Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2022, 08:23

General

  • Target

    iso/documents.lnk

  • Size

    1KB

  • MD5

    8b6854e62af721babbb0a3770fe4e4f8

  • SHA1

    0358318460abb60d09bef967408870b805cac041

  • SHA256

    f6be0f739a1130aa6f0155b890038a8857da52e79471bf337384662470bd6d9e

  • SHA512

    338c786fba164c8a626b66ccde4e04b3ee06c7abaef0ad34b3034a4e71852619ddd37aa5ba96f6ef20ddf3133b787c750fde0d3db0e6ac604de2fe354b4921ba

Malware Config

Extracted

Family

icedid

Campaign

1094353980

C2

aftersunicox.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\iso\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start rundll32.exe am1lo4.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\system32\rundll32.exe
        rundll32.exe am1lo4.dll,#1
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        PID:1424

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/908-54-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

          Filesize

          8KB

        • memory/1424-93-0x0000000180000000-0x0000000180009000-memory.dmp

          Filesize

          36KB