Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
18-05-2022 08:08
General
-
Target
documents.lnk
-
Size
1KB
-
MD5
ac16d9137f43b0f5eecde7b2b7e9b9f2
-
SHA1
eed21b6fcfaf9160aa1cb63c43f26747106270bd
-
SHA256
493c390c59258d4002ba5cb11dcdfcf322e29f657eafbae172dc9946dabb795d
-
SHA512
029c8fae6360dac1930a05f9236965b4ab59e95ec69cfdf86e035f3e1499229c2d46d2a0afbd40d55d7d7e2ce45c87843e9e3c1fdbdbe042ace6f0c5015f5196
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
3068011852
C2
yolneanz.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" bole4d.dll,PluginInit2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/952-88-0x0000000000000000-mapping.dmp
-
memory/952-92-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/2040-54-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmpFilesize
8KB