icedid | 052d37a666116008895fa77490ae8249adb74fa9fff4c1e821aaed9dd3f2acb5

Analysis

Target

NCwXdqaN.dll
Size

649KB
MD5

dfbb1127fc30a15f8769085216c85709
SHA1

a6271f1935f98209e5a6d5364f52c3eae1de00f6
SHA256

052d37a666116008895fa77490ae8249adb74fa9fff4c1e821aaed9dd3f2acb5
SHA512

9c847477be339fcec98b8e0cfc38eb8734e51516f67f791e5911c577e5e66eeac873ece047185c6ad431f01b98ba9a407e48eb428a5a9bad09ced10d679bd482

Score

10^/10

Family

icedid

Campaign

3400213397

coolnexoz.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata

Blocklisted process makes network request 13 IoCs

Processes:

rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

3820 powershell.exe
3820 powershell.exe
3820 powershell.exe
3032 rundll32.exe
3032 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3820 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3820	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 1164	3820	powershell.exe	cmd.exe
PID 3820 wrote to memory of 1164	3820	powershell.exe	cmd.exe
PID 1164 wrote to memory of 3032	1164	cmd.exe	rundll32.exe
PID 1164 wrote to memory of 3032	1164	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NCwXdqaN.dll,#1
1⤵
PID:1696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

memory/1164-169-0x0000000000000000-mapping.dmp

Download
memory/3032-172-0x0000000000000000-mapping.dmp

Download
memory/3032-173-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3820-121-0x000001522C5B0000-0x000001522C5D2000-memory.dmp

Filesize
136KB

Download
memory/3820-142-0x000001522CB60000-0x000001522CB9C000-memory.dmp

Filesize
240KB

Download
memory/3820-153-0x000001522CC20000-0x000001522CC96000-memory.dmp

Filesize
472KB

Download