-54-0x0000000000000000-mapping.dmp

  • memory/1904-55-0x0000000075401000-0x0000000075403000-memory.dmp

    Filesize

    8KB

  • memory/1904-56-0x0000000074F90000-0x0000000074F96000-memory.dmp

    Filesize

    24KB

  • memory/1904-57-0x0000000074F90000-0x0000000074FD7000-memory.dmp

    Filesize

    284KB