General
Target

48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll

Filesize

186KB

Completed

09-05-2022 00:25

Task

behavioral1

Score
10/10
MD5

70c7108b898eb8b6c058a7c8c2994f96

SHA1

1ecc6f1a3f069588c2b25bf130587a0e67bf0997

SHA256

48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6

SHA512

a52afc3fc1bdb105ba8667bd277bb4a61f942ac9cf8fd14d128cbd971124491cac7b7066fbafac5ad7b8a090264c817842b4ff97bfadb411cf1b9ae629487ab2

Malware Config

Extracted

Family

icedid

C2

vernerfonbraun.pw

Signatures 4

  • IcedID, BokBot

    Description

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID First Stage Loader

    Reported IOCs

    resource                                                                       yara_rule
    behavioral1/memory/1652-56-0x0000000074680000-0x0000000074686000-memory.dmp    IcedidFirstLoader
    behavioral1/memory/1652-57-0x0000000074680000-0x00000000746C7000-memory.dmp    IcedidFirstLoader
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow   pid    process
    3      1652   rundll32.exe
    4      1652   rundll32.exe
    6      1652   rundll32.exe
    7      1652   rundll32.exe
    10     1652   rundll32.exe
    11     1652   rundll32.exe
    13     1652   rundll32.exe
    15     1652   rundll32.exe
    17     1652   rundll32.exe
    18     1652   rundll32.exe
    19     1652   rundll32.exe
    20     1652   rundll32.exe
    22     1652   rundll32.exe
    23     1652   rundll32.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exe

    Reported IOCs

    description                         pid    process        target process
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
    PID 1644 wrote to memory of 1652    1644   rundll32.exe   rundll32.exe
Processes 2
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll,#1
      Blocklisted process makes network request
      PID:1652
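The process tree above is the behaviour a detection should key on: a 64-bit rundll32.exe loads a DLL from the user's Temp directory by ordinal export (`,#1`), re-launches the SysWOW64 copy of rundll32.exe with the same command line (what the 64-bit host does when handed a 32-bit DLL), and that child is the one making the network requests. The Python below is an added example, not part of the sandbox report, that runs exactly that logic over constructed Sysmon-style events. The pids 1644 and 1652, the DLL path and the C2 host are taken from the report; the parent pid 1536, the destination port 443, the two benign control events and the scoring thresholds are assumptions.

```python
import re

# Constructed events modelled on the report's process tree (not real telemetry).
# pids 1644/1652, the DLL path and the C2 host come from the report; ppid 1536,
# port 443 and the benign control events (pids 2000, 2100) are assumptions.
DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll")
SAMPLE_CMDLINE = f"rundll32.exe {DLL_PATH},#1"

EVENTS = [
    {"event": "process_create", "pid": 1644, "ppid": 1536,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": SAMPLE_CMDLINE},
    # 64-bit rundll32 re-launches the SysWOW64 copy for a 32-bit DLL, same command line
    {"event": "process_create", "pid": 1652, "ppid": 1644,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": SAMPLE_CMDLINE},
    {"event": "network_connect", "pid": 1652, "dest_host": "vernerfonbraun.pw", "dest_port": 443},
    # benign control-panel invocation: must not fire, even though it talks to the network
    {"event": "process_create", "pid": 2000, "ppid": 1536,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"event": "network_connect", "pid": 2000, "dest_host": "example.com", "dest_port": 443},
    # ordinal export from a system directory (constructed DLL name): below threshold alone
    {"event": "process_create", "pid": 2100, "ppid": 1536,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\example.dll,#2"},
]

RUNDLL_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$',
                       re.IGNORECASE)
ORDINAL_RE = re.compile(r"#\d+")
# Locations an unprivileged user can write to; a DLL here is not an OS component.
USER_WRITABLE_RE = re.compile(
    r"^(?:[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
    r"|[A-Za-z]:\\Users\\Public\\|[A-Za-z]:\\ProgramData\\|[A-Za-z]:\\Windows\\Temp\\)",
    re.IGNORECASE)


def parse_rundll32_cmdline(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, else None.

    rundll32 splits the DLL from the entry point at the first comma and the
    entry point from its arguments at the first space; a quoted DLL path may
    itself contain spaces.
    """
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll, tail = rest[1:close], rest[close + 1:]
    else:
        cut = re.search(r"[,\s]", rest)
        dll = rest if cut is None else rest[:cut.start()]
        tail = "" if cut is None else rest[cut.start():]
    tail = tail.lstrip()
    entry = None
    if tail.startswith(",") and tail[1:].strip():
        entry = tail[1:].split(None, 1)[0]
    return dll, entry


def score_process(ev, procs, flagged):
    """Score one process-create event; returns (score, reasons)."""
    parsed = parse_rundll32_cmdline(ev["cmdline"])
    if parsed is None:
        return 0, []
    dll, entry = parsed
    score, reasons = 0, []
    if USER_WRITABLE_RE.match(dll):
        score += 2
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if entry and ORDINAL_RE.fullmatch(entry):
        score += 1
        reasons.append(f"export invoked by ordinal: {entry}")
    parent = procs.get(ev["ppid"])
    if parent and parent["pid"] in flagged \
            and parent["cmdline"].lower() == ev["cmdline"].lower():
        score += 2
        reasons.append("re-launched by a flagged rundll32 with an identical command line "
                       "(64-bit host handing a 32-bit DLL to the SysWOW64 copy)")
    return score, reasons


def detect(events, threshold=2):
    """Single pass over time-ordered events; returns findings in arrival order."""
    procs, flagged, findings = {}, {}, []
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
            score, reasons = score_process(ev, procs, flagged)
            if score >= threshold:
                flagged[ev["pid"]] = reasons
                findings.append({"pid": ev["pid"], "severity": "medium",
                                 "score": score, "reasons": reasons})
        elif ev["event"] == "network_connect" and ev["pid"] in flagged:
            # A flagged loader reaching out is the C2 check-in: escalate.
            findings.append({"pid": ev["pid"], "severity": "high", "score": None,
                             "reasons": flagged[ev["pid"]] +
                             [f"outbound connection to {ev['dest_host']}:{ev['dest_port']}"]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["severity"], "; ".join(f["reasons"]))
```

The scoring is deliberately additive: a DLL under a user-writable path is enough on its own, an ordinal entry point is only a weak signal (system DLLs are invoked by ordinal legitimately), and the WoW64 re-launch inherits suspicion from its parent rather than being judged in isolation. Network egress only escalates processes that were already flagged, which is what keeps the shell32.dll control-panel case quiet.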
Network
MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

  • memory/1652-54-0x0000000000000000-mapping.dmp
  • memory/1652-55-0x0000000075871000-0x0000000075873000-memory.dmp
  • memory/1652-56-0x0000000074680000-0x0000000074686000-memory.dmp
  • memory/1652-57-0x0000000074680000-0x00000000746C7000-memory.dmp