Analysis
-
max time kernel
138s -
max time network
88s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
22-04-2022 14:23
Static task
static1
General
-
Target
StolenImages_Evidence(1).iso
-
Size
1.4MB
-
MD5
647a39e32ba67b6b6969ad5d864ab5d8
-
SHA1
ec9f8e07ae1e6dd1baa9e5d26b071d53e0d2d3cb
-
SHA256
9b86e6c877fccdb1d372f082d6316ebed0d0f1603b9a2138a0f3b83b065ec4af
-
SHA512
7f853cdfe819f33cd95e477846aae730f77b6e293e596fa54aef8acae8b7e64cbcc59bce0566df09cf107f3c8a01475a370531e8884d4b6ad163d8f586e8fcd3
Malware Config
Extracted
icedid
1311869889
morginakolim.com
Signatures
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exerundll32.exeflow pid process 4 4988 rundll32.exe 7 4136 rundll32.exe -
Loads dropped DLL 2 IoCs
Processes:
rundll32.exerundll32.exepid process 4988 rundll32.exe 4136 rundll32.exe -
Drops file in Windows directory 2 IoCs
Processes:
taskmgr.exedescription ioc process File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exetaskmgr.exerundll32.exepid process 4988 rundll32.exe 4988 rundll32.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 4136 rundll32.exe 4136 rundll32.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 1560 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
7zFM.exetaskmgr.exedescription pid process Token: SeRestorePrivilege 4968 7zFM.exe Token: 35 4968 7zFM.exe Token: SeSecurityPrivilege 4968 7zFM.exe Token: SeDebugPrivilege 1560 taskmgr.exe Token: SeSystemProfilePrivilege 1560 taskmgr.exe Token: SeCreateGlobalPrivilege 1560 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
7zFM.exetaskmgr.exepid process 4968 7zFM.exe 4968 7zFM.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe 1560 taskmgr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 4200 wrote to memory of 4988 4200 cmd.exe rundll32.exe PID 4200 wrote to memory of 4988 4200 cmd.exe rundll32.exe PID 4172 wrote to memory of 4136 4172 cmd.exe rundll32.exe PID 4172 wrote to memory of 4136 4172 cmd.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\StolenImages_Evidence(1).iso1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StolenImages_Evidence(1).iso"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start rundll32.exe oloqr4.dll,PluginInit1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe oloqr4.dll,PluginInit2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start rundll32.exe oloqr4.dll,PluginInit1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe oloqr4.dll,PluginInit2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\oloqr4.dllFilesize
324KB
MD5051a933289b09b0792c14400a26d0f04
SHA18943f0ed935b80209babaaa4100ffecc038f9266
SHA256d915e8d81222820493acd9ac80b7936d32d92b33e514deb10039ac7ac0c7fd24
SHA5122f4269510515d4a33130df1507bffa3d569ecef3b8e06c6f620de2ffe73bbd7742d98e344b4cfacfb71aeb3bd7b8465e5ea9156cb159a6b7016962bd24adfe64
-
\Users\Admin\Desktop\oloqr4.dllFilesize
324KB
MD5051a933289b09b0792c14400a26d0f04
SHA18943f0ed935b80209babaaa4100ffecc038f9266
SHA256d915e8d81222820493acd9ac80b7936d32d92b33e514deb10039ac7ac0c7fd24
SHA5122f4269510515d4a33130df1507bffa3d569ecef3b8e06c6f620de2ffe73bbd7742d98e344b4cfacfb71aeb3bd7b8465e5ea9156cb159a6b7016962bd24adfe64
-
\Users\Admin\Desktop\oloqr4.dllFilesize
324KB
MD5051a933289b09b0792c14400a26d0f04
SHA18943f0ed935b80209babaaa4100ffecc038f9266
SHA256d915e8d81222820493acd9ac80b7936d32d92b33e514deb10039ac7ac0c7fd24
SHA5122f4269510515d4a33130df1507bffa3d569ecef3b8e06c6f620de2ffe73bbd7742d98e344b4cfacfb71aeb3bd7b8465e5ea9156cb159a6b7016962bd24adfe64
-
memory/4136-127-0x0000000000000000-mapping.dmp
-
memory/4988-118-0x0000000000000000-mapping.dmp
-
memory/4988-121-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB