Overview

overview

10

Static

static

ta578_zipp...ts.lnk

windows7_x64

10

ta578_zipp...ts.lnk

windows10-2004_x64

10

ta578_zipp...om.dll

windows7_x64

10

ta578_zipp...om.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    39s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ta578_zippediso/documents.lnk

  • Size

    2KB

  • MD5

    ce783276c0618e3197fb2d3f51ae5790

  • SHA1

    f42e8af4f540c3e6b6a77a8b272f976fc7d44b1d

  • SHA256

    bb1fe6256cc9fc42bd74632871700af5f8663fe954a53378298b35c1f187f16b

  • SHA512

    99485a9f6a7ab134a162c3a7de48284d76f946d877ac718899ec5c54fc3b00f3cc26070742993fbb823f200c6bfb7ebf98ab83be5881a7595f297a6773a5f05f

Score
10/10
icedid3568430872bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

3568430872

C2

alionavon.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ta578_zippediso\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" r7kom.dll, #1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1260

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1260-88-0x0000000000000000-mapping.dmp

    Download

  • memory/1260-92-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1892-54-0x000007FEFBD51000-0x000007FEFBD53000-memory.dmp

    Filesize

    8KB

    Download