icedid | fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d

Analysis

max time kernel
141s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12102023_1143_0371-1_icedid_forked.dll
Size

328KB
MD5

bf15a998fd84bee284ae9f7422bda640
SHA1

e51217efb6e33fca9f7c5f51e5c3a4ae50499a37
SHA256

fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
SHA512

d7506cb1f7906fd9fb4a06904ed929c4cc187396e40d477b83945d7035e45f03237270abe3f6bcf8f3e6f54bb99392fc069f0582667e2bb6ad8d80f91a11f968
SSDEEP

6144:XN/F41OWGRkFtwxW6spj/JbUaeboh6EReEUHFmU8iNnAXs:X5FCOWGRayW6sAowXFmUfZ

Score

10^/10

icedid 361893872 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

361893872

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 2 IoCs

flow	pid	Process
57	1504	rundll32.exe
75	1504	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	rundll32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{2E57A065-100F-0007-0263-61A4BB5FA8DB}\ = 891251994cd4730fbe1efa9044b81736165432202b5647adca4cad251ae6bde6a46b6cc16076cd9c9238ec0c4572c8898698966fb56bf64a92eec6dba523ca16de520141e4fe1f5bdf40ac9b3abc50e9aed6c03560cf2c692c25f22b1e8e1e630feb857db42c7a2e3a6e85148e646f543fdf990cb33789d50fede985bca18a02b105f9eb61671c0158c11b6cba19683740c898645a4e38908a93b80f0f4fcf1cfce863669d4261bf03ffe2e272a08a26d4b9f373bfd2ad03c09379847326c913c555a3b5fb76315f513bd01745ca82e41a6e2808c60dffeb9d16ba09f7f6f4a2bf33b70bea6826d30fc61afeb4f2f2feb1fdfbe46d5e344b224b542585cb59e7f3f4eef27fbf1170e884a7152f2ac360a3f1c865	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{2E57A065-100F-0007-0263-61A4BB5FA8DB}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	regsvr32.exe
2220	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4784	2220	regsvr32.exe	85
PID 2220 wrote to memory of 4784	2220	regsvr32.exe	85
PID 4784 wrote to memory of 1504	4784	cmd.exe	87
PID 4784 wrote to memory of 1504	4784	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\12102023_1143_0371-1_icedid_forked.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\niivefbd32\epitzuactb.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\niivefbd32\epitzuactb.dll,#1
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies registry class
    PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\niivefbd32\epitzuactb.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
C:\Users\Admin\AppData\Local\niivefbd32\epitzuactb.dll

Filesize
583KB

MD5
0245e02cbb6ffe2716c2aeb7fb8006d0

SHA1
59dd3d2477211eb4fcd72b542812a2036fa0e1e8

SHA256
5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

SHA512
0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Download Submit
memory/1504-11-0x0000025345720000-0x000002534576C000-memory.dmp

Filesize
304KB

Download
memory/1504-10-0x0000025345680000-0x00000253456CF000-memory.dmp

Filesize
316KB

Download
memory/1504-16-0x0000025345720000-0x000002534576C000-memory.dmp

Filesize
304KB

Download
memory/1504-17-0x0000025345720000-0x000002534576C000-memory.dmp

Filesize
304KB

Download
memory/1504-18-0x0000025345680000-0x00000253456CF000-memory.dmp

Filesize
316KB

Download
memory/1504-21-0x0000025345720000-0x000002534576C000-memory.dmp

Filesize
304KB

Download
memory/1504-22-0x0000025345720000-0x000002534576C000-memory.dmp

Filesize
304KB

Download
memory/1504-24-0x0000025345720000-0x000002534576C000-memory.dmp

Filesize
304KB

Download
memory/2220-6-0x0000000001300000-0x000000000130D000-memory.dmp

Filesize
52KB

Download
memory/2220-5-0x0000000001300000-0x000000000130D000-memory.dmp

Filesize
52KB

Download
memory/2220-1-0x0000000001300000-0x000000000130D000-memory.dmp

Filesize
52KB

Download