icedid | 09a537a7c4bed33cfb33ae7d7b5360b52e6c1396a893b67b5e71acc28e3f74c2

Resubmissions

04/08/2023, 02:06

230804-cjk49aab2t 10

04/08/2023, 02:05

230804-ch1hjsha28 3

Analysis

max time kernel
142s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d.dll
Size

527KB
MD5

60f8d1993043c054e0ddb91e11fc184f
SHA1

80d274ff4278baff08418d48c647c8c0604db3ab
SHA256

09a537a7c4bed33cfb33ae7d7b5360b52e6c1396a893b67b5e71acc28e3f74c2
SHA512

007d9ed82a9cb612882afa70f9482d078f7612e913fd6f4b351307b37c5eaaededaf5b1a2aa1ba0a2ebc48888a475b168b5ea2ad3ef1c35a883daf8ece9f795b
SSDEEP

12288:jymcE1WefvUdDpWcc/9scDp6MGuXxGSthFLEXCRF3MK:e6fvUdDp0/9sY6MGuFoCRF3MK

Score

10^/10

icedid 43832328 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

43832328

ospertoolsbo.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1328	PowerShell.exe
1328	PowerShell.exe
3416	rundll32.exe
3416	rundll32.exe
3416	rundll32.exe
3416	rundll32.exe
3416	rundll32.exe
3416	rundll32.exe
3416	rundll32.exe
3416	rundll32.exe
3312	Process not Found
3312	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3416	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	PowerShell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 3416	1328	PowerShell.exe	96
PID 1328 wrote to memory of 3416	1328	PowerShell.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d.dll,#1
1⤵
PID:1788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4628

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" d.dll vcab /k chitos7685
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3t2llech.hgi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1328-149-0x000002103C670000-0x000002103C6B4000-memory.dmp

Filesize
272KB

Download
memory/1328-151-0x00007FFE3AFA0000-0x00007FFE3BA61000-memory.dmp

Filesize
10.8MB

Download
memory/1328-146-0x0000021023150000-0x0000021023160000-memory.dmp

Filesize
64KB

Download
memory/1328-147-0x0000021023150000-0x0000021023160000-memory.dmp

Filesize
64KB

Download
memory/1328-148-0x0000021023150000-0x0000021023160000-memory.dmp

Filesize
64KB

Download
memory/1328-144-0x0000021023680000-0x00000210236A2000-memory.dmp

Filesize
136KB

Download
memory/1328-150-0x000002103C740000-0x000002103C7B6000-memory.dmp

Filesize
472KB

Download
memory/1328-145-0x00007FFE3AFA0000-0x00007FFE3BA61000-memory.dmp

Filesize
10.8MB

Download
memory/1328-152-0x0000021023150000-0x0000021023160000-memory.dmp

Filesize
64KB

Download
memory/3312-156-0x00007FFE58591000-0x00007FFE58592000-memory.dmp

Filesize
4KB

Download
memory/3312-157-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3312-164-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/3312-166-0x00007FFE58591000-0x00007FFE58592000-memory.dmp

Filesize
4KB

Download
memory/3416-155-0x0000015614BB0000-0x0000015614BB4000-memory.dmp

Filesize
16KB

Download