Analysis
- max time kernel: 135s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-09-2022 17:07
- static task: static1
General
- Target: Request-09-27-document-235.iso
- Size: 1.9MB
- MD5: c7f65fb3d817ac077f6c75c852caeb05
- SHA1: 3632792b1e1643402fc88e76ed2c1734cc2b4d86
- SHA256: a4843e1bfd7169fd3ff3207a39603ad4308dedb39dbf25a168cab916515f5104
- SHA512: d700144a63d491ddf33d5419e2b1a321abc34264de80d3e5f0e5982fe25d39637bf4f2f63d463b30dedb2128550de5b525f1753113ea5d9498bd36f36378523b
- SSDEEP: 6144:JEF/cCDQ2eyT3Zw+p0Yyvq1i6qz/QeQqHDT4xE:IcmQ2es3Zw+pRcq1i6qhjS
Malware Config
Extracted
- Family: icedid
- Campaign: 973312338
- C2: tezycronam.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    38    1560  rundll32.exe
    40    1560  rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1560  rundll32.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\E:  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but in this run the only drive touched is E:, the letter the submitted ISO was mounted under (the batch file is launched from E:\lab\), so it is the loader reaching its own payload rather than a drive sweep.
- Modifies registry class (1 IoC)
  Processes:
    description  ioc                                                                              process
    Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings  cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1560  rundll32.exe
    1560  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                     pid   process
    Token: SeManageVolumePrivilege  4976  cmd.exe
    Token: SeManageVolumePrivilege  4976  cmd.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                      pid  process  target process
    PID 432 wrote to memory of 1360  432  cmd.exe  xcopy.exe
    PID 432 wrote to memory of 1360  432  cmd.exe  xcopy.exe
    PID 432 wrote to memory of 1560  432  cmd.exe  rundll32.exe
    PID 432 wrote to memory of 1560  432  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe (pid 4976)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Request-09-27-document-235.iso
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\cmd.exe (pid 432)
  C:\Windows\system32\cmd.exe /c ""E:\lab\highway.bat" "
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\xcopy.exe (pid 1360, child of 432)
    xcopy /s /i /e /h lab\counterstriking.dat C:\Users\Admin\AppData\Local\Temp\*
  - C:\Windows\system32\rundll32.exe (pid 1560, child of 432)
    rundll32 C:\Users\Admin\AppData\Local\Temp\counterstriking.dat,#1
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses

Read top to bottom, this is the delivery chain: opening the ISO mounts it as E:, highway.bat on the mounted image copies counterstriking.dat (the IcedID payload whose config is extracted above) into the user's Temp directory, and rundll32 calls its export #1, which is the process that then makes the network requests.
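The tree above is compact enough to turn straight into detection logic. The Python below is an added example, not code from the sandbox report or from any vendor's tooling: it encodes the chain as per-event rules plus one parent/child correlation and runs them over constructed Sysmon-style process-creation records that mirror the tree. The record schema (pid, ppid, image, command_line), the parent pid 1000 standing in for the user's shell, and the pids 2100 and 3000 given to the SHCreateLocalServerRunDll rundll32 instance and to a benign control are assumptions; the pids 4976, 432, 1360 and 1560 are the ones the report gives. The rules generalise slightly beyond this sample: they also match .img images, full-path rundll32 command lines, robocopy, and ordinal calls into a real .dll that lives in Temp.

```python
"""Detection rules for the ISO -> batch -> xcopy -> rundll32 chain, run over
constructed Sysmon-style process-creation records.

Added example, not code from the sandbox report or any vendor. The field names
and the pids 1000, 2100 and 3000 are assumptions; the other pids are the report's.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


# cmd.exe handed a disk image: opening it mounts the image under a new drive letter.
ISO_OPEN = re.compile(r'(?i)(^|\\)cmd(\.exe)?\s+/c\s+"?\S+\.(iso|img)"?\s*$')
# A batch file launched from any drive letter other than C: (mounted image, USB, mapped share).
BAT_FROM_OTHER_DRIVE = re.compile(r'(?i)/c\s+"*([D-Z]:\\[^"]+\.(bat|cmd))')
# rundll32 <module>,#<ordinal>: export called by ordinal rather than by name.
RUNDLL32_ORDINAL = re.compile(r"(?i)rundll32(\.exe)?\s+(\S+?),#(\d+)\s*$")
# xcopy/robocopy writing into the user's Temp directory.
COPY_TO_TEMP = re.compile(r"(?i)^(xcopy|robocopy)\b.*\\appdata\\local\\temp\\")
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\local\\temp\\")

# Constructed records mirroring the report's process tree (not real telemetry).
EVENTS = [
    ProcEvent(4976, 1000, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\Request-09-27-document-235.iso"),
    ProcEvent(2100, 1000, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
              r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(432, 1000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""E:\lab\highway.bat" "'),
    ProcEvent(1360, 432, r"C:\Windows\system32\xcopy.exe",
              r"xcopy /s /i /e /h lab\counterstriking.dat C:\Users\Admin\AppData\Local\Temp\*"),
    ProcEvent(1560, 432, r"C:\Windows\system32\rundll32.exe",
              r"rundll32 C:\Users\Admin\AppData\Local\Temp\counterstriking.dat,#1"),
    # Benign control: a named export from a DLL in System32 must not fire.
    ProcEvent(3000, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def classify(ev: ProcEvent) -> list[str]:
    """Rule names matched by a single event, in a fixed order."""
    hits = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.command_line
    if exe == "cmd.exe" and ISO_OPEN.search(cl):
        hits.append("cmd_opens_disk_image")
    if exe == "cmd.exe" and BAT_FROM_OTHER_DRIVE.search(cl):
        hits.append("batch_from_mounted_drive")
    if exe == "rundll32.exe":
        m = RUNDLL32_ORDINAL.search(cl)
        if m:
            module = m.group(2)
            # Ordinal call into something that is not a .dll, or into a module in Temp.
            if not module.lower().endswith(".dll") or USER_WRITABLE.search(module):
                hits.append("rundll32_ordinal_nondll_module")
    if exe in ("xcopy.exe", "robocopy.exe") and COPY_TO_TEMP.search(cl):
        hits.append("copy_into_user_temp")
    return hits


def findings(events: Iterable[ProcEvent]) -> list[tuple[int, str]]:
    """(pid, rule) for every per-event hit, plus a chain finding when a rundll32
    ordinal load is a direct child of a batch file run from a non-C: drive."""
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    out = [(e.pid, rule) for e in evs for rule in classify(e)]
    for e in evs:
        if "rundll32_ordinal_nondll_module" in classify(e):
            parent = by_pid.get(e.ppid)
            if parent is not None and "batch_from_mounted_drive" in classify(parent):
                out.append((e.pid, "chain_iso_batch_rundll32"))
    return out


if __name__ == "__main__":
    for pid, rule in findings(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The chain rule only fires when the ordinal rundll32 load is a child of the batch cmd.exe, which is exactly the 432 → 1560 relationship the WriteProcessMemory IoCs establish; the SHCreateLocalServerRunDll instance and the Control_RunDLL control produce nothing. The Temp-path regex is written for the default profile layout and should be widened to whatever user-writable locations matter in your environment.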
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\counterstriking.dat
  Filesize: 476KB
  MD5: b08263e98ccb3df9a0c3fe0c73dc182d
  SHA1: 5ec73ca508dbb7cb78db7927c1d1cf9449527c2e
  SHA256: 71152944b4f8c0e57d77f75b509d46fe9ca20658d437c6983bbf766233b74cbf
  SHA512: c7978d374ad9c21769355e06ee89c1b46486330357a155fe8ce13ed65741e41dc9a80568cdda57587b0c8e829bc00140e82cc4c3be8eb3304aa8c0c7f1de9e01
- memory/1360-132-0x0000000000000000-mapping.dmp
- memory/1560-133-0x0000000000000000-mapping.dmp
- memory/1560-136-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB
- memory/1560-142-0x0000016219AC0000-0x0000016219AC6000-memory.dmp
  Filesize: 24KB