Analysis
Max time kernel: 142s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-08-2022 07:15
Static task: static1

Behavioral tasks
behavioral1: sterlip/5.bat (resource win7-20220812-en)
behavioral2: sterlip/5.bat (resource win10v2004-20220812-en)
behavioral3: sterlip/documents.lnk (resource win7-20220812-en)
behavioral4: sterlip/documents.lnk (resource win10v2004-20220812-en)
behavioral5: sterlip/sterli0p.dll (resource win7-20220812-en)
behavioral6: sterlip/sterli0p.dll (resource win10v2004-20220812-en)

This page is the report for behavioral4 (sterlip/documents.lnk run on win10v2004-20220812-en).
General
Target: sterlip/documents.lnk
Size: 1KB
MD5: 9629f10740cd3cb2765bb784d0e62dbc
SHA1: ef9019c89073520bdacc63bf93776fbe6a3d6aca
SHA256: e89cd1999517b47805106111e14de4a03669cac30adb3b3304655febce25955f
SHA512: 094b0e4d4d7b6106e0b1cb4d32c124e62c691d3717af7b7a7bd3cb7d126adc33c79c816cc6ca00e162221804cf2b991d73159ff0b56a908fab5f7d6fa0a35e2a
Malware Config
Extracted family: icedid
Campaign ID: 2260774107
C2: godenfasternow.com
Signatures

Blocklisted process makes network request (1 IoC)
  flow 12, pid 3604, rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  cmd.exe: key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3604 rundll32.exe (2 hits)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1988 (cmd.exe) wrote to memory of PID 260 (cmd.exe), 2 hits
  PID 260 (cmd.exe) wrote to memory of PID 2580 (cmd.exe), 2 hits
  PID 2580 (cmd.exe) wrote to memory of PID 3604 (rundll32.exe), 2 hits
  Each pair here is a parent writing into the child it has just created, so these hits trace the same cmd.exe -> cmd.exe -> cmd.exe -> rundll32.exe chain shown in the process tree below rather than an injection into an unrelated process.
Processes
1. C:\Windows\system32\cmd.exe (PID 1988)
   cmd /c C:\Users\Admin\AppData\Local\Temp\sterlip\documents.lnk
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe (PID 260)
      "C:\Windows\System32\cmd.exe" /C start 5.bat
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe (PID 2580)
         C:\Windows\system32\cmd.exe /K 5.bat
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\rundll32.exe (PID 3604)
            RunDll32 sterli0p.dll,#1
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
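The chain above (cmd /c on the .lnk, two cmd.exe hops through 5.bat, then RunDll32 loading a DLL from the current directory by ordinal export #1) is the part of this report a detection can key on. The Python below is an added example and is not part of this report or of Triage: it runs over constructed Sysmon-style events that mirror the report's PIDs and command lines (the field names event, pid, ppid, image, cmdline and key are assumed, not a real Triage export), walks the parent chain of every rundll32.exe started with an ordinal export, flags it when a .lnk and a .bat appear among the ancestors, and separately flags the Geo\Nation registry read behind the "Checks computer location settings" signature.

```python
"""Detect the LNK -> BAT -> rundll32 ordinal-export chain from process events.

Added example, not part of the Triage report. Events are constructed to
mirror the report's process tree and registry hit; field names are assumed
Sysmon-like names, not a real Triage export format.
"""
import re

# Constructed events (PIDs and command lines taken from the report above).
EVENTS = [
    {"event": "process_create", "pid": 1988, "ppid": 0,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\sterlip\documents.lnk"},
    {"event": "registry_query", "pid": 1988,
     "image": r"C:\Windows\system32\cmd.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"event": "process_create", "pid": 260, "ppid": 1988,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C start 5.bat'},
    {"event": "process_create", "pid": 2580, "ppid": 260,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /K 5.bat"},
    {"event": "process_create", "pid": 3604, "ppid": 2580,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"RunDll32 sterli0p.dll,#1"},
    # Benign control (constructed): rundll32 with a named export from
    # System32 and an unrelated parent; must not be flagged.
    {"event": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# "foo.dll,#1": export referenced by ordinal instead of by name.
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")
# Per-user country setting, the key read in the geofence signature.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$",
                        re.IGNORECASE)


def _ancestors(pid, procs):
    """Yield the process and its parents, nearest first; stop at unknown pids."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def find_rundll32_chains(events):
    """Return rundll32 invocations using an ordinal export whose ancestry
    includes both a .lnk and a .bat on a command line."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for proc in procs.values():
        if not proc["image"].lower().endswith("rundll32.exe"):
            continue
        if not ORDINAL_EXPORT.search(proc["cmdline"]):
            continue
        chain = list(_ancestors(proc["pid"], procs))
        parents = " | ".join(a["cmdline"].lower() for a in chain[1:])
        if ".lnk" in parents and ".bat" in parents:
            findings.append({
                "pid": proc["pid"],
                "cmdline": proc["cmdline"],
                # Root-first list of PIDs, e.g. [1988, 260, 2580, 3604].
                "chain": [a["pid"] for a in reversed(chain)],
            })
    return findings


def find_geofence_checks(events):
    """Return PIDs that queried the Geo\\Nation country-code value."""
    return [e["pid"] for e in events
            if e["event"] == "registry_query" and GEO_NATION.search(e["key"])]


if __name__ == "__main__":
    for hit in find_rundll32_chains(EVENTS):
        print("rundll32 chain:", hit["chain"], hit["cmdline"])
    print("geofence lookups by pid:", find_geofence_checks(EVENTS))
```

The ordinal-export test is what separates the sample from ordinary rundll32 use: legitimate callers almost always name the export (as in the constructed control line), while a loader handed a fresh DLL tends to call #1 so the export name can change between builds.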
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/260-132-0x0000000000000000-mapping.dmp
memory/2580-133-0x0000000000000000-mapping.dmp
memory/3604-134-0x0000000000000000-mapping.dmp
memory/3604-135-0x00007FFBAA960000-0x00007FFBAA9C3000-memory.dmp (396KB)
memory/3604-136-0x0000000180000000-0x0000000180009000-memory.dmp (36KB)

Both memory dumps come from rundll32.exe (PID 3604). 0x180000000 is the default preferred image base for 64-bit DLLs, so the 36KB region at that address is the likely place to look for the loaded sterli0p.dll image; the report itself does not attribute the regions.