Analysis

max time kernel: 103s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2022, 08:23
Static task
- static1

Behavioral tasks
- behavioral1: sample iso/am1lo4.dll, resource win7-20220718-en
- behavioral2: sample iso/am1lo4.dll, resource win10v2004-20220718-en
- behavioral3: sample iso/documents.lnk, resource win7-20220718-en
- behavioral4: sample iso/documents.lnk, resource win10v2004-20220718-en
General

Target: iso/documents.lnk
Size: 1KB
MD5: 8b6854e62af721babbb0a3770fe4e4f8
SHA1: 0358318460abb60d09bef967408870b805cac041
SHA256: f6be0f739a1130aa6f0155b890038a8857da52e79471bf337384662470bd6d9e
SHA512: 338c786fba164c8a626b66ccde4e04b3ee06c7abaef0ad34b3034a4e71852619ddd37aa5ba96f6ef20ddf3133b787c750fde0d3db0e6ac604de2fe354b4921ba
Malware Config (extracted)

Family: icedid
Campaign: 1094353980
C2: aftersunicox.com
Signatures

Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  2    | 656 | rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description        | ioc                                                                                               | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-2783062828-828903012-4218294845-1000\Control Panel\International\Geo\Nation | cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  656 | rundll32.exe
  656 | rundll32.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        | pid  | Process | procid_target
  PID 1404 wrote to memory of 1876   | 1404 | cmd.exe | 77
  PID 1404 wrote to memory of 1876   | 1404 | cmd.exe | 77
  PID 1876 wrote to memory of 656    | 1876 | cmd.exe | 78
  PID 1876 wrote to memory of 656    | 1876 | cmd.exe | 78
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\iso\documents.lnk
   PID: 1404
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start rundll32.exe am1lo4.dll,#1
      PID: 1876
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\rundll32.exe
         Command line: rundll32.exe am1lo4.dll,#1
         PID: 656
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses