Analysis
-
max time kernel
126s -
max time network
63s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
05-07-2022 16:23
General
-
Target
INV871623.txt.lnk
-
Size
1KB
-
MD5
7c1073209e40cb0957e097eb86ae4d79
-
SHA1
fd8b3b87f44bfef8f5a7af23adf496b5494eaf01
-
SHA256
1202a0e6d4b0282bcade76291346b5b410f05e05c978c087147a4c2006d69b42
-
SHA512
ac6b78c0657388119e3c7d70c3b708ffbdc643965dcd9d11240b96110559b5e24409bc34921fa700bdeb39c16d37b40b6c1b83420f302137a46c84ca66e61406
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
1825398430
C2
ciaontroni.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\INV871623.txt.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w h -file THjkgeCbhjm.ps12⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\notice.txt3⤵
- Drops file in Windows directory
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" 768327532892733679.dll,#13⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2416-114-0x0000000000000000-mapping.dmp
-
memory/2416-119-0x000001A4FB940000-0x000001A4FB962000-memory.dmpFilesize
136KB
-
memory/2416-127-0x000001A4FC630000-0x000001A4FC6A6000-memory.dmpFilesize
472KB
-
memory/3428-146-0x0000000000000000-mapping.dmp
-
memory/4024-147-0x0000000000000000-mapping.dmp
-
memory/4024-149-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB