Analysis
  max time kernel: 91s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 06-07-2022 17:34
Static task: static1
Behavioral task: behavioral1
  Sample: documents.lnk
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: documents.lnk
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: hertbe.dll
  Resource: win7-20220414-en
General
  Target: documents.lnk
  Size: 2KB
  MD5: 73a8d2488fda1347130de9f0efec4f6b
  SHA1: e5bc7521dbfe149fa8f6df6a0ce5e5d99223a3d0
  SHA256: 2254ed69e23e3f357b4283a055d0841d77c298c30052113b8e4a841d5b5b66ab
  SHA512: d2003816e2e8114e4c5f8aec410c6694d733b818d63d66b4a1d8bd78bf25eba8cb5f3f260efee8709322031475796e9ef7a835928fbdb27a9c6cb8fbe6e97130
Malware Config
  Extracted: icedid
    1044021123
    carismorth.com
Signatures
  suricata: ET MALWARE Win32/IcedID Request Cookie
  Blocklisted process makes network request (1 IoC)
    Processes:
      flow 13, pid 4728, rundll32.exe

  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Processes:
      Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (cmd.exe)

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes:
      pid 4728, rundll32.exe
      pid 4728, rundll32.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    Processes:
      PID 4164 wrote to memory of 4104: cmd.exe -> cmd.exe
      PID 4164 wrote to memory of 4104: cmd.exe -> cmd.exe
      PID 4104 wrote to memory of 4728: cmd.exe -> rundll32.exe
      PID 4104 wrote to memory of 4728: cmd.exe -> rundll32.exe
Processes
  C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start rundll32.exe hertbe.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe hertbe.dll,#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses