icedid | f95820ae9d959af31b3fe84a944223075f4a4bfa7b736a0b78afb5f0ad858b28

Analysis

max time kernel
142s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scandocument-ae95fa46-3120-423a-a996-4352e929a15d.lnk
Size

1KB
MD5

b5113092d6fb6c1a102c89f639dd4e5f
SHA1

8b160db8a0097aab72188556eb524310761d8e17
SHA256

1a594552a35cdf773f62f0490668aaa749e1dc8ca1daa986133328934bac78e0
SHA512

7de10ffbc42dae217705ec09eb165c2e27449795d84d9af07e17740886bdf9b86cac8656669b5012627a8aefa34d41a3ce8444ffe341c58e321751ca4b53c403

Score

10^/10

icedid 976968029 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

976968029

triskawilko.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 1380 rundll32.exe
4 1380 rundll32.exe
5 1380 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1380 rundll32.exe
1380 rundll32.exe

flow	pid	process
2	1380	rundll32.exe
4	1380	rundll32.exe
5	1380	rundll32.exe

pid	process
1380	rundll32.exe
1380	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 1192	1532	cmd.exe	cmd.exe
PID 1532 wrote to memory of 1192	1532	cmd.exe	cmd.exe
PID 1532 wrote to memory of 1192	1532	cmd.exe	cmd.exe
PID 1192 wrote to memory of 1380	1192	cmd.exe	rundll32.exe
PID 1192 wrote to memory of 1380	1192	cmd.exe	rundll32.exe
PID 1192 wrote to memory of 1380	1192	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\scandocument-ae95fa46-3120-423a-a996-4352e929a15d.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start 162d3f31-6016-4ade-a866-04f42232c604.png && start ru^n^d^l^l3^2 8db1b77a-4fcd-4078-a901-f0cf9c198c52.2Pz,PluginInit
2⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\system32\rundll32.exe
rundll32 8db1b77a-4fcd-4078-a901-f0cf9c198c52.2Pz,PluginInit
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-89-0x0000000000000000-mapping.dmp

Download
memory/1192-143-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/1380-144-0x0000000000000000-mapping.dmp

Download
memory/1380-146-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1380-152-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/1532-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download