General

Target | documents.lnk |
Filesize | 1KB |
Completed | 18-05-2022 08:10 |
Task | behavioral4 |
Score | 10/10 |
MD5 | ac16d9137f43b0f5eecde7b2b7e9b9f2 |
SHA1 | eed21b6fcfaf9160aa1cb63c43f26747106270bd |
SHA256 | 493c390c59258d4002ba5cb11dcdfcf322e29f657eafbae172dc9946dabb795d |
SHA512 | 029c8fae6360dac1930a05f9236965b4ab59e95ec69cfdf86e035f3e1499229c2d46d2a0afbd40d55d7d7e2ce45c87843e9e3c1fdbdbe042ace6f0c5015f5196 |
Malware Config

Extracted
Family | icedid |
Campaign | 3068011852 |
C2 | yolneanz.com |
Signatures 7

Discovery

IcedID, BokBot
Description: IcedID is a banking trojan capable of stealing credentials.
Tags: -

suricata: ET MALWARE Win32/IcedID Request Cookie
Description: suricata: ET MALWARE Win32/IcedID Request Cookie
Tags: -

Blocklisted process makes network request (rundll32.exe)
Reported IOCs:
flow | pid | process |
11 | 1520 | rundll32.exe |

Checks computer location settings (cmd.exe)
Description: Looks up country code configured in the registry, likely geofence.
TTPs: -
Reported IOCs:
description | ioc | process |
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | cmd.exe |

Enumerates physical storage devices
Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
TTPs: -

Suspicious behavior: EnumeratesProcesses (rundll32.exe)
Reported IOCs:
pid | process |
1520 | rundll32.exe |
1520 | rundll32.exe |

Suspicious use of WriteProcessMemory (cmd.exe)
Reported IOCs:
description | pid | process | target process |
PID 2692 wrote to memory of 1520 | 2692 | cmd.exe | rundll32.exe |
PID 2692 wrote to memory of 1520 | 2692 | cmd.exe | rundll32.exe |
Processes 2

C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

C:\Windows\System32\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" bole4d.dll,PluginInit
Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
memory/1520-130-0x0000000000000000-mapping.dmp
memory/1520-131-0x0000000180000000-0x0000000180009000-memory.dmp