Resubmissions

25-05-2022 19:16

220525-xy9rdacee9 10

23-05-2022 22:23

220523-2bae8ahfb7 10

23-05-2022 22:09

220523-12vneahef3 10

General

  • Target

    a0fa7f6e03e5d3fa5adfcd5dc1e85354-sample.zip

  • Size

    1KB

  • Sample

    220523-2bae8ahfb7

  • MD5

    a3cdbef698dbf2dc5dfc4901ce8b09a5

  • SHA1

    b4a3f0d41a5f8baab16d298aecc0c4fcf7eec051

  • SHA256

    9646b87a32e3a271b4e36a73a8b9d1742035a0edbcdb11b00f85e3e13178a597

  • SHA512

    8c6d0212c30fabc312aafffb7dcc9d9f6a33d8d774020c63fd17174334d433730541faf04d5bfce701e5d8e69d4d68a2aa20ac495f2f4ce3edc3980c0c381876

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://conderadio.tv/09872574.hta

Extracted

Family

icedid

Campaign

109932505

C2

ilekvoyn.com

Targets

    • Target

      Invoice_1.lnk

    • Size

      2KB

    • MD5

      c00c67f3de031c5ae198ba0362b5dd01

    • SHA1

      40f3b0263f8fccdf1fd5fe287dbd55829a8eddd6

    • SHA256

      d146c8bc52ec74b67704b30c0fb20995ba65770d191502f70c88c262dc44fc5d

    • SHA512

      4944aa5947667500eddb4d7fed5b0a8eb4d14db1d60496fcbe38c4032511b04c92757807a23dff49353f5ee75a5ed44cc5de9ed7cdcd12b59a7b8c9214e227ad

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

    • UAC bypass

    • suricata: ET MALWARE Win32/IcedID Request Cookie

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Privilege Escalation

  • Bypass User Account Control (T1088): 1

Defense Evasion

  • Bypass User Account Control (T1088): 1
  • Disabling Security Tools (T1089): 1
  • Modify Registry (T1112): 3
  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks