Resubmissions

23-01-2023 14:03

230123-rctv5sfb2w 10

23-01-2023 13:59

230123-ran7wafa9v 10

Analysis

  • max time kernel
    132s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-01-2023 13:59

General

  • Target

    Paid_Offer_83_Jan_19.iso

  • Size

    2.1MB

  • MD5

    ff20b342043378b018b88b39d572dfc5

  • SHA1

    d69b4ef00f4635c01302767bbdbb0a24bd7bb9fa

  • SHA256

    2189c2323d2e626f7daa81eeccb6cfb225d3866a0d4532aef070711ac59b09c7

  • SHA512

    e428688b9ef005a1e2ab75a3e2b25b0887bbdac44d145e9cb2957f050d3aa26782157acb82d03755fb487fe15539d3ab44d68fac4cc20cd7565a6c290e49f00a

  • SSDEEP

    24576:rkmZDEMHhp9v1Ikbn3ND0TAVOsIut8P4zlIKE2r/7Bk:QmZFHhp9v1Io3h0TA3pJk

Malware Config

Extracted

Family

icedid

Campaign

3108046779

C2

klayerziluska.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Paid_Offer_83_Jan_19.iso
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\System32\isoburn.exe
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Paid_Offer_83_Jan_19.iso"
      2⤵
        PID:540
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1488
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x56c
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Paid_Offer_83_Jan_19\" -spe -an -ai#7zMap25875:120:7zEvent28020
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1208
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:1716
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        1⤵
          PID:1476
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c ragpewleaK\lawfinledr.cmd A B C D I F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\system32\xcopy.exe
            xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
            2⤵
              PID:1100
            • C:\Windows\system32\rundll32.exe
              rundll32 C:\Users\Admin\AppData\Local\Temp\overprogramming.dat,init
              2⤵
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082


Downloads

  • C:\Paid_Offer_83_Jan_19\ragpewleaK\lawfinledr.cmd
    Filesize

    1KB

    MD5

    880e05a13f96ec1966bebc56ce28ac96

    SHA1

    1e6ec2192a1d600345ea70943a88a393207535bb

    SHA256

    e6e9765ed0af3c72e79d8685b1ecbe57e1e3e0c05cdce7191e7edc7bfd16e086

    SHA512

    c2baaff90e0a667dd9f9fdb43a61435b33c5e35b2b38cfe6868ef6e0f488965555afd93f096e0d94cc7d9c9a241d1e4b37f508653e03de00aabb0e44f45bf015

  • C:\Paid_Offer_83_Jan_19\ragpewleaK\overprogramming.dat
    Filesize

    1002KB

    MD5

    d0515acd0a80ad5273ad189e72aca86f

    SHA1

    494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5

    SHA256

    265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844

    SHA512

    2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa

  • C:\Users\Admin\AppData\Local\Temp\overprogramming.dat
    Filesize

    1002KB

    MD5

    d0515acd0a80ad5273ad189e72aca86f

    SHA1

    494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5

    SHA256

    265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844

    SHA512

    2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa

  • \Users\Admin\AppData\Local\Temp\overprogramming.dat
    Filesize

    1002KB

    MD5

    d0515acd0a80ad5273ad189e72aca86f

    SHA1

    494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5

    SHA256

    265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844

    SHA512

    2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa

  • memory/540-76-0x0000000000000000-mapping.dmp
  • memory/1100-86-0x0000000000000000-mapping.dmp
  • memory/1168-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp
    Filesize

    8KB

  • memory/1692-88-0x0000000000000000-mapping.dmp
  • memory/1692-91-0x0000000000110000-0x0000000000119000-memory.dmp
    Filesize

    36KB