icedid | 9806282c9cc2b05181409cd60c2e27922857916eff912f5a3424b5bec61dcc9f

Analysis

max time kernel
133s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 09:51

Target

52Ihqms5.dll
Size

452KB
MD5

468b18187b0d570102888585c18995c2
SHA1

a4ac663e32f19e69d6cf271143fb9651897c844f
SHA256

9806282c9cc2b05181409cd60c2e27922857916eff912f5a3424b5bec61dcc9f
SHA512

e3eafc3da3a6b3a17bfad6944d92cc56dd15ebd7b8b59da74380ea01878dd2d07a8318882fd9e440776857182b2f18f4de03fead6fafa2bc19fc3f8df389f768
SSDEEP

6144:McwOnhu0n/yvHtFxTv80J0TET7FWQ+ItFMu5P1rh/I9I1ezFxsbxBFtfCnYL635y:MkyfS0Gn21epxsvqYL85o3

Score

10^/10

Family

icedid

Campaign

775636601

aviadronazhed.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1752 rundll32.exe
1752 rundll32.exe

pid	process
1752	rundll32.exe
1752	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1812	AUDIODG.EXE
Token: 33	1812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1812	AUDIODG.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\52Ihqms5.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

memory/316-61-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

Filesize
8KB

Download
memory/1752-54-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1752-60-0x0000000000110000-0x0000000000116000-memory.dmp

Filesize
24KB

Download