Analysis
max time kernel: 102s
max time network: 104s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2022 19:37
Static task: static1
Behavioral task: behavioral1
  Sample: scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
  Resource: win10v2004-20220901-en
General
Target: scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
Size: 1KB
MD5: 87e7e9a47ce80f3e08c9f68b903a92fa
SHA1: b529db83c6c9ed87874139b2c26dd98010a08716
SHA256: 327ca4b52987166a7c70153317423d47ea8682f7a1930ee5c9d85a5085070a7a
SHA512: 407aacaca065d82091bceeae8388bc6043f16eda7c19286312615caedcf3db10cc3a831ac324c6592b4c31d4b5d9fd50d60f385ed4da5de4debc84b81c683222
Malware Config
Extracted
Family: icedid
976968029
triskawilko.com
Signatures
Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    2     2044  rundll32.exe
    4     2044  rundll32.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2044  rundll32.exe
    2044  rundll32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process  target process
    PID 1884 wrote to memory of 564    1884  cmd.exe  cmd.exe
    PID 1884 wrote to memory of 564    1884  cmd.exe  cmd.exe
    PID 1884 wrote to memory of 564    1884  cmd.exe  cmd.exe
    PID 564 wrote to memory of 2044    564   cmd.exe  rundll32.exe
    PID 564 wrote to memory of 2044    564   cmd.exe  rundll32.exe
    PID 564 wrote to memory of 2044    564   cmd.exe  rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\scan-51ea58dd-5b6a-4f56-9717-b102df29341d.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start f9382d62-4430-4827-8142-a001624533d3.png && start ru^n^d^l^l3^2 726b3c59-d5fb-430f-9190-c7e885ac91f3.neU,PluginInit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe
         rundll32 726b3c59-d5fb-430f-9190-c7e885ac91f3.neU,PluginInit
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/564-89-0x0000000000000000-mapping.dmp
memory/564-143-0x00000000022D0000-0x00000000022E0000-memory.dmp (Filesize: 64KB)
memory/1884-54-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp (Filesize: 8KB)
memory/2044-144-0x0000000000000000-mapping.dmp
memory/2044-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
memory/2044-151-0x0000000000280000-0x0000000000286000-memory.dmp (Filesize: 24KB)