Overview

overview

10

Static

static

icedid/INV.lnk

windows7-x64

10

icedid/INV.lnk

windows10-2004-x64

10

icedid/nap...eA.cmd

windows7-x64

1

icedid/nap...eA.cmd

windows10-2004-x64

1

icedid/nap...ng.dll

windows7-x64

1

icedid/nap...ng.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2023 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    icedid/INV.lnk

  • Size

    1KB

  • MD5

    a5bf79eb941c6b46c54f1c7eeed61e0b

  • SHA1

    c3e4aaf8a1ead1b0e7839c23f39285ce6201a667

  • SHA256

    7149d908813641a2262abf5d9904879f4336b66d0e62fae49dc79465a6058d14

  • SHA512

    5754cec3462d503940593ca01408cef41624cf0186e28995a26bd49e735a0224c5285477c2fe22377b1a48b8b5eb338563a7396c75b39394a4732d2c39289985

Score
10/10
icedid1387823457bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1387823457

C2

allertmnemonkik.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\icedid\INV.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c napphipolD\chialaDeeA.cmd A B C D E F G H I J K L M N O P s R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\system32\xcopy.exe
        xcopy /s /i /e /h napphipolD\limiting.dat C:\Users\Admin\AppData\Local\Temp\*
        3⤵
          PID:728
        • C:\Windows\system32\rundll32.exe
          rundll32 C:\Users\Admin\AppData\Local\Temp\limiting.dat,init
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\limiting.dat
      Filesize

      189KB

      MD5

      c9f3dd6dddcd3beb7070d9f915219034

      SHA1

      c3f080523dc1b8c444742f372b9d212743b8a503

      SHA256

      65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

      SHA512

      41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\limiting.dat
      Filesize

      189KB

      MD5

      c9f3dd6dddcd3beb7070d9f915219034

      SHA1

      c3f080523dc1b8c444742f372b9d212743b8a503

      SHA256

      65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

      SHA512

      41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

      Download Submit
    • memory/728-133-0x0000000000000000-mapping.dmp
      Download
    • memory/968-134-0x0000000000000000-mapping.dmp
      Download
    • memory/968-137-0x00000171E39F0000-0x00000171E39F9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/4992-132-0x0000000000000000-mapping.dmp
      Download