icedid | 4aeff5a6879a17784d3765643eec3fc70efc6cbbeb469de29cda8f9b9d3a8138

Analysis

max time kernel
132s
max time network
137s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ET.lnk
Size

1KB
MD5

02f57b1af9c0719d29175743a380e724
SHA1

de0f7e98cb9fffd835601f32b671778fe8e6cb7b
SHA256

54ea0e71bfa44198d69f3f08e3e6a21545034922c8d42b25ac698985be076133
SHA512

4ae240b7dcf6a0263bf9b7669ff52d73d3bd03e47f93c4a44785876ba57865867eceeed8fe8fdb1427ab9c65711256b81f7f51f63ec67653fa88314c57809705

Score

10^/10

icedid 3738574432 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3738574432

aslowigza.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 584 rundll32.exe
4 584 rundll32.exe
5 584 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

584 rundll32.exe
584 rundll32.exe

flow	pid	process
2	584	rundll32.exe
4	584	rundll32.exe
5	584	rundll32.exe

pid	process
584	rundll32.exe
584	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.execmd.exe

description	pid	process	target process
PID 544 wrote to memory of 2020	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 2020	544	cmd.exe	cmd.exe
PID 544 wrote to memory of 2020	544	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1768	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1768	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1768	2020	cmd.exe	cmd.exe
PID 1768 wrote to memory of 664	1768	cmd.exe	replace.exe
PID 1768 wrote to memory of 664	1768	cmd.exe	replace.exe
PID 1768 wrote to memory of 664	1768	cmd.exe	replace.exe
PID 1768 wrote to memory of 584	1768	cmd.exe	rundll32.exe
PID 1768 wrote to memory of 584	1768	cmd.exe	rundll32.exe
PID 1768 wrote to memory of 584	1768	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ET.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c developer\becoming.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K developer\inhales.cmd system rundl
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\replace.exe
replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
4⤵
PID:664

C:\Windows\system32\rundll32.exe
rundll32 developer\\nevertheless.tmp,init
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/584-91-0x0000000000000000-mapping.dmp

Download
memory/584-92-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/664-90-0x0000000000000000-mapping.dmp

Download
memory/1768-89-0x0000000000000000-mapping.dmp

Download
memory/2020-88-0x0000000000000000-mapping.dmp

Download