Analysis
-
max time kernel
655s -
max time network
1565s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
12-03-2022 14:38
General
-
Target
document.lnk
-
Size
2KB
-
MD5
a7ec43a3bd10d95a788f79c20ab8796f
-
SHA1
5c165fedae74c0ef60104772dc82f34520e1ff6f
-
SHA256
a17e32b43f96c8db69c979865a8732f3784c7c42714197091866473bcfac8250
-
SHA512
69eb3fd86ddf68e14f37dc7e862a9accf389b64c2a009c292da324bb63414453b51c6206845a1c364df0658288265a111900bbd09a50a920788dda67ccd6f2b2
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
2401334462
C2
emicthatmov.top
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\document.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start regsvr32.exe main.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32.exe main.dll3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1044 -s 2444⤵
- Program crash
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1044-92-0x0000000000130000-0x000000000013B000-memory.dmpFilesize
44KB
-
memory/1328-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmpFilesize
8KB