Analysis
- max time kernel: 160s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 14-04-2022 15:02
Static task: static1
Behavioral task: behavioral1
  Sample: document.lnk
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: document.lnk
  Resource: win10v2004-20220331-en
Behavioral task: behavioral3
  Sample: namr.dll
  Resource: win7-20220331-en
Behavioral task: behavioral4
  Sample: namr.dll
  Resource: win10v2004-en-20220113
General
- Target: document.lnk
- Size: 825B
- MD5: 8097815c15794edea58b9e1f89ee6994
- SHA1: 8b95eeaae1aacb1461357374514d356c022e14b5
- SHA256: 5d0e4719b91ef3f6a436bd76c6c47bc9561cba4918db1a34cc56bf28436cb222
- SHA512: 1b64d186c926173f0bff769ea9094754b7289d6a383e70d09c1f4bafd6ce5e8cbf4a482fe855aa186e7a101a3cbc5ba275deb35bed4aab31463a306ffd182e57
Malware Config
- Extracted: icedid
  2763712970
  fikasterwer.top
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid  process
    12    788  rundll32.exe
    63    788  rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  process
    788  rundll32.exe
    788  rundll32.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process  target process
    PID 4496 wrote to memory of 2168  4496  cmd.exe  cmd.exe
    PID 4496 wrote to memory of 2168  4496  cmd.exe  cmd.exe
    PID 2168 wrote to memory of 788   2168  cmd.exe  rundll32.exe
    PID 2168 wrote to memory of 788   2168  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\document.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start rundll32 namr.dll,PluginInit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      rundll32 namr.dll,PluginInit
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses