Overview (score: 10)

Static
  static

Tasks
  Sample                  Platform            Score
  ET.lnk                  windows7-x64        10
  ET.lnk                  windows10-1703-x64  10
  ET.lnk                  windows10-2004-x64  10
  developer/...ng.cmd     windows7-x64        1
  developer/...ng.cmd     windows10-1703-x64  1
  developer/...ng.cmd     windows10-2004-x64  1
  developer/inhales.cmd   windows7-x64        1
  developer/inhales.cmd   windows10-1703-x64  1
  developer/inhales.cmd   windows10-2004-x64  1
  developer/...ss.dll     windows7-x64        3
  developer/...ss.dll     windows10-1703-x64  3
  developer/...ss.dll     windows10-2004-x64  3

Analysis
  max time kernel:   132s
  max time network:  137s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         08-12-2022 14:49
Static task: static1

Behavioral task   Sample                        Resource
behavioral1       ET.lnk                        win7-20220812-en
behavioral2       ET.lnk                        win10-20220812-en
behavioral3       ET.lnk                        win10v2004-20220812-en
behavioral4       developer/becoming.cmd        win7-20220812-en
behavioral5       developer/becoming.cmd        win10-20220812-en
behavioral6       developer/becoming.cmd        win10v2004-20220901-en
behavioral7       developer/inhales.cmd         win7-20220812-en
behavioral8       developer/inhales.cmd         win10-20220901-en
behavioral9       developer/inhales.cmd         win10v2004-20220812-en
behavioral10      developer/nevertheless.dll    win7-20221111-en
behavioral11      developer/nevertheless.dll    win10-20220901-en
behavioral12      developer/nevertheless.dll    win10v2004-20221111-en
General
  Target:  ET.lnk
  Size:    1KB
  MD5:     02f57b1af9c0719d29175743a380e724
  SHA1:    de0f7e98cb9fffd835601f32b671778fe8e6cb7b
  SHA256:  54ea0e71bfa44198d69f3f08e3e6a21545034922c8d42b25ac698985be076133
  SHA512:  4ae240b7dcf6a0263bf9b7669ff52d73d3bd03e47f93c4a44785876ba57865867eceeed8fe8fdb1427ab9c65711256b81f7f51f63ec67653fa88314c57809705
Malware Config
  Extracted
    Family:    icedid
    Campaign:  3738574432
    C2:        aslowigza.com
Signatures

  Blocklisted process makes network request (3 IoCs)
    Processes:
      flow  pid  process
      2     584  rundll32.exe
      4     584  rundll32.exe
      5     584  rundll32.exe

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes:
      pid  process
      584  rundll32.exe
      584  rundll32.exe

  Suspicious use of WriteProcessMemory (12 IoCs)
    Processes:
      description                       pid   process   target process
      PID 544 wrote to memory of 2020   544   cmd.exe   cmd.exe
      PID 544 wrote to memory of 2020   544   cmd.exe   cmd.exe
      PID 544 wrote to memory of 2020   544   cmd.exe   cmd.exe
      PID 2020 wrote to memory of 1768  2020  cmd.exe   cmd.exe
      PID 2020 wrote to memory of 1768  2020  cmd.exe   cmd.exe
      PID 2020 wrote to memory of 1768  2020  cmd.exe   cmd.exe
      PID 1768 wrote to memory of 664   1768  cmd.exe   replace.exe
      PID 1768 wrote to memory of 664   1768  cmd.exe   replace.exe
      PID 1768 wrote to memory of 664   1768  cmd.exe   replace.exe
      PID 1768 wrote to memory of 584   1768  cmd.exe   rundll32.exe
      PID 1768 wrote to memory of 584   1768  cmd.exe   rundll32.exe
      PID 1768 wrote to memory of 584   1768  cmd.exe   rundll32.exe
Processes

  [1] C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ET.lnk
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c developer\becoming.cmd
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K developer\inhales.cmd system rundl
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\system32\replace.exe
            replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A

        [4] C:\Windows\system32\rundll32.exe
            rundll32 developer\\nevertheless.tmp,init
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  memory/544-54-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp   (Filesize: 8KB)
  memory/584-91-0x0000000000000000-mapping.dmp
  memory/584-92-0x0000000180000000-0x0000000180009000-memory.dmp   (Filesize: 36KB)
  memory/664-90-0x0000000000000000-mapping.dmp
  memory/1768-89-0x0000000000000000-mapping.dmp
  memory/2020-88-0x0000000000000000-mapping.dmp