Analysis

  • max time kernel
    70s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-06-2022 22:32

General

  • Target

    r7kom.dll/documents.lnk

  • Size

    2KB

  • MD5

    ce783276c0618e3197fb2d3f51ae5790

  • SHA1

    f42e8af4f540c3e6b6a77a8b272f976fc7d44b1d

  • SHA256

    bb1fe6256cc9fc42bd74632871700af5f8663fe954a53378298b35c1f187f16b

  • SHA512

    99485a9f6a7ab134a162c3a7de48284d76f946d877ac718899ec5c54fc3b00f3cc26070742993fbb823f200c6bfb7ebf98ab83be5881a7595f297a6773a5f05f

Malware Config

Extracted

Family

icedid

Campaign

3568430872

C2

alionavon.com
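The campaign ID and C2 host above are what a config extractor pulls out of the loader. The following decoder is an added example, not code from this report or from any sandbox; it assumes the layout described in public analyses of the IcedID first-stage loader (a 32-byte XOR key immediately followed by 32 bytes of XOR-encrypted config, which decrypts to a little-endian DWORD campaign ID and a NUL-terminated C2 hostname). SAMPLE_BLOB, SAMPLE_KEY and encode_config are constructed here so the example runs offline; the blob carries this report's values but is not the sample's own bytes. scan_for_config is the routine you would point at the 36KB image dump listed under Downloads.

```python
"""Decoder for the IcedID first-stage loader configuration, added as an example; it is not
code from this report. The layout is the one described in public analyses of the loader
(an assumption here): a 32-byte XOR key immediately followed by 32 bytes of XOR-encrypted
config, which decrypts to a little-endian DWORD campaign ID and a NUL-terminated C2 host.
SAMPLE_BLOB is constructed from the values this report extracted; it is not the sample's
own configuration bytes."""
import re
import struct
from typing import List, Tuple

KEY_LEN = 32
CFG_LEN = 32
REC_LEN = KEY_LEN + CFG_LEN

# Accept only something that looks like a hostname; rejects shifted or garbage decodes.
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$")


def decode_config(record: bytes) -> Tuple[int, str]:
    """XOR the config bytes with the key that precedes them and split out the fields."""
    if len(record) < REC_LEN:
        raise ValueError("need at least %d bytes" % REC_LEN)
    key = record[:KEY_LEN]
    enc = record[KEY_LEN:REC_LEN]
    dec = bytes(c ^ k for c, k in zip(enc, key))
    campaign = struct.unpack_from("<I", dec, 0)[0]
    # Non-ASCII bytes become U+FFFD so a bad decode fails the hostname check below.
    host = dec[4:].decode("ascii", "replace").split("\x00", 1)[0]
    return campaign, host


def plausible(campaign: int, host: str) -> bool:
    """A real config has a non-zero campaign ID and a hostname-shaped C2."""
    return campaign != 0 and HOST_RE.match(host) is not None


def scan_for_config(data: bytes) -> List[Tuple[int, int, str]]:
    """Slide a REC_LEN window over a buffer (the loader's .data section or an in-memory
    dump of the image) and return (offset, campaign, host) for plausible hits.
    After a hit the window jumps past the record: windows shifted a few bytes into a
    real record decode to truncated suffixes of the host and would otherwise be reported too."""
    hits = []
    off = 0
    while off + REC_LEN <= len(data):
        campaign, host = decode_config(data[off:off + REC_LEN])
        if plausible(campaign, host):
            hits.append((off, campaign, host))
            off += REC_LEN
        else:
            off += 1
    return hits


def encode_config(campaign: int, host: str, key: bytes) -> bytes:
    """Inverse of decode_config; exists only to construct test data in the same layout."""
    plain = struct.pack("<I", campaign) + host.encode("ascii") + b"\x00"
    if len(plain) > CFG_LEN or len(key) != KEY_LEN:
        raise ValueError("host too long or bad key length")
    plain = plain.ljust(CFG_LEN, b"\x00")
    return key + bytes(p ^ k for p, k in zip(plain, key))


# Constructed test data: arbitrary key; campaign and C2 are the values extracted above.
SAMPLE_KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))
SAMPLE_BLOB = encode_config(3568430872, "alionavon.com", SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB))
    print(scan_for_config(b"\x00" * 64 + SAMPLE_BLOB + b"\x00" * 64))
```

The hostname filter matters more than it looks: a window that starts one byte into a real record still XORs most of the config correctly and yields a truncated but valid-looking host, which is why the scanner skips the whole record length after a hit instead of reporting every overlapping window.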

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, a common geofencing check.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample it is more consistent with the IcedID loader profiling the host, as no file-encryption activity is reported.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\r7kom.dll\documents.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3420
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" r7kom.dll, #1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
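The chain above (cmd /c on a .lnk, then rundll32 loading a DLL by a relative name and calling export ordinal #1) is the part of this report worth turning into a hunt. The rule below is an added example, not part of the sandbox output: it scores process-creation events in the shape of Sysmon Event ID 1 JSON lines. The three events in SAMPLE_EVENTS are constructed, not real telemetry; the second one mirrors this report's process tree, the other two are benign rundll32 uses that must not fire.

```python
"""Hunting rule for the launch chain in the process tree above (cmd /c <file>.lnk ->
rundll32 <dll>, #<ordinal>). Added example, not part of the sandbox report.
The events below are constructed in the shape of Sysmon Event ID 1 (process creation)
JSON lines; they are not real telemetry from this analysis."""
import json
import re
from typing import Iterable, List, Optional

# rundll32 called with the DLL export given by ordinal, e.g. "r7kom.dll, #1"
ORDINAL_EXPORT = re.compile(r"(?i)(\S+\.dll)\s*,\s*#\d+")
# cmd.exe started with /c and a .lnk target, as the sandbox did to run this sample
CMD_RUNS_LNK = re.compile(r"""(?i)\bcmd(?:\.exe)?["']?\s+/c\s+.*\.lnk\b""")
# per-user Temp directory, where the LNK and DLL of this sample were staged
USER_TEMP = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\local\\temp\\")


def score_event(ev: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if it looks benign."""
    image = ev.get("Image", "")
    cmdline = ev.get("CommandLine", "")
    parent = ev.get("ParentCommandLine", "")
    if not image.lower().endswith("\\rundll32.exe"):
        return None
    m = ORDINAL_EXPORT.search(cmdline)
    if not m:
        return None
    dll = m.group(1)
    reasons = ["rundll32 export referenced by ordinal"]
    if "\\" not in dll and ":" not in dll:
        reasons.append("DLL path is relative (resolved from CurrentDirectory)")
    if CMD_RUNS_LNK.search(parent):
        reasons.append("parent cmd.exe launched a .lnk")
    if USER_TEMP.search(ev.get("CurrentDirectory", "")) or USER_TEMP.search(dll):
        reasons.append("DLL lives under user Temp")
    return {
        "pid": ev.get("ProcessId"),
        "dll": dll,
        "reasons": reasons,
        "severity": "high" if len(reasons) >= 3 else "medium",
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run score_event over JSON lines and collect the findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = score_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (JSON lines). Event 2 mirrors the report's process tree;
# events 1 and 3 are benign rundll32 invocations the rule must not flag.
SAMPLE_EVENTS = r'''
{"EventID":1,"ProcessId":1184,"Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe shell32.dll,Control_RunDLL","ParentCommandLine":"explorer.exe","CurrentDirectory":"C:\\Windows\\system32\\"}
{"EventID":1,"ProcessId":2752,"Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" r7kom.dll, #1","ParentCommandLine":"cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\r7kom.dll\\documents.lnk","CurrentDirectory":"C:\\Users\\Admin\\AppData\\Local\\Temp\\r7kom.dll\\"}
{"EventID":1,"ProcessId":4100,"Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Windows\\System32\\ieframe.dll,OpenURL","ParentCommandLine":"svchost.exe","CurrentDirectory":"C:\\Windows\\system32\\"}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f)
```

Ordinal exports alone are not malicious (some legitimate installers use them), so the rule only raises severity when the relative DLL name, the .lnk parent and the Temp staging directory line up, which is exactly the combination this report shows.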

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2752-130-0x0000000000000000-mapping.dmp

  • memory/2752-131-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB