icedid | e5451e56bbadaf208e57ce1562edfeeae1f7eae2b6fe8d0a92cf29e48cfafa7c

Analysis

Target

documents.lnk
Size

2KB
MD5

77e1106d0ee3c074c5aa94663e62ca8c
SHA1

5149a36f2934cbe44a7066e96756d4ecb7a65cbd
SHA256

4633c5e89c5c9e60c3609dfb7f5ca1f0794c2b84c3468cdc2129d942d4e09cf3
SHA512

8644ef5ca3082bf4f062e53bdba5231f5b010c90fae919bb76f16dc46dae10a76e3ef94dca6d6ae709b4aaeb39b80eedbdc41298fc8d561e0561a51cde9575e6

Score

10^/10

Family

icedid

Campaign

3652318967

yankyhoni.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1048 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1048 rundll32.exe
1048 rundll32.exe

flow	pid	process
2	1048	rundll32.exe

pid	process
1048	rundll32.exe
1048	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1412 wrote to memory of 1048	1412	cmd.exe	rundll32.exe
PID 1412 wrote to memory of 1048	1412	cmd.exe	rundll32.exe
PID 1412 wrote to memory of 1048	1412	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1412

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1048-88-0x0000000000000000-mapping.dmp

Download
memory/1048-92-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1412-54-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download