icedid | a133aecccd8ae50859f5aef5f920987ca5bea5b935b84e81d80b4bfe55024640 | Triage

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-04-2023 21:29

Sharing

Report Analysis Logs

General

Target

run.bat
Size

52B
MD5

0d05c5d81313dc589b57df12401e6688
SHA1

44f72793d2490dc34e728450df342cbe4cbebd74
SHA256

45ea9ebc1d93a95f935a90c0d113bd85fbe7db040aaa6692b22594a669c6b973
SHA512

56e9e9e52f1db72f32bd5079500e3af3b04662c8a0e0b2e9d2b93023d260eeaab42512f7ecd76a4e8a9a318fd07471ccbbc241fb8777a98472da9ad238554a6c

Score

10^/10

icedid 2646410796 banker core_loader trojan

Malware Config

Extracted

Family

icedid

Botnet

2646410796

C2

abigelofraj.com

yhorneedminf.com

Attributes

auth_var
16
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1560 wrote to memory of 1528	1560	cmd.exe	rundll32.exe
PID 1560 wrote to memory of 1528	1560	cmd.exe	rundll32.exe
PID 1560 wrote to memory of 1528	1560	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\rundll32.exe
rundll32.exe awake32.tmp,init --olquwo="license.dat"
2⤵
PID:1528

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-59-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/1528-58-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/1528-54-0x0000000000110000-0x0000000000115000-memory.dmp

Filesize
20KB

Download
memory/1528-60-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download