Analysis

  • max time kernel
    126s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2022 07:00

General

  • Target

    indecisions.db.dll

  • Size

    476KB

  • MD5

    481ad12b470dbbf517cd7c0d57853e25

  • SHA1

    724b2ad2e315d0bc0ce77f7127d77e91a22c3460

  • SHA256

    55405ffd41378e8f9cadac13bb5eac0128c332dd8993d3b8e83e1a1f412cb7fb

  • SHA512

    ec243a2fd0a1a44e7701f14a7023a7ecb575e7847614b26895cb72ad6369b93911965bdc85cffe56b2717e1353d078388fce2935cee613706adf3ad8197cdc32

  • SSDEEP

    6144:ehowRmpalgwWrQk2wT7Byq1i6qZksSiOmvQeQEe9O:emwUpalgwbtq7sq1i6qqsSIjeA

Malware Config

Extracted

Family

icedid

Campaign

3228182693

C2

tezycronam.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request ⋅ 3 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\indecisions.db.dll,#1
    Blocklisted process makes network request
    Suspicious behavior: EnumeratesProcesses
    PID:864

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation


Downloads

  • memory/864-54-0x0000000180000000-0x0000000180009000-memory.dmp
  • memory/864-60-0x0000000000290000-0x0000000000296000-memory.dmp