Analysis

  • max time kernel
    153s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-05-2022 22:46

General

  • Target

    48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll

  • Size

    186KB

  • MD5

    70c7108b898eb8b6c058a7c8c2994f96

  • SHA1

    1ecc6f1a3f069588c2b25bf130587a0e67bf0997

  • SHA256

    48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6

  • SHA512

    a52afc3fc1bdb105ba8667bd277bb4a61f942ac9cf8fd14d128cbd971124491cac7b7066fbafac5ad7b8a090264c817842b4ff97bfadb411cf1b9ae629487ab2

Malware Config

Extracted

Family

icedid

C2

vernerfonbraun.pw

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID First Stage Loader ⋅ 2 IoCs
  • Blocklisted process makes network request ⋅ 4 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll,#1
    Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\48e69f94c801c87dc65c445d2a61398bc0708e41c78ef70a041d700f32a1dce6.dll,#1
      Blocklisted process makes network request
      PID:1980

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Discovery

            Execution

              Exfiltration

                Impact

                  Initial Access

                    Lateral Movement

                      Persistence

                        Privilege Escalation

                          Replay Monitor

                          00:00 00:00

                          Downloads

                          • memory/1980-130-0x0000000000000000-mapping.dmp
                          • memory/1980-131-0x00000000750F0000-0x00000000750F6000-memory.dmp
                          • memory/1980-132-0x00000000750F0000-0x0000000075137000-memory.dmp