icedid | 56c5630b16bf7772d467ee7b9f97d6fbbaebf3abf8991a6549a24e047f6d8ab0

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

core/cmd.bat
Size

187B
MD5

f9024ea7ab8f15514c195828d99fbd8f
SHA1

fd6647533ddd5dc904c88e57e8c00101d8636863
SHA256

9772b3d6906d3c7a2ec38a5b14da55bd9e744ec4359f601da5eeba013bbda65b
SHA512

a0f837d981c592ca4d39b34997e3c97b4189ffeb9fe10a90ed488c3c8ac6dadbf08cca360edce2ee2a009ed64624db4533fe88e71753da59082878a1204237ae

Score

10^/10

icedid 3984935437 banker core_loader core_payload trojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3984935437

footballer.bid

2kilozhiraffe.club

aristomosuga.top

viryigamaps.top

Attributes

auth_var
3
url_path
/news/

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2672	3068	cmd.exe	31
PID 3068 wrote to memory of 2672	3068	cmd.exe	31
PID 3068 wrote to memory of 2672	3068	cmd.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\hungry-.tmp,update /i:"license.dat"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\license.dat

Filesize
333KB

MD5
3c6263a9c4117c78d26fc4380af014f2

SHA1
eca410dd57af16227220e08067c1895c258eb92b

SHA256
29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e

SHA512
0969cde0d327b9f4b2be708437aea2a1d7a9ba9482125e143ce25c6a2f07e8ee1fa9b23e12f4e88157305f59209e2a8b3a2b2e7eb143b114e3f0c95ba57a2e1a

Download Submit
memory/2672-5-0x0000000001DD0000-0x0000000001E28000-memory.dmp

Filesize
352KB

Download
memory/2672-3-0x0000000001D90000-0x0000000001DC7000-memory.dmp

Filesize
220KB

Download
memory/2672-12-0x0000000001DD0000-0x0000000001E28000-memory.dmp

Filesize
352KB

Download
memory/2672-11-0x0000000001DD0000-0x0000000001E28000-memory.dmp

Filesize
352KB

Download