icedid | 2811b96344264d2752dfe7fa5c0d124444a2337745bb66c3836e406c7df2b916 | Triage

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-04-2023 05:51

Sharing

Report Analysis Logs

General

Target

给老子冲/影流之王🈹 (10).exe
Size

5.0MB
MD5

22ba843c2cfd43aaf712b80b40e8b4f0
SHA1

b8ea71676e0651b7d918a16473a030c1014b7ffd
SHA256

76dee725ec290d43a66d16054121085868030a2af49fb0c5affc471c50984bd7
SHA512

5fbae872c164e80ff042aca5d4821ff14c47f2889dce7557ee4d7a2f5a4d7a4ac7d183f3dfe6144e210fa1621080de874dd30f7a7827032ebe3ec935799f6ac1
SSDEEP

49152:NtErfhsOSMa1xYus4Q2D2TgG6hN3gSVsmqoyeBe4:NtEbfa1xNL2g3mrEBX

Score

10^/10

icedid matiex banker keylogger loader miner stealer trojan

Malware Config

Extracted

Family

icedid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-54-0x00000000008F0000-0x0000000000DF01E0-memory.dmp	family_matiex

Detectes Phoenix Miner Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-54-0x00000000008F0000-0x0000000000DF01E0-memory.dmp	miner_phoenix

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 1992 WerFault.exe 影流之王🈹 (10).exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

影流之王🈹 (10).exe

description	pid	process	target process
PID 1992 wrote to memory of 1996	1992	影流之王🈹 (10).exe	WerFault.exe
PID 1992 wrote to memory of 1996	1992	影流之王🈹 (10).exe	WerFault.exe
PID 1992 wrote to memory of 1996	1992	影流之王🈹 (10).exe	WerFault.exe
PID 1992 wrote to memory of 1996	1992	影流之王🈹 (10).exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (10).exe
"C:\Users\Admin\AppData\Local\Temp\给老子冲\影流之王🈹 (10).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 48
2⤵
- Program crash
PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-54-0x00000000008F0000-0x0000000000DF01E0-memory.dmp

Filesize
5.0MB

Download