Overview

overview

10

Static

static

s4pesa/documents.lnk

windows7_x64

10

s4pesa/documents.lnk

windows10-2004_x64

10

s4pesa/s4pesa.dll

windows7_x64

10

s4pesa/s4pesa.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    45s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    29-06-2022 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    s4pesa/documents.lnk

  • Size

    2KB

  • MD5

    77e1106d0ee3c074c5aa94663e62ca8c

  • SHA1

    5149a36f2934cbe44a7066e96756d4ecb7a65cbd

  • SHA256

    4633c5e89c5c9e60c3609dfb7f5ca1f0794c2b84c3468cdc2129d942d4e09cf3

  • SHA512

    8644ef5ca3082bf4f062e53bdba5231f5b010c90fae919bb76f16dc46dae10a76e3ef94dca6d6ae709b4aaeb39b80eedbdc41298fc8d561e0561a51cde9575e6

Score
10/10
icedid3652318967bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

3652318967

C2

yankyhoni.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\s4pesa\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" s4pesa.dll, #1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/524-88-0x0000000000000000-mapping.dmp

    Download

  • memory/524-92-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1660-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

    Filesize

    8KB

    Download