Analysis
- max time kernel: 139s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-06-2022 10:32
Static task: static1
Behavioral task: behavioral1
- Sample: iced/Microsoft_Teams_installer.exe.lnk
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: iced/Microsoft_Teams_installer.exe.lnk
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: iced/run.dll
- Resource: win7-20220414-en
General
- Target: iced/Microsoft_Teams_installer.exe.lnk
- Size: 2KB
- MD5: 78496da0b847ceb2d84d4ea53b21db48
- SHA1: ee26f8ba4f9c30dc94584f413405fdcf58d14d22
- SHA256: bd05a4dc16dc60ac36f2635ede515238c66c18717626c5f7ec27c77738bc7816
- SHA512: e2dfcec7218cf74d530ececa384d20ecc40582a04df8c77d1b8dddcfdf3224d239cb60dad44530eb16cd2a4248e956ba8a9c7363f1e2019e2d2428c52f878a4d
Malware Config
Extracted:
- icedid
- 3366658159
- plocganga.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow 7, PID 4628, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 4628, rundll32.exe
    PID 4628, rundll32.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 4224 (cmd.exe) wrote to memory of PID 4204 (cmd.exe)
    PID 4224 (cmd.exe) wrote to memory of PID 4204 (cmd.exe)
    PID 4204 (cmd.exe) wrote to memory of PID 4628 (rundll32.exe)
    PID 4204 (cmd.exe) wrote to memory of PID 4628 (rundll32.exe)
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\iced\Microsoft_Teams_installer.exe.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start rundll32 run.dll,PluginInit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      rundll32 run.dll,PluginInit
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses