Overview

Overall score: 10

Tasks (score per task):

  static       Static                  (no score listed)
  behavioral   ET.lnk                  windows7-x64        10
  behavioral   ET.lnk                  windows10-2004-x64  10
  behavioral   startles/alwinton.cmd   windows7-x64        1
  behavioral   startles/alwinton.cmd   windows10-2004-x64  1
  behavioral   startles/beriberi.cmd   windows7-x64        1
  behavioral   startles/beriberi.cmd   windows10-2004-x64  1
  behavioral   startles/racially.dll   windows7-x64        3
  behavioral   startles/racially.dll   windows10-2004-x64  3

Analysis
  max time kernel:   127s
  max time network:  148s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         08-12-2022 09:54
Tasks

  static1      Static task
  behavioral1  ET.lnk                  win7-20220812-en
  behavioral2  ET.lnk                  win10v2004-20221111-en
  behavioral3  startles/alwinton.cmd   win7-20220812-en
  behavioral4  startles/alwinton.cmd   win10v2004-20221111-en
  behavioral5  startles/beriberi.cmd   win7-20220812-en
  behavioral6  startles/beriberi.cmd   win10v2004-20221111-en
  behavioral7  startles/racially.dll   win7-20221111-en
  behavioral8  startles/racially.dll   win10v2004-20220812-en
General

  Target:  ET.lnk
  Size:    1KB
  MD5:     ede918f2f8dfce7f7288eb102eddaff0
  SHA1:    11ff96d1dd5853afaef2b9aded027165b2d13344
  SHA256:  0dc469a094bef4df033b846708bab4c32cdca0595ef2210aaef1c834a49073cb
  SHA512:  33d2ac8d93747fd9c470ef64f4937a9be84f7b278157ec67c9f44cc33a69de4c0b11aa658754b02b53d78b40ce071a1799e32f13a9507b963c8110f5b6d3f5fb
Malware Config

Extracted
  Family:    icedid
  Campaign:  3738574432
  C2:        aslowigza.com
Signatures

- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
    flow 2  pid 1468  rundll32.exe
    flow 4  pid 1468  rundll32.exe
    flow 5  pid 1468  rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. The extracted configuration above identifies the payload as IcedID, a banking trojan and loader, not ransomware; treat the drive enumeration here as reconnaissance rather than evidence of encryption.)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid 1468  rundll32.exe
    pid 1468  rundll32.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: cmd.exe, cmd.exe, cmd.exe
    PID 748   wrote to memory of 2036  (cmd.exe -> cmd.exe)       x3
    PID 2036  wrote to memory of 1040  (cmd.exe -> cmd.exe)       x3
    PID 1040  wrote to memory of 1220  (cmd.exe -> replace.exe)   x3
    PID 1040  wrote to memory of 1468  (cmd.exe -> rundll32.exe)  x3
Processes

C:\Windows\system32\cmd.exe  [depth 1]
    cmd /c C:\Users\Admin\AppData\Local\Temp\ET.lnk
    - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  [depth 2]
      "C:\Windows\System32\cmd.exe" /c startles\beriberi.cmd
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  [depth 3]
        C:\Windows\system32\cmd.exe /K startles\alwinton.cmd system rundl
        - Suspicious use of WriteProcessMemory
      C:\Windows\system32\replace.exe  [depth 4]
          replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
      C:\Windows\system32\rundll32.exe  [depth 4]
          rundll32 startles\\racially.tmp,init
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses

Read together with the PIDs in the signatures: the LNK (748) runs startles\beriberi.cmd (2036), which runs startles\alwinton.cmd with the arguments "system rundl" (1040). That batch spawns replace.exe (1220) to copy a file out of C:\Windows\system32 into the user's Temp directory, then rundll32 (1468) to load startles\racially.tmp and call its init export. The module ships in the archive as startles/racially.dll but is loaded under the .tmp name. PID 1468 is the only process in the tree that makes network requests and enumerates processes, so it is where the IcedID payload executes. The command lines are reproduced exactly as the sandbox captured them, including the source path passed to replace.exe.
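Detection logic for the chain above, as an added example that is not part of the Triage report. The events are constructed here to mirror the process tree (PIDs and command lines copied from the report; they are not captured Sysmon or EDR logs). It flags replace.exe copying a System32 binary into a user-writable directory, rundll32 loading a module whose extension is not .dll with a named export, and correlates the two on a shared parent process. The rule names, the ProcEvent shape and the set of "user-writable" paths are assumptions of this example.

```python
"""Detection logic for the LNK -> cmd -> replace.exe -> rundll32 chain.

REPORT_EVENTS is constructed to mirror the report's process tree; it is
not captured telemetry. Checks:
  1. replace.exe copying a binary out of System32 into a user-writable dir.
  2. rundll32 loading a non-.dll module and calling a named export.
  3. correlation: both hits spawned by the same parent process.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 marks the tree root.
REPORT_EVENTS: List[ProcEvent] = [
    ProcEvent(748, 0, r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\ET.lnk"),
    ProcEvent(2036, 748, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c startles\beriberi.cmd'),
    ProcEvent(1040, 2036, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /K startles\alwinton.cmd system rundl"),
    ProcEvent(1220, 1040, r"C:\Windows\system32\replace.exe",
              r"replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A"),
    ProcEvent(1468, 1040, r"C:\Windows\system32\rundll32.exe",
              r"rundll32 startles\\racially.tmp,init"),
]

# Source path under System32 (tolerates the doubled backslashes seen in the report).
_SYSTEM32 = re.compile(r"^[a-z]:\\+windows\\+system32\\+", re.I)
# Destinations an unprivileged user can write to (assumed list for this example).
_USER_WRITABLE = re.compile(
    r"\\appdata\\local\\temp(\\|$)|\\users\\public(\\|$)|\\programdata(\\|$)", re.I)
# rundll32 <module>,<export>; the module may be quoted.
_RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>[^\s"]+)', re.I)


def replace_copies_system_binary(ev: ProcEvent) -> bool:
    """replace.exe <System32 source> <user-writable destination> [/A ...]."""
    if not ev.image.lower().endswith("\\replace.exe"):
        return False
    # Positional arguments only; /A, /R and similar are switches.
    args = [a.strip('"') for a in ev.cmdline.split()[1:] if not a.startswith("/")]
    if len(args) < 2:
        return False
    src, dst = args[0], args[1]
    return bool(_SYSTEM32.match(src) and _USER_WRITABLE.search(dst))


def rundll32_loads_nondll(ev: ProcEvent) -> Optional[Dict[str, str]]:
    """Return {module, export} when rundll32 loads a module not named *.dll."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = _RUNDLL.search(ev.cmdline)
    if not m:
        return None
    module = m.group("module").strip()
    if module.lower().endswith(".dll"):
        return None
    return {"module": module, "export": m.group("export")}


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Root-to-leaf PID chain for pid; stops on cycles in malformed logs."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in chain:
        chain.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[Dict]:
    """Run both rules over the events and attach each hit's process ancestry."""
    hits: List[Dict] = []
    for ev in events:
        if replace_copies_system_binary(ev):
            hits.append({"rule": "replace_system32_to_user_dir", "pid": ev.pid,
                         "chain": ancestry(events, ev.pid)})
        info = rundll32_loads_nondll(ev)
        if info:
            hits.append({"rule": "rundll32_nondll_module", "pid": ev.pid,
                         "chain": ancestry(events, ev.pid), **info})
    return hits


def share_parent(hits: List[Dict]) -> bool:
    """True when a replace.exe hit and a rundll32 hit have the same direct parent."""
    parents: Dict[str, set] = {}
    for h in hits:
        if len(h["chain"]) >= 2:
            parents.setdefault(h["rule"], set()).add(h["chain"][-2])
    return bool(parents.get("replace_system32_to_user_dir", set())
                & parents.get("rundll32_nondll_module", set()))


if __name__ == "__main__":
    found = detect(REPORT_EVENTS)
    for h in found:
        print(h)
    print("correlated on shared parent:", share_parent(found))
```

Against the constructed events both rules fire (PIDs 1220 and 1468) with the same parent 1040, and a legitimate rundll32 shell32.dll,Control_RunDLL invocation does not. In production, feed the same functions Sysmon Event ID 1 records, and keep the correlation step: replace.exe alone, or rundll32 with an odd extension alone, each has benign uses.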
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  memory/748-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp    8KB
  memory/1040-89-0x0000000000000000-mapping.dmp
  memory/1220-90-0x0000000000000000-mapping.dmp
  memory/1468-91-0x0000000000000000-mapping.dmp
  memory/1468-92-0x0000000180000000-0x0000000180009000-memory.dmp   36KB
  memory/2036-88-0x0000000000000000-mapping.dmp

The 36KB region at 0x180000000 in PID 1468 (rundll32.exe) sits at the default image base for 64-bit DLLs, so it is the dump to examine first for the module loaded as startles\racially.tmp; the 748-54 file is an 8KB region from the first cmd.exe, and the remaining entries are process mapping records rather than memory contents.