icedid | 2154488682e7fa52945812b2e217fb68bba0bb1baafe02de905e6616f2b65c2f

Analysis

max time kernel
10s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/05/2023, 04:01

Target

6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe
Size

5.0MB
MD5

6865ca56665542cd7d5c1c53a76f32ca
SHA1

a8c9c66b632f5d2fda9d30f765ebc96ea4123c7a
SHA256

6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed
SHA512

ae134bb33333ebbed97acf52a67310b191fe03899bcb1948f3da3a89c04c9d00a892cd0f9190cfd4fef258719cc9f66c87e75bed2d87f9d342f9bb46d6f68505
SSDEEP

49152:ptErfhsOSMa1xYus4Q2D2TgG6hN3gSVsmqoyeBe4:ptEbfa1xNL2g3mrEB/

Score

10^/10

Family

icedid

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 1 IoCs

resource	yara_rule
behavioral1/memory/940-54-0x00000000006B0000-0x0000000000BB01E0-memory.dmp	family_matiex

Detectes Phoenix Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/940-54-0x00000000006B0000-0x0000000000BB01E0-memory.dmp	miner_phoenix

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1100	940	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1100	940	6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe	29
PID 940 wrote to memory of 1100	940	6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe	29
PID 940 wrote to memory of 1100	940	6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe	29
PID 940 wrote to memory of 1100	940	6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe	29

C:\Users\Admin\AppData\Local\Temp\6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe
"C:\Users\Admin\AppData\Local\Temp\6fa0ea46cdf13cc71d9a164d0291f481d3947ec4f35f2cbf7b5c4a51ae3b0aed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 48
  2⤵
  - Program crash
  PID:1100

memory/940-54-0x00000000006B0000-0x0000000000BB01E0-memory.dmp

Filesize
5.0MB

Download