Analysis
- max time kernel: 133s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 15:23
Static task
static1
Behavioral task
behavioral1
Sample
scan-8b2bda1b-2536-411b-a1b3-f54ce7e73124.iso
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
scan-8b2bda1b-2536-411b-a1b3-f54ce7e73124.iso
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
3270265e-2684-4dd5-a085-ade5cf0a4a35.dll
Resource
win7-20220901-en
Behavioral task
behavioral4
Sample
3270265e-2684-4dd5-a085-ade5cf0a4a35.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
scan-8b2bda1b-2536-411b-a1b3-f54ce7e73124.lnk
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
scan-8b2bda1b-2536-411b-a1b3-f54ce7e73124.lnk
Resource
win10v2004-20220812-en
General
- Target: scan-8b2bda1b-2536-411b-a1b3-f54ce7e73124.lnk
- Size: 1KB
- MD5: 00718d06a456f725b8e021b28f61aad0
- SHA1: 733a257e57ab16c206bd991c13ee5d9779a179ea
- SHA256: afdf46308c8696f9c9e8b1d0b8ab3889b81758506a4e7ab5cc028a5db1599e64
- SHA512: c1cbe2ef4e766b16d29a8fa87bad3944560c7307c993f49f12a310e32bc1653a79327d1ef78aebb031dc19d3f2c044301c6178743f491f5f1b87eb69187a8e16
Malware Config
Extracted
icedid
140125615
fireskupigar.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  3     1816  rundll32.exe
  4     1816  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1816  rundll32.exe
  1816  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                         pid   process  target process
  PID 884 wrote to memory of 1768     884   cmd.exe  cmd.exe
  PID 884 wrote to memory of 1768     884   cmd.exe  cmd.exe
  PID 884 wrote to memory of 1768     884   cmd.exe  cmd.exe
  PID 1768 wrote to memory of 1816    1768  cmd.exe  rundll32.exe
  PID 1768 wrote to memory of 1816    1768  cmd.exe  rundll32.exe
  PID 1768 wrote to memory of 1816    1768  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\scan-8b2bda1b-2536-411b-a1b3-f54ce7e73124.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start 192c0974-e386-46df-9219-6f8c457925f8.png && start ru^n^d^l^l3^2 3270265e-2684-4dd5-a085-ade5cf0a4a35.fVj,PluginInit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      rundll32 3270265e-2684-4dd5-a085-ade5cf0a4a35.fVj,PluginInit
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/884-54-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp (Filesize 8KB)
- memory/1768-89-0x0000000000000000-mapping.dmp
- memory/1768-143-0x0000000002050000-0x0000000002060000-memory.dmp (Filesize 64KB)
- memory/1816-144-0x0000000000000000-mapping.dmp
- memory/1816-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize 36KB)
- memory/1816-151-0x0000000000100000-0x0000000000106000-memory.dmp (Filesize 24KB)