Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2022 11:45
Static task: static1

Behavioral task: behavioral1
- Sample: scan-eff31ce0-a3c0-46d8-908b-4e425511445e.lnk
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: scan-eff31ce0-a3c0-46d8-908b-4e425511445e.lnk
- Resource: win10v2004-20220812-en
General
- Target: scan-eff31ce0-a3c0-46d8-908b-4e425511445e.lnk
- Size: 1KB
- MD5: 8ff28dca0999e8569056509466709056
- SHA1: 7c035f7f672e4710e2cd56ceca55e8a380668342
- SHA256: 2b5bf9ed72e3456aa25a0c70166b18a1ea29c7b203b11fdc6a316b7b2658e786
- SHA512: ecff57c3b2ea3eec5263f0a6a659f5f85e5caacd09002ad2c8cb716ca4a9a506d9a45e676c864a9a5088010a1e298302200cc1e5ae41958857e4eda25ffb1f63
Malware Config
Extracted:
- icedid
- 140125615
- fireskupigar.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow  pid   process
    2     1260  rundll32.exe
    4     1260  rundll32.exe
    5     1260  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1260  rundll32.exe
    1260  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process  target process
    PID 1380 wrote to memory of 1492   1380  cmd.exe  cmd.exe
    PID 1380 wrote to memory of 1492   1380  cmd.exe  cmd.exe
    PID 1380 wrote to memory of 1492   1380  cmd.exe  cmd.exe
    PID 1492 wrote to memory of 1260   1492  cmd.exe  rundll32.exe
    PID 1492 wrote to memory of 1260   1492  cmd.exe  rundll32.exe
    PID 1492 wrote to memory of 1260   1492  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\scan-eff31ce0-a3c0-46d8-908b-4e425511445e.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start fcdb70d3-d57c-4d59-8fdc-0fb92d849a6f.png && start ru^n^d^l^l3^2 f9278b9d-76e2-4906-a05d-e32838817e53.ns7,PluginInit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32 f9278b9d-76e2-4906-a05d-e32838817e53.ns7,PluginInit
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1260-144-0x0000000000000000-mapping.dmp
- memory/1260-145-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/1260-151-0x0000000000200000-0x0000000000206000-memory.dmp (Filesize: 24KB)
- memory/1380-54-0x000007FEFB631000-0x000007FEFB633000-memory.dmp (Filesize: 8KB)
- memory/1492-89-0x0000000000000000-mapping.dmp
- memory/1492-143-0x00000000021D0000-0x00000000021E0000-memory.dmp (Filesize: 64KB)