Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
06-07-2022 10:02
Static task
static1
Behavioral task
behavioral1
Sample
o5p0se/documents.lnk
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
o5p0se/documents.lnk
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
o5p0se/o5p0se.dll
Resource
win7-20220414-en
General
-
Target
o5p0se/documents.lnk
-
Size
2KB
-
MD5
221b153dbdad3521bda7049b4496238f
-
SHA1
5c912f7c3d1bbde2b5c6036e89944201907b8295
-
SHA256
b5f4d1173a053476903d2a8e193fd710bd011065e30855e259494a13f7f9b2da
-
SHA512
6296d4a54203680a79de1833b22d35c3e9d3808063777653d53c07d1d09201cc4ad56f150d3419c32faf926ada9567b3acf4e6572bee6901db54f19747fec377
Malware Config
Extracted
icedid
1060798742
carismorth.com
Signatures
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 7 4656 rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 4656 rundll32.exe 4656 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
cmd.execmd.exedescription pid process target process PID 2480 wrote to memory of 952 2480 cmd.exe cmd.exe PID 2480 wrote to memory of 952 2480 cmd.exe cmd.exe PID 952 wrote to memory of 4656 952 cmd.exe rundll32.exe PID 952 wrote to memory of 4656 952 cmd.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\o5p0se\documents.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start rundll32.exe o5p0se.dll, #12⤵
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\system32\rundll32.exerundll32.exe o5p0se.dll, #13⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4656