Analysis
-
max time kernel
40s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
10-05-2022 14:59
General
-
Target
documents.lnk
-
Size
1KB
-
MD5
dc097dea18775a8f3d31b52697dc368e
-
SHA1
c9d5fe30ac230dc48d450182fb899c9638fb35bb
-
SHA256
f7861ee8b3917e3746d44a769453334c9bf1b780213634ed9abd42f7873b0593
-
SHA512
ad34d919b7e8dc014e53c14a3a6c74556a24b1258aec83eb3c5fe584c9c908ba3a11e001319ae22e51173c6908ba6c34e5dde7f4056d0cc753e645ea2310ddb0
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
3000901376
C2
yolneanz.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" olasius.dll,PluginInit2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1016-88-0x0000000000000000-mapping.dmp
-
memory/1016-92-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/1520-54-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmpFilesize
8KB