icedid | 3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109

Analysis

Target

kxFFt5.dll
Size

718KB
MD5

5a0e570b13623c79c9261a8a2cc41f04
SHA1

10f6f208907d25f5ec39060a8576ed8387d42c0e
SHA256

3dfe63d2c9a7e2f848d2f92171cc577158318b4e9cb62e74ec603be84ba13109
SHA512

bbe98f12bbcc0820b98c329df11b20ee69cf49300c31948462978b5d9b398f62374bd2075247c87c3f916ceae89ba1e7a8bd0b76b1e3747345f12f5cb25e2c70

Score

10^/10

Family

icedid

Campaign

109932505

ilekvoyn.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

regsvr32.exepowershell.exeregsvr32.exe

pid process

3040 regsvr32.exe
3040 regsvr32.exe
3184 powershell.exe
3184 powershell.exe
3184 powershell.exe
3872 regsvr32.exe
3872 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3184 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3040 regsvr32.exe
3872 regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	3184	powershell.exe

pid	process
3040	regsvr32.exe
3872	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 3184 wrote to memory of 5012	3184	powershell.exe	cmd.exe
PID 3184 wrote to memory of 5012	3184	powershell.exe	cmd.exe
PID 5012 wrote to memory of 3872	5012	cmd.exe	regsvr32.exe
PID 5012 wrote to memory of 3872	5012	cmd.exe	regsvr32.exe

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5012

memory/3040-117-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3184-128-0x00000224FB3E0000-0x00000224FB402000-memory.dmp

Filesize
136KB

Download
memory/3184-149-0x00000224FB550000-0x00000224FB58C000-memory.dmp

Filesize
240KB

Download
memory/3184-160-0x00000224FBAA0000-0x00000224FBB16000-memory.dmp

Filesize
472KB

Download
memory/3872-203-0x0000000000000000-mapping.dmp

Download
memory/5012-200-0x0000000000000000-mapping.dmp

Download