icedid | ce28d57c54d4b5965106d956d3d3c0211c1dd591c881f34f3582775b07dce387

Analysis

Target

documents.lnk
Size

2KB
MD5

248322abe291aa979c34ee5f9bd76e70
SHA1

fdfa1670324e951e44736b75b4c12d7aac1a4338
SHA256

518a3f0b6e5709fcf44b04208167a51f77e4c82283f71b800a6faf297431f36c
SHA512

a37819e37d2b93c2043c21339a81ddd7dcc43f933cad369313efe45fee9e51f51e30556455d1e720071f60596d298c594b789e4a1b4fdc104cc903df2c684805

Score

10^/10

Family

icedid

Campaign

1328647508

didojanza.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 812 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

812 rundll32.exe
812 rundll32.exe

flow	pid	process
2	812	rundll32.exe

pid	process
812	rundll32.exe
812	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 812	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 812	1260	cmd.exe	rundll32.exe
PID 1260 wrote to memory of 812	1260	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/812-88-0x0000000000000000-mapping.dmp

Download
memory/812-92-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1260-54-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download