Analysis
- max time kernel: 120s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2022 10:35
- Static task: static1
General
- Target: Document_OF62.iso
- Size: 428KB
- MD5: 88c823ff377b101e6f948f3f34b467c5
- SHA1: ece067f744b35128b1ab6e0ddc142263ede1c3bd
- SHA256: e6a2e75a6b2a3f2ac324ed063728d53dd0ff40e24e2abe11a725c41a54aabfe9
- SHA512: ac31a111d171fb938665d84d76c026794efce66f45af8c738fc18cd569552a6d8f6b236cd71e6df3544ce45abceceeaef5147561f8c1e5f6107df3349cab11c3
- SSDEEP: 6144:dd1Im48xJjSbUhI77ETb+JS+lDDWbOrL/ZslDP/w+lDxlDuSTjQBRlDFKLEzbrbU:r1ImVJj0Rfyg7QKbuGiKpw9
Malware Config
Extracted
- Family: icedid
- Campaign: 426369791
- C2: ahilacarstrupert.com
Signatures

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    45    2508  rundll32.exe

- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc      process
    File opened (read-only)  \??\E:   cmd.exe
    File opened (read-only)  \??\E:   cmd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (1 IoC)
  Processes:
    description  ioc                                                                                     process
    Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  cmd.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2508  rundll32.exe
    2508  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                     pid   process
    Token: SeManageVolumePrivilege  4412  cmd.exe
    Token: SeManageVolumePrivilege  4412  cmd.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process  target process
    PID 1372 wrote to memory of 4816   1372  cmd.exe  cmd.exe
    PID 1372 wrote to memory of 4816   1372  cmd.exe  cmd.exe
    PID 4816 wrote to memory of 1328   4816  cmd.exe  replace.exe
    PID 4816 wrote to memory of 1328   4816  cmd.exe  replace.exe
    PID 4816 wrote to memory of 2508   4816  cmd.exe  rundll32.exe
    PID 4816 wrote to memory of 2508   4816  cmd.exe  rundll32.exe
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Document_OF62.iso
  PID: 4412
  Signatures:
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2160

- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""E:\belts\coleman.cmd" "
  PID: 1372
  Signatures:
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe (child of PID 1372)
    Command line: C:\Windows\system32\cmd.exe /K belts\sinus.cmd system rundl
    PID: 4816
    Signatures:
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\replace.exe (child of PID 4816)
      Command line: replace C:\Windows\\system32\\rundll32.exe C:\Users\Admin\AppData\Local\Temp /A
      PID: 1328

    - C:\Windows\system32\rundll32.exe (child of PID 4816)
      Command line: rundll32.exe belts\anyhow.tmp,#1
      PID: 2508
      Signatures:
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1328-133-0x0000000000000000-mapping.dmp
- memory/2508-134-0x0000000000000000-mapping.dmp
- memory/2508-135-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/2508-141-0x000001BE37D30000-0x000001BE37D36000-memory.dmp (Filesize: 24KB)
- memory/4816-132-0x0000000000000000-mapping.dmp