icedid | 204ae820a286ea0b75063163c29e21ad34084b7d86510a7db0b2c5e67fb333cb | Triage

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2023 17:05

Sharing

Report Analysis Logs

General

Target

run.bat
Size

52B
MD5

0d05c5d81313dc589b57df12401e6688
SHA1

44f72793d2490dc34e728450df342cbe4cbebd74
SHA256

45ea9ebc1d93a95f935a90c0d113bd85fbe7db040aaa6692b22594a669c6b973
SHA512

56e9e9e52f1db72f32bd5079500e3af3b04662c8a0e0b2e9d2b93023d260eeaab42512f7ecd76a4e8a9a318fd07471ccbbc241fb8777a98472da9ad238554a6c

Score

10^/10

icedid 2646410796 banker core_loader trojan

Malware Config

Extracted

Family

icedid

Botnet

2646410796

C2

abigelofraj.com

yhorneedminf.com

Attributes

auth_var
16
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 3304 wrote to memory of 4604 3304 cmd.exe rundll32.exe
PID 3304 wrote to memory of 4604 3304 cmd.exe rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\system32\rundll32.exe
rundll32.exe awake32.tmp,init --olquwo="license.dat"
2⤵
PID:4604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4604-133-0x000001D831750000-0x000001D831755000-memory.dmp

Filesize
20KB

Download
memory/4604-137-0x000001D831750000-0x000001D831755000-memory.dmp

Filesize
20KB

Download
memory/4604-138-0x000001D831750000-0x000001D831755000-memory.dmp

Filesize
20KB

Download
memory/4604-139-0x000001D831740000-0x000001D831741000-memory.dmp

Filesize
4KB

Download