General
  Target: documents.lnk
  Filesize: 1KB
  Completed: 17-05-2022 02:39
  Task: behavioral2
  Score: 10/10
  MD5: 5dd2663a72c1114ef4257c69f07f7973
  SHA1: 1891936886f9114c2af23fa13845fdc28cb98326
  SHA256: 30705ee86a30f4373203d1be11715ba4bf5709bc277b369ea7d4f6b19d024279
  SHA512: a10c78a86c185e37bcd0afbdf68ef65b19c39d35d308b8535c23f0a205f2d32c0f41850080b759de628267357dd5fe0fca736d4de0111cda45bc92c0c040173f

Malware Config
  Extracted
    Family: icedid
    Campaign: 3084789471
    C2: yolneanz.com

Signatures 7

  • IcedID, BokBot

    Description

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

    Description

    suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow: 19, pid: 4488, process: rundll32.exe
  • Checks computer location settings
    cmd.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    process: cmd.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid: 4488, process: rundll32.exe
    pid: 4488, process: rundll32.exe
  • Suspicious use of WriteProcessMemory
    cmd.exe

    Reported IOCs

    description: PID 4720 wrote to memory of 4488; pid: 4720; process: cmd.exe; target process: rundll32.exe
    description: PID 4720 wrote to memory of 4488; pid: 4720; process: cmd.exe; target process: rundll32.exe
Processes 2
  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" starkam.dll,PluginInit
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:4488
Network
MITRE ATT&CK Matrix
  Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/4488-130-0x0000000000000000-mapping.dmp
  • memory/4488-131-0x0000000180000000-0x0000000180009000-memory.dmp