Overview
Score: 10

Tasks (score per task):
- Static
- ET.lnk (windows7-x64): 10
- ET.lnk (windows10-2004-x64): 10
- startles/alwinton.cmd (windows7-x64): 1
- startles/alwinton.cmd (windows10-2004-x64): 1
- startles/beriberi.cmd (windows7-x64): 1
- startles/beriberi.cmd (windows10-2004-x64): 1
- startles/racially.dll (windows7-x64): 3
- startles/racially.dll (windows10-2004-x64): 3

Analysis
- max time kernel: 151s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 09:54
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: ET.lnk, win7-20220812-en
- behavioral2: ET.lnk, win10v2004-20221111-en
- behavioral3: startles/alwinton.cmd, win7-20220812-en
- behavioral4: startles/alwinton.cmd, win10v2004-20221111-en
- behavioral5: startles/beriberi.cmd, win7-20220812-en
- behavioral6: startles/beriberi.cmd, win10v2004-20221111-en
- behavioral7: startles/racially.dll, win7-20221111-en
- behavioral8: startles/racially.dll, win10v2004-20220812-en
General
- Target: ET.lnk
- Size: 1KB
- MD5: ede918f2f8dfce7f7288eb102eddaff0
- SHA1: 11ff96d1dd5853afaef2b9aded027165b2d13344
- SHA256: 0dc469a094bef4df033b846708bab4c32cdca0595ef2210aaef1c834a49073cb
- SHA512: 33d2ac8d93747fd9c470ef64f4937a9be84f7b278157ec67c9f44cc33a69de4c0b11aa658754b02b53d78b40ce071a1799e32f13a9507b963c8110f5b6d3f5fb
Malware Config
Extracted:
- Family: icedid
- Campaign: 3738574432
- C2: aslowigza.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  - flow 20, pid 3772, rundll32.exe
  - flow 55, pid 3772, rundll32.exe
  - flow 88, pid 3772, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 3772 rundll32.exe
  - 3772 rundll32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 380 wrote to memory of 3600: cmd.exe -> cmd.exe
  - PID 380 wrote to memory of 3600: cmd.exe -> cmd.exe
  - PID 3600 wrote to memory of 3408: cmd.exe -> cmd.exe
  - PID 3600 wrote to memory of 3408: cmd.exe -> cmd.exe
  - PID 3408 wrote to memory of 1752: cmd.exe -> replace.exe
  - PID 3408 wrote to memory of 1752: cmd.exe -> replace.exe
  - PID 3408 wrote to memory of 3772: cmd.exe -> rundll32.exe
  - PID 3408 wrote to memory of 3772: cmd.exe -> rundll32.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ET.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c startles\beriberi.cmd
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K startles\alwinton.cmd system rundl
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\replace.exe
        Command line: replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
      - C:\Windows\system32\rundll32.exe
        Command line: rundll32 startles\\racially.tmp,init
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1752-134-0x0000000000000000-mapping.dmp
- memory/3408-133-0x0000000000000000-mapping.dmp
- memory/3600-132-0x0000000000000000-mapping.dmp
- memory/3772-135-0x0000000000000000-mapping.dmp
- memory/3772-136-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)