Analysis

  • max time kernel
    164s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-05-2022 22:46

General

  • Target

    c9c2f153c10a1ea0eb914d7902b0866960f0a58459f6f7b5fb29b479a85f3890.dll

  • Size

    186KB

  • MD5

    b3a50b17c5df922ec4a1c3019c33b9c5

  • SHA1

    3b186a01d4a8ccc905f08b0672f32a705ae8d036

  • SHA256

    c9c2f153c10a1ea0eb914d7902b0866960f0a58459f6f7b5fb29b479a85f3890

  • SHA512

    26c0814015940ebc605aae2ed96d7d77d761613451ffb8c9da8cc3f12319800574136368044d1e1f8875fab12e9c62f8bb134e4db29b581763d30547890bbce1

Malware Config

Extracted

Family

icedid

C2

vernerfonbraun.pw

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID First Stage Loader 2 IoCs
  • Blocklisted process makes network request 16 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9c2f153c10a1ea0eb914d7902b0866960f0a58459f6f7b5fb29b479a85f3890.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9c2f153c10a1ea0eb914d7902b0866960f0a58459f6f7b5fb29b479a85f3890.dll,#1
      2⤵
      • Blocklisted process makes network request
      PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1984-54-0x0000000000000000-mapping.dmp

  • memory/1984-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

    Filesize

    8KB

  • memory/1984-56-0x0000000075580000-0x00000000755C7000-memory.dmp

    Filesize

    284KB

  • memory/1984-57-0x0000000075580000-0x0000000075586000-memory.dmp

    Filesize

    24KB