icedid | 95e2122578298f5b0e48dbb0aab079d2123aed82baccf99abc992df75e2b77e5 | Triage

Analysis

max time kernel
133s
max time network
138s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-02-2023 03:38

Sharing

Report Analysis Logs

General

Target

RunDLL-1.bat
Size

27B
MD5

fe56021fdf990bbd7922f23124604fbb
SHA1

1f2b32b3d4820d3037ed8b60f1f59b9a4430937e
SHA256

cd00124e4f9c80290906da4c71a96cfb011e0e91ed93c0740bfa7ab9cdb03002
SHA512

de1e958a9791734211bcbe4ee4004c9475a8cbc3221b4cc0daa8283c832192896ae33e8ce043b7e65dca52628efd73e42095bf01a07dbb91ad056f5c3e2c5aae

Score

10^/10

icedid 2255569783 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

2255569783

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

2 1696 rundll32.exe
4 1696 rundll32.exe
5 1696 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1696 rundll32.exe
1696 rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 1696	1532	cmd.exe	rundll32.exe
PID 1532 wrote to memory of 1696	1532	cmd.exe	rundll32.exe
PID 1532 wrote to memory of 1696	1532	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\rundll32.exe
rundll32.exe NmClt.bin,init
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1696-54-0x0000000000000000-mapping.dmp

Download
memory/1696-55-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download