Analysis
- max time kernel: 140s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2022 15:39
Static task: static1
Behavioral task: behavioral1
- Sample: 78bcac34-fc98-4310-a264-74194a64df6a.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 78bcac34-fc98-4310-a264-74194a64df6a.dll
- Resource: win10v2004-20220901-en
Behavioral task: behavioral3
- Sample: a51ae885-405c-4324-8173-7c83f1957f01.png
- Resource: win7-20220812-en
Behavioral task: behavioral4
- Sample: a51ae885-405c-4324-8173-7c83f1957f01.png
- Resource: win10v2004-20220901-en
Behavioral task: behavioral5
- Sample: doc-0a43862f-fa4e-4402-826f-08b910d79ed4.lnk
- Resource: win7-20220812-en
Behavioral task: behavioral6
- Sample: doc-0a43862f-fa4e-4402-826f-08b910d79ed4.lnk
- Resource: win10v2004-20220812-en
General
- Target: doc-0a43862f-fa4e-4402-826f-08b910d79ed4.lnk
- Size: 1KB
- MD5: a5c23348c8b4dabf839cd857919948b3
- SHA1: 6a57f8583f5704709051b2175bfe72daf1d21765
- SHA256: 667923db3ec71a122a52c895260e64568207c0eea7697d92c4df14428c911b20
- SHA512: dfff66c6b69dcde0b164397dae47f3ca61dbbd00fb3fcaf1d8f10b8dc95ec6d496aa733d1845ecb4696c409acee5b4ef03ddf564c571da1dfa2b988294cf88e3
Malware Config
Extracted
- Family: icedid
- Campaign: 976968029
- C2: triskawilko.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
    flow  pid   process
    2     1700  rundll32.exe
    4     1700  rundll32.exe
    5     1700  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid   process
    1700  rundll32.exe
    1700  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, cmd.exe
    description                        pid   process  target process
    PID 1672 wrote to memory of 1808   1672  cmd.exe  cmd.exe
    PID 1672 wrote to memory of 1808   1672  cmd.exe  cmd.exe
    PID 1672 wrote to memory of 1808   1672  cmd.exe  cmd.exe
    PID 1808 wrote to memory of 1700   1808  cmd.exe  rundll32.exe
    PID 1808 wrote to memory of 1700   1808  cmd.exe  rundll32.exe
    PID 1808 wrote to memory of 1700   1808  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\doc-0a43862f-fa4e-4402-826f-08b910d79ed4.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c start a51ae885-405c-4324-8173-7c83f1957f01.png && start ru^n^d^l^l3^2 78bcac34-fc98-4310-a264-74194a64df6a.FZb,PluginInit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (depth 3)
      Command line: rundll32 78bcac34-fc98-4310-a264-74194a64df6a.FZb,PluginInit
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1672-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp (Filesize: 8KB)
- memory/1700-144-0x0000000000000000-mapping.dmp
- memory/1700-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/1700-151-0x0000000000110000-0x0000000000116000-memory.dmp (Filesize: 24KB)
- memory/1808-89-0x0000000000000000-mapping.dmp
- memory/1808-143-0x0000000001F70000-0x0000000001F80000-memory.dmp (Filesize: 64KB)