icedid | c9408dec5953c3bcaf2c93dc12cc7df7e5a3bb36d43ef47e1bc2affd015a940d

Analysis

max time kernel
131s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:52

Target

p3roms/documents.lnk
Size

2KB
MD5

6c2af96b292cb6a7c6446d533c8671e0
SHA1

d05130035893f1593be14105588df3f2262fd50c
SHA256

7d77120c1fcd7635d26e4f1041136bb382f832e170baf3640f238c9b51a1d220
SHA512

e0054f43f9c87c4c670600ec82b9576bd12b53feb21f5c55b7cd510611b91c38da0eaf4d84b5dd30adabffefd8ebf5e61526b9f2b706020576c8db385e33d364

Score

10^/10

Family

icedid

Campaign

3652318967

yankyhoni.com

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	rundll32.exe
3004	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3004	2824	cmd.exe	30
PID 2824 wrote to memory of 3004	2824	cmd.exe	30
PID 2824 wrote to memory of 3004	2824	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\p3roms\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" p3roms.dll, #1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/3004-37-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download