General

Target: documents.lnk
Filesize: 1KB
Completed: 18-05-2022 08:10
Task: behavioral4
Score: 10/10
MD5: ac16d9137f43b0f5eecde7b2b7e9b9f2
SHA1: eed21b6fcfaf9160aa1cb63c43f26747106270bd
SHA256: 493c390c59258d4002ba5cb11dcdfcf322e29f657eafbae172dc9946dabb795d
SHA512: 029c8fae6360dac1930a05f9236965b4ab59e95ec69cfdf86e035f3e1499229c2d46d2a0afbd40d55d7d7e2ce45c87843e9e3c1fdbdbe042ace6f0c5015f5196
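The report records only the hashes of documents.lnk and the command line the sandbox used to launch it; the target and arguments embedded in the shortcut itself are what an analyst recovers first. The following is an added example, not part of the Triage report or the sample, that parses the StringData section of a shell link as laid out in MS-SHLLINK (header, optional LinkTargetIDList and LinkInfo skipped by their size fields, then the name, relative path, working directory, arguments and icon strings in that fixed order). It builds a constructed shortcut to run against; the relative path, working directory and arguments in that sample are made up and are not the contents of the real documents.lnk.

```python
import struct

# Constants from MS-SHLLINK: ShellLinkHeader size, LinkCLSID and the LinkFlags bits used here.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields are present only when their flag is set, always in this order.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData of a .lnk: what it launches, from where, and with which arguments."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) followed by the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut carrying only StringData (constructed input, not the real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII",
                         LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # CreationTime, AccessTime, WriteTime
                         0,               # FileSize
                         0,               # IconIndex
                         7,               # ShowCommand: SW_SHOWMINNOACTIVE (window starts minimised)
                         0, 0, 0, 0)      # HotKey, Reserved1, Reserved2, Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body + struct.pack("<I", 0)   # TerminalBlock ends the ExtraData section


# Constructed sample: a shortcut that would run rundll32 with a made-up DLL and export.
SAMPLE = build_lnk(r"..\..\..\Windows\System32\rundll32.exe", r"%TEMP%", "example.dll,Start")

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE).items():
        print(f"{key:14} {value}")
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; shortcuts written by Explorer normally also carry a LinkTargetIDList and LinkInfo, which the parser steps over using their own size fields, and a ShowCommand of 7 with the real target hidden behind an `arguments` string is the part worth reading.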

Malware Config

Extracted
Family: icedid
Campaign: 3068011852
C2: yolneanz.com

Signatures 7

  • IcedID, BokBot

    Description

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow  pid   process
    11    1520  rundll32.exe
  • Checks computer location settings
    cmd.exe

    Description

    Looks up the country code configured in the registry, likely a geofence check.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: cmd.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned text calls this likely ransomware behaviour; it is a generic heuristic, nothing else in this run shows encryption activity, and the extracted config identifies the sample as IcedID.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    rundll32.exe

    Reported IOCs

    pid   process
    1520  rundll32.exe
    1520  rundll32.exe
  • Suspicious use of WriteProcessMemory
    cmd.exe

    Reported IOCs

    description                       pid   process  target process
    PID 2692 wrote to memory of 1520  2692  cmd.exe  rundll32.exe
    PID 2692 wrote to memory of 1520  2692  cmd.exe  rundll32.exe
Processes 2
  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" bole4d.dll,PluginInit
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:1520
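The process tree above (cmd.exe running a .lnk out of the user's Temp directory, then spawning rundll32.exe with a bare DLL name and an export) is the pattern worth alerting on. The following is an added example, not part of the report, of that logic run over constructed Sysmon-style process-creation events; the events are made up, with the PIDs and command lines of the cmd.exe and rundll32.exe pair copied from the tree above and an explorer.exe parent plus a benign rundll32.exe row added as controls.

```python
import re

# Constructed process-creation events, not sandbox output. PIDs 2692 and 1520 and their
# command lines mirror the process tree in the report; the other two rows are made up.
EVENTS = [
    {"pid": 1004, "ppid": 820, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 2692, "ppid": 1004, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk"},
    {"pid": 1520, "ppid": 2692, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" bole4d.dll,PluginInit'},
    # Benign control: a System32 DLL loaded by full path, started from explorer.exe.
    {"pid": 3100, "ppid": 1004, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Executable token (quoted or not), whitespace, then the first argument (quoted or not).
_ARG_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|(\S+))')


def rundll32_args(cmdline):
    """Return (dll, export) from 'rundll32.exe <dll>,<export> ...', or None without a DLL argument."""
    m = _ARG_RE.match(cmdline)
    if not m:
        return None
    dll, _, export = (m.group(1) or m.group(2)).partition(",")
    return dll, export


def find_lnk_rundll32_chains(events):
    """Flag rundll32.exe runs whose DLL is not a system-directory path or whose parent cmd.exe ran a .lnk."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        parsed = rundll32_args(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        # A bare name (resolved through the DLL search order) or a user-writable path is the
        # loader-abuse case; a full path under System32 or SysWOW64 is the normal one.
        if not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"DLL not loaded from a system directory: {dll}")
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith("\\cmd.exe") \
                and ".lnk" in parent["cmdline"].lower():
            reasons.append(f"parent cmd.exe ran a shortcut: {parent['cmdline']}")
        if reasons:
            hits.append({"pid": e["pid"], "dll": dll, "export": export, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_lnk_rundll32_chains(EVENTS):
        print(f"pid {h['pid']}: {h['dll']},{h['export']}")
        for r in h["reasons"]:
            print("   -", r)
```

Either condition on its own fires on legitimate software now and then (installers run rundll32 from Temp; users double-click shortcuts that open cmd), so in a production rule the two reasons together, or the bare-DLL case combined with the outbound connection the report records for PID 1520, is the combination to score highest.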
Network
MITRE ATT&CK Matrix

Collection
Command and Control
Credential Access
Defense Evasion
Discovery
  Query Registry
  System Information Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation

Downloads
  • memory/1520-130-0x0000000000000000-mapping.dmp
  • memory/1520-131-0x0000000180000000-0x0000000180009000-memory.dmp