icedid | 37f8114f105920f74404016ca09f80ddc95d8900ba331f0e83bae419cdc6cb5f

Analysis

Target

mu7en/documents.lnk
Size

2KB
MD5

cca15291edc87392d7c8c213ea97942e
SHA1

3b72a30211f24e4b119c812c23a6651600206551
SHA256

3cca8d1b4cfe0ebcf105621700454d0285ef1b44dfed3e3abf70060bb62aa5b4
SHA512

558eb218ab50e5b1b3bbf19798e60f4a9d9f98fe86219dd130a0620674c3a86ca10e39162e068162b55f372e16e788f37c4333c46ceee8ee66088658b78090aa

Score

10^/10

Family

icedid

Campaign

3400213397

coolnexoz.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1016 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1016 rundll32.exe
1016 rundll32.exe

flow	pid	process
2	1016	rundll32.exe

pid	process
1016	rundll32.exe
1016	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 1016	1520	cmd.exe	rundll32.exe
PID 1520 wrote to memory of 1016	1520	cmd.exe	rundll32.exe
PID 1520 wrote to memory of 1016	1520	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mu7en\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1016-88-0x0000000000000000-mapping.dmp

Download
memory/1016-92-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1520-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download