Overview

Score: 10

Static task: static

Sample                    Platform             Score
ET.lnk                    windows7-x64         10
ET.lnk                    windows10-1703-x64   10
ET.lnk                    windows10-2004-x64   10
fumigating...es.cmd       windows7-x64         1
fumigating...es.cmd       windows10-1703-x64   1
fumigating...es.cmd       windows10-2004-x64   1
fumigating/erupt.dll      windows7-x64         3
fumigating/erupt.dll      windows10-1703-x64   3
fumigating/erupt.dll      windows10-2004-x64   3
fumigating...ty.cmd       windows7-x64         1
fumigating...ty.cmd       windows10-1703-x64   1
fumigating...ty.cmd       windows10-2004-x64   1

Analysis
- max time kernel: 184s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 14:08
Tasks

Task           Kind        Sample                      Resource
static1        Static      -                           -
behavioral1    Behavioral  ET.lnk                      win7-20220901-en
behavioral2    Behavioral  ET.lnk                      win10-20220812-en
behavioral3    Behavioral  ET.lnk                      win10v2004-20220812-en
behavioral4    Behavioral  fumigating/actuaries.cmd    win7-20220812-en
behavioral5    Behavioral  fumigating/actuaries.cmd    win10-20220812-en
behavioral6    Behavioral  fumigating/actuaries.cmd    win10v2004-20221111-en
behavioral7    Behavioral  fumigating/erupt.dll        win7-20221111-en
behavioral8    Behavioral  fumigating/erupt.dll        win10-20220901-en
behavioral9    Behavioral  fumigating/erupt.dll        win10v2004-20221111-en
behavioral10   Behavioral  fumigating/perplexity.cmd   win7-20221111-en
behavioral11   Behavioral  fumigating/perplexity.cmd   win10-20220901-en
behavioral12   Behavioral  fumigating/perplexity.cmd   win10v2004-20221111-en
General
- Target: ET.lnk
- Size: 1KB
- MD5: 4b80484dd006e1e0e88b4bd592e98da0
- SHA1: 5aa3d12864a2db3179d6a5f66ac293c57a332cf4
- SHA256: 999abe33ed3236e6e6a6864ab72b9e09ff9a4470783c746f068dea070020f147
- SHA512: 0ee0127c0ace5cd14e0b7bc09def52f9ff7ea8f39826c8236d4a4543a38d229aed704208c3c0b9ee41ce6e50fc97287cbf5a395fbf8ce72e73c7c3c337ad2c64
Malware Config
Extracted
- Family: icedid
- Campaign: 3738574432
- C2: aslowigza.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  11  2320  rundll32.exe
  28  2320  rundll32.exe
  41  2320  rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  2320  rundll32.exe
  2320  rundll32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 3900 wrote to memory of 4712  3900  cmd.exe  cmd.exe
  PID 3900 wrote to memory of 4712  3900  cmd.exe  cmd.exe
  PID 4712 wrote to memory of 1604  4712  cmd.exe  cmd.exe
  PID 4712 wrote to memory of 1604  4712  cmd.exe  cmd.exe
  PID 1604 wrote to memory of 3184  1604  cmd.exe  replace.exe
  PID 1604 wrote to memory of 3184  1604  cmd.exe  replace.exe
  PID 1604 wrote to memory of 2320  1604  cmd.exe  rundll32.exe
  PID 1604 wrote to memory of 2320  1604  cmd.exe  rundll32.exe
Processes (process tree; depth shown by indentation, command line after the image path)
- [1] C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ET.lnk
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c fumigating\actuaries.cmd
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K fumigating\perplexity.cmd system rundl
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\replace.exe
            replace C:\Windows\\system32\\rundlr32.exe C:\Users\Admin\AppData\Local\Temp /A
      - [4] C:\Windows\system32\rundll32.exe
            rundll32 fumigating\\erupt.tmp,init
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1604-133-0x0000000000000000-mapping.dmp
- memory/2320-135-0x0000000000000000-mapping.dmp
- memory/2320-136-0x0000000180000000-0x0000000180009000-memory.dmp (filesize: 36KB)
- memory/3184-134-0x0000000000000000-mapping.dmp
- memory/4712-132-0x0000000000000000-mapping.dmp