icedid | 815df99c15d3431db3e018aad2827a816d078063fa75da842c30efff6bf08e63

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.lnk
Size

2KB
MD5

c754f3d9cdca9c58f7b9d0a486e4d388
SHA1

078f05b78e7a83ab17d9b35edf195c10f0d5750c
SHA256

a689b27afa67609b9b73465c47f927a12c470b32d8a340552d5f85499501a757
SHA512

cc4af4a8994da26f6daacf1243bb85df0995eccb90159df66e94af0e4e9fd3df401e35a57254efe9bc10a45867dbbdcb3335391f4d5da8b2dcfbe31980e23ebf

Score

10^/10

icedid 1101171172 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1101171172

hdtrenity.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1940	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	regsvr32.exe
1940	regsvr32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2436	1656	cmd.exe	29
PID 1656 wrote to memory of 2436	1656	cmd.exe	29
PID 1656 wrote to memory of 2436	1656	cmd.exe	29
PID 2436 wrote to memory of 1940	2436	cmd.exe	30
PID 2436 wrote to memory of 1940	2436	cmd.exe	30
PID 2436 wrote to memory of 1940	2436	cmd.exe	30
PID 2436 wrote to memory of 1940	2436	cmd.exe	30
PID 2436 wrote to memory of 1940	2436	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start regsvr32.exe data.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe data.dll
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1940-36-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/1940-37-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download