Overview

overview

10

Static

static

data.dll

windows7_x64

10

data.dll

windows10-2004_x64

10

documents.lnk

windows7_x64

10

documents.lnk

windows10-2004_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    16-02-2022 23:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documents.lnk

  • Size

    2KB

  • MD5

    c754f3d9cdca9c58f7b9d0a486e4d388

  • SHA1

    078f05b78e7a83ab17d9b35edf195c10f0d5750c

  • SHA256

    a689b27afa67609b9b73465c47f927a12c470b32d8a340552d5f85499501a757

  • SHA512

    cc4af4a8994da26f6daacf1243bb85df0995eccb90159df66e94af0e4e9fd3df401e35a57254efe9bc10a45867dbbdcb3335391f4d5da8b2dcfbe31980e23ebf

Score
10/10
icedid1101171172bankersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

1101171172

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start regsvr32.exe data.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\system32\regsvr32.exe
        regsvr32.exe data.dll
        3⤵
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 452 -s 244
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/452-56-0x00000000005B0000-0x00000000005BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1220-54-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1328-58-0x0000000001E60000-0x0000000001E61000-memory.dmp

    Filesize

    4KB

    Download