Overview

overview

10

Static

static

Document_OF62.iso

windows10-2004-x64

10

Resubmissions

11-11-2022 10:35

221111-mm1n8ahd3z 10

11-11-2022 05:40

221111-gcv34ahed6 10

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2022 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_OF62.iso

  • Size

    428KB

  • MD5

    88c823ff377b101e6f948f3f34b467c5

  • SHA1

    ece067f744b35128b1ab6e0ddc142263ede1c3bd

  • SHA256

    e6a2e75a6b2a3f2ac324ed063728d53dd0ff40e24e2abe11a725c41a54aabfe9

  • SHA512

    ac31a111d171fb938665d84d76c026794efce66f45af8c738fc18cd569552a6d8f6b236cd71e6df3544ce45abceceeaef5147561f8c1e5f6107df3349cab11c3

  • SSDEEP

    6144:dd1Im48xJjSbUhI77ETb+JS+lDDWbOrL/ZslDP/w+lDxlDuSTjQBRlDFKLEzbrbU:r1ImVJj0Rfyg7QKbuGiKpw9

Score
10/10
icedid426369791bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

426369791

C2

ahilacarstrupert.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Document_OF62.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4412
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\belts\coleman.cmd" "
      1⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K belts\sinus.cmd system rundl
        2⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\system32\replace.exe
          replace C:\Windows\\system32\\rundll32.exe C:\Users\Admin\AppData\Local\Temp /A
          3⤵
            PID:1328
          • C:\Windows\system32\rundll32.exe
            rundll32.exe belts\anyhow.tmp,#1
            3⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:2508

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1328-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2508-134-0x0000000000000000-mapping.dmp
        Download
      • memory/2508-135-0x0000000180000000-0x0000000180009000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2508-141-0x000001BE37D30000-0x000001BE37D36000-memory.dmp
        Filesize

        24KB

        Download
      • memory/4816-132-0x0000000000000000-mapping.dmp
        Download