icedid | dc11495140fc315205e536c512bb208dc1c0db080ca163251bed2f511a8893ad

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
06-07-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.lnk
Size

2KB
MD5

73a8d2488fda1347130de9f0efec4f6b
SHA1

e5bc7521dbfe149fa8f6df6a0ce5e5d99223a3d0
SHA256

2254ed69e23e3f357b4283a055d0841d77c298c30052113b8e4a841d5b5b66ab
SHA512

d2003816e2e8114e4c5f8aec410c6694d733b818d63d66b4a1d8bd78bf25eba8cb5f3f260efee8709322031475796e9ef7a835928fbdb27a9c6cb8fbe6e97130

Score

10^/10

icedid 1044021123 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

1044021123

carismorth.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1532 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1532 rundll32.exe
1532 rundll32.exe

flow	pid	process
2	1532	rundll32.exe

pid	process
1532	rundll32.exe
1532	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 1960	1424	cmd.exe	cmd.exe
PID 1424 wrote to memory of 1960	1424	cmd.exe	cmd.exe
PID 1424 wrote to memory of 1960	1424	cmd.exe	cmd.exe
PID 1960 wrote to memory of 1532	1960	cmd.exe	rundll32.exe
PID 1960 wrote to memory of 1532	1960	cmd.exe	rundll32.exe
PID 1960 wrote to memory of 1532	1960	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start rundll32.exe hertbe.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\rundll32.exe
rundll32.exe hertbe.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-54-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download
memory/1532-90-0x0000000000000000-mapping.dmp

Download
memory/1532-93-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1960-88-0x0000000000000000-mapping.dmp

Download