icedid | 430c736b3112dae51f0e93ac1120549a6cb453b52f6036e1d086a93afefc858b

Analysis

Target

documents.lnk
Size

1KB
MD5

fb7d17b5ec787f604a1c1a444ac13c03
SHA1

a72296fd3b7d5225a368ae3be57db9209315e1d7
SHA256

4ed0e46236e39c6efe3f1f96d6a1e3a5cc60b7bcfabe560823b141dcef4c66de
SHA512

1ffc5007e14aaacb9cafd31614a7f8fc9654f3c655cb5c167dd10c0a79e4703db902763ddaaabd8277e2c4849bbcabf30587123708e24343815874e61109ae1a

Score

10^/10

Family

icedid

Campaign

3068011852

yolneanz.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 936 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

936 rundll32.exe
936 rundll32.exe

flow	pid	process
2	936	rundll32.exe

pid	process
936	rundll32.exe
936	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 936	1172	cmd.exe	rundll32.exe
PID 1172 wrote to memory of 936	1172	cmd.exe	rundll32.exe
PID 1172 wrote to memory of 936	1172	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1172

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/936-88-0x0000000000000000-mapping.dmp

Download
memory/936-92-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1172-54-0x000007FEFBBD1000-0x000007FEFBBD3000-memory.dmp

Filesize
8KB

Download