Overview

overview

10

Static

static

ker3p/documents.lnk

windows7_x64

10

ker3p/documents.lnk

windows10-2004_x64

10

ker3p/ker3p.dll

windows7_x64

10

ker3p/ker3p.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    02-07-2022 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ker3p/documents.lnk

  • Size

    2KB

  • MD5

    bb347ab4742d9c9b5cafe0aac6ab1316

  • SHA1

    6296df650baf990a47e8c97f7ca0e20fadff8962

  • SHA256

    1d34cb09006522f9c3f48858814fdf22a7bb698cd72b9302f8319f0cb3768a19

  • SHA512

    47cd1e449d80c9f7fe0f6b4c4d1da4db7a1453f3d738330cccee86884218496f78ff934d3c2d43978f75779d5ef3c635f2daee3894136f5abf5fec6797c1f6cc

Score
10/10
icedid3635541348bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

3635541348

C2

piponareatna.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ker3p\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" ker3p.dll, #1
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1532-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1728-88-0x0000000000000000-mapping.dmp

    Download

  • memory/1728-92-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

    Download