icedid | 815df99c15d3431db3e018aad2827a816d078063fa75da842c30efff6bf08e63

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.lnk
Size

2KB
MD5

c754f3d9cdca9c58f7b9d0a486e4d388
SHA1

078f05b78e7a83ab17d9b35edf195c10f0d5750c
SHA256

a689b27afa67609b9b73465c47f927a12c470b32d8a340552d5f85499501a757
SHA512

cc4af4a8994da26f6daacf1243bb85df0995eccb90159df66e94af0e4e9fd3df401e35a57254efe9bc10a45867dbbdcb3335391f4d5da8b2dcfbe31980e23ebf

Score

10^/10

icedid 1101171172 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1101171172

hdtrenity.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1160	regsvr32.exe
1160	regsvr32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3776	3204	cmd.exe	84
PID 3204 wrote to memory of 3776	3204	cmd.exe	84
PID 3776 wrote to memory of 1160	3776	cmd.exe	85
PID 3776 wrote to memory of 1160	3776	cmd.exe	85

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start regsvr32.exe data.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe data.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1160-0-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/1160-1-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download