icedid | a3aa724dbfe8d66266d2a4a8cd7982442a3416d792529cff9751bb4e69f9ca81

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

core.bat
Size

184B
MD5

4da584cc0a5ded0c902627093ab8721b
SHA1

a6bb30b50718813a72cbd58ba148bc3c9a17c3f0
SHA256

bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c
SHA512

d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804

Score

10^/10

icedid 3415411565 banker core_loader core_payload trojan

Malware Config

Extracted

Family

icedid

Botnet

3415411565

antnosience.com

seaskysafe.com

Attributes

auth_var
1
url_path
/news/

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Icedid family
icedid

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe
3280	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3280	2308	cmd.exe	83
PID 2308 wrote to memory of 3280	2308	cmd.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\license.dat

Filesize
333KB

MD5
7eb64145636d2e8343d9077f15c11022

SHA1
c0b221ca05431092bc1c789a33d199124c8fec1c

SHA256
96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

SHA512
53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

Download Submit
memory/3280-3-0x000001D423E20000-0x000001D423E25000-memory.dmp

Filesize
20KB

Download
memory/3280-5-0x000001D423E40000-0x000001D423E99000-memory.dmp

Filesize
356KB

Download
memory/3280-11-0x000001D423E40000-0x000001D423E99000-memory.dmp

Filesize
356KB

Download
memory/3280-12-0x000001D423E40000-0x000001D423E99000-memory.dmp

Filesize
356KB

Download