Overview
Analysis
- max time kernel: 600s
- max time network: 601s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 30-09-2022 15:16
Tasks
- static1 (static task)
- behavioral1: Invoice_PDF#3323.iso on win7-20220812-en
- behavioral2: Invoice_PDF#3323.iso on win10v2004-20220901-en
- behavioral3: Invoice_PDF.lnk on win7-20220812-en
- behavioral4: Invoice_PDF.lnk on win10v2004-20220812-en
- behavioral5: unamortized/greenflies.dll on win7-20220812-en
- behavioral6: unamortized/greenflies.dll on win10v2004-20220901-en
- behavioral7: unamortized/suspiciousEns.cmd on win7-20220812-en
- behavioral8: unamortized/suspiciousEns.cmd on win10v2004-20220812-en
- behavioral9: unamortized/unquestioninglySheltered.js on win7-20220812-en
- behavioral10: unamortized/unquestioninglySheltered.js on win10v2004-20220901-en
General
- Target: Invoice_PDF#3323.iso
- Size: 1.0MB
- MD5: 9b5215624a292a67f7509361b5dda6cc
- SHA1: 36ff1eb10897ec793952ec048c66bf49405bf3b6
- SHA256: 04dfc89aacade90557c6006bc54fc9055c7e813f1b8d9f036b32f2cc2256e319
- SHA512: 22c6705da86e02e74e77a9685003513d1b9c77dfcaef050b29412e004c5415b369ee6066c8fe2bbb67c15f08728795fb011236972599ed83264b4c92f378ee57
- SSDEEP: 24576:0NSuK0NnWHpHpNHH2w2wywFHHyH5HGw9G:buKEWHpHpNHH2w2wywFHHyH5HGw9G
Malware Config
Extracted: icedid
- 2399258081
- eysneolissionsm.com
Signatures
- Blocklisted process makes network request (14 IoCs)
  flow  pid   process
  4     1100  rundll32.exe
  5     756   rundll32.exe
  6     1100  rundll32.exe
  7     756   rundll32.exe
  8     1100  rundll32.exe
  9     756   rundll32.exe
  10    1100  rundll32.exe
  11    756   rundll32.exe
  12    1100  rundll32.exe
  13    756   rundll32.exe
  15    1100  rundll32.exe
  16    756   rundll32.exe
  17    1100  rundll32.exe
  18    756   rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1100  rundll32.exe
  1100  rundll32.exe
  756   rundll32.exe
  756   rundll32.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  description                         pid   process
  Token: SeRestorePrivilege           1984  7zG.exe
  Token: 35                           1984  7zG.exe
  Token: SeSecurityPrivilege          1984  7zG.exe
  Token: SeSecurityPrivilege          1984  7zG.exe
  Token: SeRestorePrivilege           1800  7zG.exe
  Token: 35                           1800  7zG.exe
  Token: SeSecurityPrivilege          1800  7zG.exe
  Token: SeSecurityPrivilege          1800  7zG.exe
  Token: 33                           896   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   896   AUDIODG.EXE
  Token: 33                           896   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   896   AUDIODG.EXE
  Token: SeRestorePrivilege           1772  7zG.exe
  Token: 35                           1772  7zG.exe
  Token: SeSecurityPrivilege          1772  7zG.exe
  Token: SeSecurityPrivilege          1772  7zG.exe
  Token: SeRestorePrivilege           1576  7zG.exe
  Token: 35                           1576  7zG.exe
  Token: SeSecurityPrivilege          1576  7zG.exe
  Token: SeSecurityPrivilege          1576  7zG.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   process
  1984  7zG.exe
  1800  7zG.exe
  1772  7zG.exe
  1576  7zG.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   process      target process
  PID 1964 wrote to memory of 1332   1964  cmd.exe      isoburn.exe
  PID 1964 wrote to memory of 1332   1964  cmd.exe      isoburn.exe
  PID 1964 wrote to memory of 1332   1964  cmd.exe      isoburn.exe
  PID 1824 wrote to memory of 964    1824  WScript.exe  cmd.exe
  PID 1824 wrote to memory of 964    1824  WScript.exe  cmd.exe
  PID 1824 wrote to memory of 964    1824  WScript.exe  cmd.exe
  PID 964 wrote to memory of 1100    964   cmd.exe      rundll32.exe
  PID 964 wrote to memory of 1100    964   cmd.exe      rundll32.exe
  PID 964 wrote to memory of 1100    964   cmd.exe      rundll32.exe
  PID 1916 wrote to memory of 776    1916  WScript.exe  cmd.exe
  PID 1916 wrote to memory of 776    1916  WScript.exe  cmd.exe
  PID 1916 wrote to memory of 776    1916  WScript.exe  cmd.exe
  PID 776 wrote to memory of 756     776   cmd.exe      rundll32.exe
  PID 776 wrote to memory of 756     776   cmd.exe      rundll32.exe
  PID 776 wrote to memory of 756     776   cmd.exe      rundll32.exe
Processes (tree depth in brackets; each entry lists the image path, then its command line, then the signatures it triggered)

[1] C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323.iso
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\isoburn.exe
      "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323.iso"

[1] C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"

[1] C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

[1] C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323\" -ad -an -ai#7zMap5429:112:7zEvent29674
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323\" -ad -an -ai#7zMap20945:112:7zEvent8065
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"

[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x240
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Invoice_PDF#3323\" -spe -an -ai#7zMap8893:112:7zEvent21838
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap5751:90:7zEvent11836
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"

[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\unamortized\unquestioninglySheltered.js"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      cmd /c ""C:\unamortized\suspiciousEns.cmd" DLL"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\rundll32.exe
        runDLL32 unamortized\greenflies.db,#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\unamortized\unquestioninglySheltered.js"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\cmd.exe
      cmd /c ""C:\unamortized\suspiciousEns.cmd" DLL"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\rundll32.exe
        runDLL32 unamortized\greenflies.db,#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\cmd.exe
    cmd /c ""C:\unamortized\suspiciousEns.cmd" "
Downloads
- memory/756-94-0x0000000000000000-mapping.dmp
- memory/776-93-0x0000000000000000-mapping.dmp
- memory/964-90-0x0000000000000000-mapping.dmp
- memory/1100-91-0x0000000000000000-mapping.dmp
- memory/1100-95-0x0000000180000000-0x0000000180009000-memory.dmp (36KB)
- memory/1100-101-0x0000000000510000-0x0000000000516000-memory.dmp (24KB)
- memory/1332-76-0x0000000000000000-mapping.dmp
- memory/1964-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp (8KB)