Analysis
max time kernel: 97s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2022, 19:54
Static task: static1
Behavioral task: behavioral1
Sample: Files Extracted from ISO/a4lomar.dll
Resource: win10v2004-20220721-en
0 signatures
150 seconds
General
Target: Files Extracted from ISO/documents.lnk
Size: 1KB
MD5: cb688ad93e582b3ca1c9948afb890961
SHA1: 28b2d8b2a2f344332b3fdb1aadb0b08cc463dbcd
SHA256: d0dcf0ef859cae89068152e08323fd7175eda951a050b36e11db29bcd931abe6
SHA512: 80a1b76a131e09bcc077a4438ad8cacbd993963496d2ce4abcefa09ed00cd8e3ddc0268a1bdc66e571c3f766deb4c1a47a3e588db3483cd2bab848b849e44748
Malware Config (Extracted)
Family: icedid
Campaign: 312921187
C2: explorblins.com
Signatures
suricata: ET MALWARE Win32/IcedID Request Cookie
Blocklisted process makes network request (1 IoCs)
  flow | pid  | Process
  4    | 2136 | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                 | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | cmd.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  2136 | rundll32.exe
  2136 | rundll32.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process | procid_target
  PID 2160 wrote to memory of 1520 | 2160 | cmd.exe | 80
  PID 2160 wrote to memory of 1520 | 2160 | cmd.exe | 80
  PID 1520 wrote to memory of 2136 | 1520 | cmd.exe | 81
  PID 1520 wrote to memory of 2136 | 1520 | cmd.exe | 81
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\documents.lnk"
  PID: 2160
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start rundll32.exe a4lomar.dll, PluginInit
    PID: 1520
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe a4lomar.dll, PluginInit
      PID: 2136
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses