Overview

overview

10

Static

static

documents.lnk

windows7_x64

10

documents.lnk

windows10-2004_x64

10

olasius.dll

windows7_x64

3

olasius.dll

windows10-2004_x64

3

Analysis

  • max time kernel
    40s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10-05-2022 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documents.lnk

  • Size

    1KB

  • MD5

    dc097dea18775a8f3d31b52697dc368e

  • SHA1

    c9d5fe30ac230dc48d450182fb899c9638fb35bb

  • SHA256

    f7861ee8b3917e3746d44a769453334c9bf1b780213634ed9abd42f7873b0593

  • SHA512

    ad34d919b7e8dc014e53c14a3a6c74556a24b1258aec83eb3c5fe584c9c908ba3a11e001319ae22e51173c6908ba6c34e5dde7f4056d0cc753e645ea2310ddb0

Score
10/10
icedid3000901376bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

3000901376

C2

yolneanz.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" olasius.dll,PluginInit
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1016-88-0x0000000000000000-mapping.dmp

    Download

  • memory/1016-92-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1520-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

    Filesize

    8KB

    Download