Analysis
- max time kernel: 152s
- max time network: 195s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 17:02
Static task: static1
Behavioral task: behavioral1
- Sample: for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.lnk
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.lnk
- Resource: win10v2004-20220812-en
General
- Target: for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.lnk
- Size: 1KB
- MD5: ac8170fe645bf52ef0404ca95dced2d3
- SHA1: 2fc3a8036b60f2ce158364a159ce6f856171da1b
- SHA256: d1b1e998906a646d6fed13a7cd45846b07c4e417f0cc5d0e7c76c51f5b2a50ac
- SHA512: c9d119d5dc4b82e8a55d761d91d9091c76073ccd59c7b838d1bb2d51a7006165066ad864886e98115153c632bf3842d53ce505c28603563190931b322d5215d7
Malware Config
Extracted
- Family: icedid
- 140125615
- fireskupigar.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - 3 / 692 / rundll32.exe
  - 4 / 692 / rundll32.exe
  - 5 / 692 / rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 692 / rundll32.exe
  - 692 / rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 1020 wrote to memory of 1432 / 1020 / cmd.exe / cmd.exe
  - PID 1020 wrote to memory of 1432 / 1020 / cmd.exe / cmd.exe
  - PID 1020 wrote to memory of 1432 / 1020 / cmd.exe / cmd.exe
  - PID 1432 wrote to memory of 692 / 1432 / cmd.exe / rundll32.exe
  - PID 1432 wrote to memory of 692 / 1432 / cmd.exe / rundll32.exe
  - PID 1432 wrote to memory of 692 / 1432 / cmd.exe / rundll32.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\for_you_presentation-1724680a-9d89-40b7-8567-6c8e5dba127b.lnk
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start c1d5a960-e1ca-4722-bc48-2892378f13f0.png && start ru^n^d^l^l3^2 8a290699-bad2-42d6-940c-8d61de06774c.VF4,PluginInit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\rundll32.exe
      Command line: rundll32 8a290699-bad2-42d6-940c-8d61de06774c.VF4,PluginInit
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/692-144-0x0000000000000000-mapping.dmp
- memory/692-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/692-151-0x0000000000180000-0x0000000000186000-memory.dmp (Filesize: 24KB)
- memory/1020-54-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp (Filesize: 8KB)
- memory/1432-89-0x0000000000000000-mapping.dmp
- memory/1432-143-0x0000000002050000-0x0000000002060000-memory.dmp (Filesize: 64KB)