General
Target

documents.lnk

Filesize

1KB

Completed

17-05-2022 02:39

Task

behavioral1

Score

10/10

MD5

5dd2663a72c1114ef4257c69f07f7973

SHA1

1891936886f9114c2af23fa13845fdc28cb98326

SHA256

30705ee86a30f4373203d1be11715ba4bf5709bc277b369ea7d4f6b19d024279

SHA512

a10c78a86c185e37bcd0afbdf68ef65b19c39d35d308b8535c23f0a205f2d32c0f41850080b759de628267357dd5fe0fca736d4de0111cda45bc92c0c040173f

Malware Config

Extracted

Family

icedid

Campaign

3084789471

C2

yolneanz.com

Signatures 6

Discovery
  • IcedID, BokBot

    Description

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

    Description

    suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow  pid   process
    2     1008  rundll32.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid   process
    1008  rundll32.exe
    1008  rundll32.exe
  • Suspicious use of WriteProcessMemory
    cmd.exe

    Reported IOCs

    description                       pid   process  target process
    PID 1380 wrote to memory of 1008  1380  cmd.exe  rundll32.exe
    PID 1380 wrote to memory of 1008  1380  cmd.exe  rundll32.exe
    PID 1380 wrote to memory of 1008  1380  cmd.exe  rundll32.exe
Processes 2
  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" starkam.dll,PluginInit
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1008
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • memory/1008-88-0x0000000000000000-mapping.dmp
  • memory/1008-92-0x0000000180000000-0x0000000180009000-memory.dmp
  • memory/1380-54-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp