Overview

overview

10

Static

static

Document_8...12.zip

windows7-x64

1

Document_8...12.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2023 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document_85_Copy_01-12.zip

  • Size

    108KB

  • MD5

    9be51ec0cc1d11ec3954a2334059300e

  • SHA1

    5b6c04e35e2b0b3c3129a05519790cdb7a60a67f

  • SHA256

    08f1fcad30ccf7fa1cfc59033a91d984a3dbeda5d581b0b24a196b80512c551d

  • SHA512

    0d2dd88d144b194e7a75b8410c329cbfaea8e7a38fd1ec9a79f4839be1b0299d34fb3fb80174f477427bfb7d95f9327526e67b326a3ee0c861c5cfa849a6aa36

  • SSDEEP

    3072:wjVCUVdwZ1VHTPxH+/2D3hGaLU5x7QsUeN7Iz:X2wZjHrxH+/YxGDjQsp2z

Score
10/10
icedid1387823457bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

1387823457

C2

allertmnemonkik.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Document_85_Copy_01-12.zip
    1⤵
      PID:872
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1804
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c getgunputY\aidduecabj.cmd A B C D E F G H I J K L M N O P x R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
        1⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\system32\xcopy.exe
          xcopy /s /i /e /h getgunputY\halterbreaking.dat C:\Users\Admin\AppData\Local\Temp\*
          2⤵
            PID:1576
          • C:\Windows\system32\rundll32.exe
            rundll32 C:\Users\Admin\AppData\Local\Temp\halterbreaking.dat,init
            2⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:3440

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\halterbreaking.dat
          Filesize

          189KB

          MD5

          c9f3dd6dddcd3beb7070d9f915219034

          SHA1

          c3f080523dc1b8c444742f372b9d212743b8a503

          SHA256

          65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

          SHA512

          41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\halterbreaking.dat
          Filesize

          189KB

          MD5

          c9f3dd6dddcd3beb7070d9f915219034

          SHA1

          c3f080523dc1b8c444742f372b9d212743b8a503

          SHA256

          65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

          SHA512

          41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

          Download Submit
        • memory/1576-132-0x0000000000000000-mapping.dmp
          Download
        • memory/3440-133-0x0000000000000000-mapping.dmp
          Download
        • memory/3440-136-0x0000025EDDF70000-0x0000025EDDF79000-memory.dmp
          Filesize

          36KB

          Download