Behavioral Report

max time kernel153s
max time network168s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted08-05-2022 22:46

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll

Filesize

186KB

Completed

09-05-2022 00:24

Task

behavioral2

Score

10^/10

MD5

70c7108b898eb8b6c058a7c8c2994f96

SHA1

1ecc6f1a3f069588c2b25bf130587a0e67bf0997

SHA256

48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6

SHA256

a52afc3fc1bdb105ba8667bd277bb4a61f942ac9cf8fd14d128cbd971124491cac7b7066fbafac5ad7b8a090264c817842b4ff97bfadb411cf1b9ae629487ab2

icedid banker loader trojan

Extracted

Family	icedid
C2	vernerfonbraun.pw vernerfonbraun.pw

IcedID, BokBot

Description

IcedID is a banking trojan capable of stealing credentials.

Tags

trojan banker icedid

IcedID First Stage Loader

Reported IOCs

resource	yara_rule
behavioral2/memory/1980-131-0x00000000750F0000-0x00000000750F6000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1980-132-0x00000000750F0000-0x0000000075137000-memory.dmp	IcedidFirstLoader

Blocklisted process makes network request
rundll32.exe

Reported IOCs

flow pid process

53 1980 rundll32.exe
65 1980 rundll32.exe
74 1980 rundll32.exe
85 1980 rundll32.exe

flow	pid	process
53	1980	rundll32.exe
65	1980	rundll32.exe
74	1980	rundll32.exe
85	1980	rundll32.exe

Suspicious use of WriteProcessMemory

rundll32.exe

Reported IOCs

description	pid	process	target process
PID 4652 wrote to memory of 1980	4652	rundll32.exe	rundll32.exe
PID 4652 wrote to memory of 1980	4652	rundll32.exe	rundll32.exe
PID 4652 wrote to memory of 1980	4652	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll,#1

Suspicious use of WriteProcessMemory

PID:4652

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll,#1

Blocklisted process makes network request

PID:1980

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1980-130-0x0000000000000000-mapping.dmp

Download
memory/1980-131-0x00000000750F0000-0x00000000750F6000-memory.dmp

Download
memory/1980-132-0x00000000750F0000-0x0000000075137000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Title