Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 07:42
Static task: static1
Behavioral task: behavioral1
- Sample: demoscan-c49db520-dd57-4417-85a5-8dcf20de5330.lnk
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: demoscan-c49db520-dd57-4417-85a5-8dcf20de5330.lnk
- Resource: win10v2004-20220812-en
General
- Target: demoscan-c49db520-dd57-4417-85a5-8dcf20de5330.lnk
- Size: 1KB
- MD5: 8ca36e9fdc991883f27d51a0e82db255
- SHA1: 2cea6364d7592fd2d5ddc67ae6ec8caf08fb0cfb
- SHA256: be55bf499476985669eb72638cce8015ff6f0e70ceb8f7eb21ef30100bef0a1e
- SHA512: a0a57abab720f94b1d377954b1b3baaadfbebb9f97f1df76c2195fa887809014784653f6bbd0fd5b9db06cfb0a638b53663ebb981f4e35a31308dfffa92e4529
Malware Config
Extracted
- Family: icedid
- Campaign: 976968029
- C2: triskawilko.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - flow 2, pid 1736, rundll32.exe
  - flow 4, pid 1736, rundll32.exe
  - flow 5, pid 1736, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - pid 1736, rundll32.exe
  - pid 1736, rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 1428 wrote to memory of 1824: cmd.exe -> cmd.exe
  - PID 1428 wrote to memory of 1824: cmd.exe -> cmd.exe
  - PID 1428 wrote to memory of 1824: cmd.exe -> cmd.exe
  - PID 1824 wrote to memory of 1736: cmd.exe -> rundll32.exe
  - PID 1824 wrote to memory of 1736: cmd.exe -> rundll32.exe
  - PID 1824 wrote to memory of 1736: cmd.exe -> rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\demoscan-c49db520-dd57-4417-85a5-8dcf20de5330.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start 9a97d472-03a2-4793-a553-5ececb38b438.png && start ru^n^d^l^l3^2 ed1a6704-e078-46a8-89d1-515032f1dff0.Q9s,PluginInit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe
         rundll32 ed1a6704-e078-46a8-89d1-515032f1dff0.Q9s,PluginInit
         - Blocklisted process makes network request
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1428-54-0x000007FEFB821000-0x000007FEFB823000-memory.dmp (Filesize: 8KB)
- memory/1736-144-0x0000000000000000-mapping.dmp
- memory/1736-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/1736-151-0x0000000000100000-0x0000000000106000-memory.dmp (Filesize: 24KB)
- memory/1824-89-0x0000000000000000-mapping.dmp
- memory/1824-143-0x0000000002000000-0x0000000002010000-memory.dmp (Filesize: 64KB)