icedid | d1a4dc15a7396670b93d6a28ea2b3a54a8f19181aed1bbdb6ae1cbe28152c060

Analysis

max time kernel
125s
max time network
129s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-01-2023 16:47

Target

Scan_01-09.lnk
Size

2KB
MD5

c506c64591a5bad7b010c0a08bb4f25c
SHA1

f65263f53c5bab142120353ef897b31cbcf31037
SHA256

505553c68dd0be8cfcd9fac95234d904251ea470ec546d00398cf3440c7610bc
SHA512

31ef6cee2ae78ed683cdebc8fed061b43cce1103d47fb46df5f7a7894a8d57474acbf4fb54d82d8b5eb2c0a063a029b20d9e91df1ed4fd40506ee89e510f774c

Score

10^/10

Family

icedid

Campaign

3131022508

wagringamuk.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 660 rundll32.exe
4 660 rundll32.exe
5 660 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

660 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

660 rundll32.exe
660 rundll32.exe

pid	process
660	rundll32.exe

pid	process
660	rundll32.exe
660	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1076 wrote to memory of 1796	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 1796	1076	cmd.exe	cmd.exe
PID 1076 wrote to memory of 1796	1076	cmd.exe	cmd.exe
PID 1796 wrote to memory of 268	1796	cmd.exe	xcopy.exe
PID 1796 wrote to memory of 268	1796	cmd.exe	xcopy.exe
PID 1796 wrote to memory of 268	1796	cmd.exe	xcopy.exe
PID 1796 wrote to memory of 660	1796	cmd.exe	rundll32.exe
PID 1796 wrote to memory of 660	1796	cmd.exe	rundll32.exe
PID 1796 wrote to memory of 660	1796	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_01-09.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copillwonv\hipsexfryd.cmd A B C D E F G H I J K L M N O P N R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\xcopy.exe
    xcopy /s /i /e /h copillwonv\strapping.dat C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:268
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Users\Admin\AppData\Local\Temp\strapping.dat,init
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:660

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\strapping.dat

Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
\Users\Admin\AppData\Local\Temp\strapping.dat

Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
memory/268-92-0x0000000000000000-mapping.dmp

Download
memory/660-93-0x0000000000000000-mapping.dmp

Download
memory/660-96-0x0000000001AC0000-0x0000000001AC9000-memory.dmp

Filesize
36KB

Download
memory/1076-54-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1796-88-0x0000000000000000-mapping.dmp

Download