icedid | 738cc370a87bc239568ff5f047abea91bdef59d20df8f518dba7fe4e845cd3f5

Analysis

max time kernel
140s
max time network
180s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IRS_Form_12-01-9/Scan.lnk
Size

2KB
MD5

cd9141a0adf67b09758fea89e78ccac1
SHA1

86c34a4fb3f6e045ef5744cd1093d2de0e9ca04f
SHA256

1398d020e2dd025cc4821ea4432ae219fa556d1cb597287c3c85bc74802f3b61
SHA512

f0a5066410ef1d5dd256df8449f11a99d6d0823278da53e8add2c6a2b4d9e5f6e6509335117b13d06c31fef4c8f56681c328c616accd5e8386829ecc73f9bcdd

Score

10^/10

icedid 2271535685 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

2271535685

babysoftletirs.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

3 1116 rundll32.exe
4 1116 rundll32.exe
5 1116 rundll32.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1116 rundll32.exe
1116 rundll32.exe
1116 rundll32.exe
1116 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1116 rundll32.exe
1116 rundll32.exe

flow	pid	process
3	1116	rundll32.exe
4	1116	rundll32.exe
5	1116	rundll32.exe

pid	process
1116	rundll32.exe
1116	rundll32.exe
1116	rundll32.exe
1116	rundll32.exe

pid	process
1116	rundll32.exe
1116	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 1848	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 1848	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 1848	1276	cmd.exe	cmd.exe
PID 1848 wrote to memory of 920	1848	cmd.exe	xcopy.exe
PID 1848 wrote to memory of 920	1848	cmd.exe	xcopy.exe
PID 1848 wrote to memory of 920	1848	cmd.exe	xcopy.exe
PID 1848 wrote to memory of 1116	1848	cmd.exe	rundll32.exe
PID 1848 wrote to memory of 1116	1848	cmd.exe	rundll32.exe
PID 1848 wrote to memory of 1116	1848	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IRS_Form_12-01-9\Scan.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wiglid\foeZv.cmd RQRU
2⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h wiglid\laborsaving.dll C:\Users\Admin\AppData\Local\Temp\*
3⤵
PID:920

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\laborsaving.dll,#1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\laborsaving.dll
Filesize
161KB

MD5
13dc944a91cffd0385e29ea899a43af2

SHA1
793cfb6887fd324583ab1df77ff5e96391a3887b

SHA256
af5f6f066ffc8c375d6e4d1138d63da32014d7ea21b8b7582da0cd8b97794cbe

SHA512
258c0c920f0e76f2b883f967cf73114890f61abbee0824d9b2e913623feaeb53c2b1179bc34df49627fe39459e1d9b20986186015fa0168c7b452eeba7449c39

Download Submit
\Users\Admin\AppData\Local\Temp\laborsaving.dll
Filesize
161KB

MD5
13dc944a91cffd0385e29ea899a43af2

SHA1
793cfb6887fd324583ab1df77ff5e96391a3887b

SHA256
af5f6f066ffc8c375d6e4d1138d63da32014d7ea21b8b7582da0cd8b97794cbe

SHA512
258c0c920f0e76f2b883f967cf73114890f61abbee0824d9b2e913623feaeb53c2b1179bc34df49627fe39459e1d9b20986186015fa0168c7b452eeba7449c39

Download Submit
\Users\Admin\AppData\Local\Temp\laborsaving.dll
Filesize
161KB

MD5
13dc944a91cffd0385e29ea899a43af2

SHA1
793cfb6887fd324583ab1df77ff5e96391a3887b

SHA256
af5f6f066ffc8c375d6e4d1138d63da32014d7ea21b8b7582da0cd8b97794cbe

SHA512
258c0c920f0e76f2b883f967cf73114890f61abbee0824d9b2e913623feaeb53c2b1179bc34df49627fe39459e1d9b20986186015fa0168c7b452eeba7449c39

Download Submit
\Users\Admin\AppData\Local\Temp\laborsaving.dll
Filesize
161KB

MD5
13dc944a91cffd0385e29ea899a43af2

SHA1
793cfb6887fd324583ab1df77ff5e96391a3887b

SHA256
af5f6f066ffc8c375d6e4d1138d63da32014d7ea21b8b7582da0cd8b97794cbe

SHA512
258c0c920f0e76f2b883f967cf73114890f61abbee0824d9b2e913623feaeb53c2b1179bc34df49627fe39459e1d9b20986186015fa0168c7b452eeba7449c39

Download Submit
\Users\Admin\AppData\Local\Temp\laborsaving.dll
Filesize
161KB

MD5
13dc944a91cffd0385e29ea899a43af2

SHA1
793cfb6887fd324583ab1df77ff5e96391a3887b

SHA256
af5f6f066ffc8c375d6e4d1138d63da32014d7ea21b8b7582da0cd8b97794cbe

SHA512
258c0c920f0e76f2b883f967cf73114890f61abbee0824d9b2e913623feaeb53c2b1179bc34df49627fe39459e1d9b20986186015fa0168c7b452eeba7449c39

Download Submit
memory/920-89-0x0000000000000000-mapping.dmp

Download
memory/1116-93-0x0000000000000000-mapping.dmp

Download
memory/1116-99-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/1116-105-0x0000000000290000-0x00000000002A9000-memory.dmp

Filesize
100KB

Download
memory/1276-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1848-88-0x0000000000000000-mapping.dmp

Download