icedid | dc11495140fc315205e536c512bb208dc1c0db080ca163251bed2f511a8893ad

Analysis

max time kernel
91s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-07-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.lnk
Size

2KB
MD5

73a8d2488fda1347130de9f0efec4f6b
SHA1

e5bc7521dbfe149fa8f6df6a0ce5e5d99223a3d0
SHA256

2254ed69e23e3f357b4283a055d0841d77c298c30052113b8e4a841d5b5b66ab
SHA512

d2003816e2e8114e4c5f8aec410c6694d733b818d63d66b4a1d8bd78bf25eba8cb5f3f260efee8709322031475796e9ef7a835928fbdb27a9c6cb8fbe6e97130

Score

10^/10

icedid 1044021123 banker loader suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

1044021123

carismorth.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

13 4728 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4728 rundll32.exe
4728 rundll32.exe

flow	pid	process
13	4728	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4728	rundll32.exe
4728	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4164 wrote to memory of 4104	4164	cmd.exe	cmd.exe
PID 4164 wrote to memory of 4104	4164	cmd.exe	cmd.exe
PID 4104 wrote to memory of 4728	4104	cmd.exe	rundll32.exe
PID 4104 wrote to memory of 4728	4104	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start rundll32.exe hertbe.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\rundll32.exe
rundll32.exe hertbe.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4104-130-0x0000000000000000-mapping.dmp

Download
memory/4728-131-0x0000000000000000-mapping.dmp

Download
memory/4728-132-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download