Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2022 18:37

General

  • Target

    swore/remounting.dll

  • Size

    100KB

  • MD5

    b235912cfba88b4729783cf45ffcdfec

  • SHA1

    96c2de06c29dbff408dd1503bbfb7339b51fd876

  • SHA256

    8abc47bd49bdccfc9db686068aec5732fc52fe7eb94907d96115867ab8b0d7a4

  • SHA512

    8a0a9b570442c7891ce86877a21615c794d83e7e79b2d0cadb158534d317d879d73b642a81608aa5f2bc96e4871c0fc6b93e6b7ee983ffb92cc5e0ce90de6c7c

  • SSDEEP

    1536:gZO05V5QA9tXrTMMv6OHKj2luFY0xS57B3l/ApekzDsw9BM8cpmSn0l7i59:mj/MM3A6XkbfcQin

Malware Config

Extracted

Family

icedid

Campaign

3822462527

C2

sciiultaelinoza.com

Signatures

  • IcedID, BokBot

    IcedID (also tracked as BokBot) is a banking trojan capable of stealing credentials. The extracted config above ties this sample to campaign 3822462527 and the C2 domain sciiultaelinoza.com.

  • Blocklisted process makes network request (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (PID 1772)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\swore\remounting.dll,#1
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
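The indicators in this report (the file hashes under General, the C2 domain and campaign id under Malware Config) and the rundll32 command line recorded under Processes can be turned into checks. The following Python is an added example, not part of the sandbox report or its tooling: it hashes a file against the report's values, parses rundll32 command lines for the DLL-loaded-from-Temp-by-ordinal pattern, and matches DNS queries against the C2 domain. The process and DNS events are constructed for illustration; the list of user-writable paths and the two-reason threshold for flagging a command line are assumptions.

```python
"""Checks built from the sandbox report's indicators.
Added example, not part of the report; the events at the bottom are constructed."""
import hashlib
import re

# Indicators copied from the report: file hashes, IcedID C2 domain, campaign id.
REPORT_IOCS = {
    "md5": "b235912cfba88b4729783cf45ffcdfec",
    "sha1": "96c2de06c29dbff408dd1503bbfb7339b51fd876",
    "sha256": "8abc47bd49bdccfc9db686068aec5732fc52fe7eb94907d96115867ab8b0d7a4",
    "c2_domains": {"sciiultaelinoza.com"},
    "campaign": "3822462527",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file's bytes, keyed like the report's General section."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report_sample(data: bytes) -> bool:
    """True only if all three hashes equal the report's values."""
    h = file_hashes(data)
    return all(h[alg] == REPORT_IOCS[alg] for alg in ("md5", "sha1", "sha256"))


# rundll32[.exe] <dll>,<export>  -- the export is a name or an ordinal (#N).
RUNDLL32_RE = re.compile(
    r'(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# Assumed list of user-writable drop locations a phished DLL typically lands in.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public|ProgramData)\\",
    re.IGNORECASE,
)


def classify_rundll32(cmdline: str):
    """None for non-rundll32 command lines; otherwise the parsed DLL/export and the
    reasons it resembles the report's loader invocation. Two reasons = suspicious
    (assumed threshold: a system DLL called by ordinal alone is routine)."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group("dll").strip(), m.group("export")
    reasons = []
    if export.startswith("#"):
        reasons.append("ordinal export")            # ,#1 as in the report
    if USER_WRITABLE_RE.search(dll):
        reasons.append("dll in user-writable path")  # ...\AppData\Local\Temp\...
    if not dll.lower().endswith(".dll"):
        reasons.append("non-.dll extension")         # renamed payload
    return {"dll": dll, "export": export, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def scan(events):
    """Run the rundll32 check and the C2-domain check over process/DNS events.
    Each event is a dict with 'pid' and either 'cmdline' or 'query'."""
    alerts = []
    for ev in events:
        if "cmdline" in ev:
            r = classify_rundll32(ev["cmdline"])
            if r and r["suspicious"]:
                alerts.append((ev["pid"], "rundll32 loader pattern: " + ", ".join(r["reasons"])))
        if "query" in ev and ev["query"].lower().rstrip(".") in REPORT_IOCS["c2_domains"]:
            alerts.append((ev["pid"], "DNS query for known IcedID C2 " + ev["query"]))
    return alerts


# Constructed events: the first two mirror the report's Processes entry (PID 1772)
# and its C2 contact; the last two are benign rundll32 uses that must not alert.
SAMPLE_EVENTS = [
    {"pid": 1772, "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\swore\remounting.dll,#1"},
    {"pid": 1772, "query": "sciiultaelinoza.com"},
    {"pid": 4120, "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 5008, "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,#61"},
]

if __name__ == "__main__":
    for pid, msg in scan(SAMPLE_EVENTS):
        print(pid, msg)
```

Hash matching identifies only this exact file; a repacked or rebuilt IcedID DLL will have different hashes, which is why the rundll32 pattern and the C2 domain are checked alongside them.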

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1772-132-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

  • memory/1772-138-0x00000294175E0000-0x00000294175E6000-memory.dmp

    Filesize

    24KB