Analysis

max time kernel:   43s
max time network:  46s
platform:          windows7_x64
resource:          win7-20220718-en
resource tags:     arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted:         20/07/2022, 08:23
Tasks

Task                 Sample              Resource
Static task          static1
Behavioral task      behavioral1         Sample: iso/am1lo4.dll       Resource: win7-20220718-en
Behavioral task      behavioral2         Sample: iso/am1lo4.dll       Resource: win10v2004-20220718-en
Behavioral task      behavioral3         Sample: iso/documents.lnk    Resource: win7-20220718-en
Behavioral task      behavioral4         Sample: iso/documents.lnk    Resource: win10v2004-20220718-en
General

Target:  iso/documents.lnk
Size:    1KB
MD5:     8b6854e62af721babbb0a3770fe4e4f8
SHA1:    0358318460abb60d09bef967408870b805cac041
SHA256:  f6be0f739a1130aa6f0155b890038a8857da52e79471bf337384662470bd6d9e
SHA512:  338c786fba164c8a626b66ccde4e04b3ee06c7abaef0ad34b3034a4e71852619ddd37aa5ba96f6ef20ddf3133b787c750fde0d3db0e6ac604de2fe354b4921ba
Malware Config
Extracted
icedid
1094353980
aftersunicox.com
Signatures

Blocklisted process makes network request (1 IoCs)
flow  pid   Process
2     1424  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1424  rundll32.exe
1424  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid  Process  procid_target
PID 908 wrote to memory of 592    908  cmd.exe  29
PID 908 wrote to memory of 592    908  cmd.exe  29
PID 908 wrote to memory of 592    908  cmd.exe  29
PID 592 wrote to memory of 1424   592  cmd.exe  30
PID 592 wrote to memory of 1424   592  cmd.exe  30
PID 592 wrote to memory of 1424   592  cmd.exe  30
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\iso\documents.lnk
  PID: 908
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start rundll32.exe am1lo4.dll,#1
    PID: 592
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe am1lo4.dll,#1
      PID: 1424
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses