Analysis

  • max time kernel
    103s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2022, 08:23

General

  • Target

    iso/documents.lnk

  • Size

    1KB

  • MD5

    8b6854e62af721babbb0a3770fe4e4f8

  • SHA1

    0358318460abb60d09bef967408870b805cac041

  • SHA256

    f6be0f739a1130aa6f0155b890038a8857da52e79471bf337384662470bd6d9e

  • SHA512

    338c786fba164c8a626b66ccde4e04b3ee06c7abaef0ad34b3034a4e71852619ddd37aa5ba96f6ef20ddf3133b787c750fde0d3db0e6ac604de2fe354b4921ba

Malware Config

Extracted

Family

icedid

Campaign

1094353980

C2

aftersunicox.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\iso\documents.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start rundll32.exe am1lo4.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\system32\rundll32.exe
        rundll32.exe am1lo4.dll,#1
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        PID:656

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/656-132-0x0000000180000000-0x0000000180009000-memory.dmp

          Filesize

          36KB