Analysis
-
max time kernel
39s -
max time network
64s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 14:09
Static task
static1
Behavioral task
behavioral1
Sample
768327532892733679.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
768327532892733679.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
INV871623.txt.lnk
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
INV871623.txt.lnk
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
THjkgeCbhjm.ps1
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
THjkgeCbhjm.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
notice.txt
Resource
win7-20220414-en
Behavioral task
behavioral8
Sample
notice.txt
Resource
win10v2004-20220414-en
General
-
Target
THjkgeCbhjm.ps1
-
Size
69B
-
MD5
c7f314e4db039ed46f95c7747d3ecec9
-
SHA1
3d448506d12a2274424bb24ef9519472fdd5285c
-
SHA256
caf8215e7e34ce4d16a2e1ee7ad3089bc815d243f84e8e8dffc190983cebc441
-
SHA512
ce20bea4d6692996b29a9c22e5deb04fe5aa186a5235ee213dd19bdb962bff8cf618feec912b06c66b76c3830f8a36179e371680c28d89e5a865518e28161fdf
Malware Config
Extracted
icedid
1825398430
ciaontroni.com
Signatures
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 3 2012 rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2024 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exerundll32.exepid process 1908 powershell.exe 1908 powershell.exe 1908 powershell.exe 2012 rundll32.exe 2012 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 1908 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
powershell.exedescription pid process target process PID 1908 wrote to memory of 2024 1908 powershell.exe NOTEPAD.EXE PID 1908 wrote to memory of 2024 1908 powershell.exe NOTEPAD.EXE PID 1908 wrote to memory of 2024 1908 powershell.exe NOTEPAD.EXE PID 1908 wrote to memory of 2012 1908 powershell.exe rundll32.exe PID 1908 wrote to memory of 2012 1908 powershell.exe rundll32.exe PID 1908 wrote to memory of 2012 1908 powershell.exe rundll32.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\THjkgeCbhjm.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\notice.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2024 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" 768327532892733679.dll #12⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2012