Analysis
- max time kernel: 47s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 28-05-2022 16:03
Static task: static1
Behavioral task: behavioral1
- Sample: documents.lnk
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: documents.lnk
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: textins.dll
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: textins.dll
- Resource: win10v2004-20220414-en
General
- Target: documents.lnk
- Size: 1KB
- MD5: d61780458f992bdf77fe625dd1565e6c
- SHA1: 2dd14846649ebf8bd9ca7ae300087d021668bab9
- SHA256: e160ad95d3c45196a978965356fbaad470f2e04c6dfdc62db94bcb9cf08c3a81
- SHA512: 7d376ee7d7d56295161af628e6b2922afa3886d05d99569f79910dce168309702f0a80e9498db465d685b2dd94fef91e0ba2c3a0d19d343d7f2e0c140e0b7c07
Malware Config
Extracted:
- icedid
- 3333102921
- reapetzold.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow  pid   process
    2     2016  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2016  rundll32.exe
    2016  rundll32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid   process
    2016  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process  target process
    PID 1528 wrote to memory of 2016   1528  cmd.exe  rundll32.exe
    PID 1528 wrote to memory of 2016   1528  cmd.exe  rundll32.exe
    PID 1528 wrote to memory of 2016   1528  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" textins.dll,PluginInit
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow