icedid | acd9fa27b779469770a4c53602c8bbd33607e1624bf6b5dfd605e2211aa9bae4

Analysis

max time kernel
247s
max time network
250s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-01-2023 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan_01-09.lnk
Size

1KB
MD5

fc799beeda4a8430292247375bdf4b59
SHA1

3f1a817f3bd5a344fc3aae111f09349756f00d40
SHA256

a482fc4719106e36bca78b610acde1136bce64120fe1a5a843d65aa82aaa190e
SHA512

b1d1286cce4499e2c849ddfa6c6e8cfd08ec8cfe7d6d9fb1c11319623a3866f767c8d08d767f2594fb991592b66528c797a3b49bbb45add44284c7b296de7467

Score

10^/10

icedid 3131022508 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3131022508

wagringamuk.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

2 756 rundll32.exe
4 756 rundll32.exe
5 756 rundll32.exe
6 756 rundll32.exe
7 756 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

756 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

756 rundll32.exe
756 rundll32.exe

flow	pid	process
2	756	rundll32.exe
4	756	rundll32.exe
5	756	rundll32.exe
6	756	rundll32.exe
7	756	rundll32.exe

pid	process
756	rundll32.exe

pid	process
756	rundll32.exe
756	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1376 wrote to memory of 320	1376	cmd.exe	cmd.exe
PID 1376 wrote to memory of 320	1376	cmd.exe	cmd.exe
PID 1376 wrote to memory of 320	1376	cmd.exe	cmd.exe
PID 320 wrote to memory of 1792	320	cmd.exe	xcopy.exe
PID 320 wrote to memory of 1792	320	cmd.exe	xcopy.exe
PID 320 wrote to memory of 1792	320	cmd.exe	xcopy.exe
PID 320 wrote to memory of 756	320	cmd.exe	rundll32.exe
PID 320 wrote to memory of 756	320	cmd.exe	rundll32.exe
PID 320 wrote to memory of 756	320	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_01-09.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c firvetourg\denmedmudc.cmd A B C D E F G H I J K L M N O P C R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h firvetourg\reencountering.dat C:\Users\Admin\AppData\Local\Temp\*
3⤵
PID:1792

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\reencountering.dat,init
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\reencountering.dat
Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
\Users\Admin\AppData\Local\Temp\reencountering.dat
Filesize
788KB

MD5
15dd0873cb6bef0c8e89a0319a202c3a

SHA1
6b49af73134d502d35d81cb978075761dc3b71fa

SHA256
180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2

SHA512
3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

Download Submit
memory/320-89-0x0000000000000000-mapping.dmp

Download
memory/756-94-0x0000000000000000-mapping.dmp

Download
memory/756-97-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/1376-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1792-93-0x0000000000000000-mapping.dmp

Download