icedid | c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9 | Triage

Analysis

max time kernel
197s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 22:46

Sharing

Report Analysis Logs

General

Target

c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll
Size

186KB
MD5

117704e30859c562e861b640332d7cdd
SHA1

820c3d83acd046388f8e51f55ec57259f0d1d578
SHA256

c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9
SHA512

947cc9abd677892d9494a5f6902b6c0ac7b32c8749511c57ff0d4731ecb40fbf2e89f17739b51a2006ff9bd01d5732533059bf89359107afc732e42f885c1d8a

Score

10^/10

icedid banker loader trojan

Malware Config

Extracted

Family

icedid

C2

vernerfonbraun.pw

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2892-131-0x0000000075850000-0x0000000075856000-memory.dmp	IcedidFirstLoader
behavioral2/memory/2892-132-0x0000000075850000-0x0000000075897000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

55 2892 rundll32.exe
69 2892 rundll32.exe
72 2892 rundll32.exe
74 2892 rundll32.exe
89 2892 rundll32.exe
91 2892 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3408 wrote to memory of 2892	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 2892	3408	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 2892	3408	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6dec41788f2e709c8908e0e934a20b5b8a6712dc742bdac4bb4131bfa6ee2f9.dll,#1
2⤵
- Blocklisted process makes network request
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2892-130-0x0000000000000000-mapping.dmp

Download
memory/2892-131-0x0000000075850000-0x0000000075856000-memory.dmp

Filesize
24KB

Download
memory/2892-132-0x0000000075850000-0x0000000075897000-memory.dmp

Filesize
284KB

Download