Analysis
- max time kernel: 126s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2022 09:07
Static task
- static1

Behavioral tasks
- behavioral1: sample iced2/Irs.lnk, resource win7-20220812-en
- behavioral2: sample iced2/Irs.lnk, resource win10v2004-20220901-en
- behavioral3: sample iced2/secgymoddkid/electrofishing.dll, resource win7-20221111-en
- behavioral4: sample iced2/secgymoddkid/electrofishing.dll, resource win10v2004-20220812-en
- behavioral5: sample iced2/secgymoddkid/sewala.cmd, resource win7-20221111-en
- behavioral6: sample iced2/secgymoddkid/sewala.cmd, resource win10v2004-20221111-en
General
- Target: iced2/Irs.lnk
- Size: 2KB
- MD5: ed82b09fbd31c19a4a0aa50659dfa954
- SHA1: e331feabbc2305bec1c1c9dfa021087ea3b4d5c1
- SHA256: f79d35810f6088c5bce23c8273ab17116ba575e676bef707185724a10984affb
- SHA512: 50fc4e0f2d0980ffd494414ae827e793a17fcc4d2116bbf95ff6445573a5124c79e07ebbf7af8d0003343e62ba20b7f81d0aedc5f18f0cff2ef30542718148b0
Malware Config (extracted)
- family: icedid
- campaign: 1268412609
- C2: ewgahskoot.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  - flow 2, pid 1796, rundll32.exe
  - flow 4, pid 1796, rundll32.exe
  - flow 5, pid 1796, rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - pid 1796, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - pid 1796, rundll32.exe
  - pid 1796, rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 1408 wrote to memory of 1784: 1408 cmd.exe -> cmd.exe
  - PID 1408 wrote to memory of 1784: 1408 cmd.exe -> cmd.exe
  - PID 1408 wrote to memory of 1784: 1408 cmd.exe -> cmd.exe
  - PID 1784 wrote to memory of 1120: 1784 cmd.exe -> xcopy.exe
  - PID 1784 wrote to memory of 1120: 1784 cmd.exe -> xcopy.exe
  - PID 1784 wrote to memory of 1120: 1784 cmd.exe -> xcopy.exe
  - PID 1784 wrote to memory of 1796: 1784 cmd.exe -> rundll32.exe
  - PID 1784 wrote to memory of 1796: 1784 cmd.exe -> rundll32.exe
  - PID 1784 wrote to memory of 1796: 1784 cmd.exe -> rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\iced2\Irs.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c secgymoddkid\sewala.cmd
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      command line: xcopy /s /i /e /h secgymoddkid\electrofishing.tmp C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      command line: rundll32 C:\Users\Admin\AppData\Local\Temp\electrofishing.tmp,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\electrofishing.tmp
  - Filesize: 374KB
  - MD5: 84e6e93a8f4b9fd5810052d501cde0ef
  - SHA1: 1be390eeb1fc440f0ac7aae3f3a30406b735e8ae
  - SHA256: 9141d339ec21a8b8c71df0ffa8a205c9d8af4441e74f7548e6847c106c663b23
  - SHA512: 4925461622045335635972396aed2d5a84e47eef590c17521eca6db1f8507698fe880280f2e652bbcd6994ae3bd66e486fc6271e841e01075a4fb07aa6b6989e
- \Users\Admin\AppData\Local\Temp\electrofishing.tmp
  - Filesize: 374KB
  - MD5: 84e6e93a8f4b9fd5810052d501cde0ef
  - SHA1: 1be390eeb1fc440f0ac7aae3f3a30406b735e8ae
  - SHA256: 9141d339ec21a8b8c71df0ffa8a205c9d8af4441e74f7548e6847c106c663b23
  - SHA512: 4925461622045335635972396aed2d5a84e47eef590c17521eca6db1f8507698fe880280f2e652bbcd6994ae3bd66e486fc6271e841e01075a4fb07aa6b6989e
- memory/1120-92-0x0000000000000000-mapping.dmp
- memory/1408-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
  - Filesize: 8KB
- memory/1784-88-0x0000000000000000-mapping.dmp
- memory/1796-93-0x0000000000000000-mapping.dmp
- memory/1796-96-0x0000000000390000-0x0000000000399000-memory.dmp
  - Filesize: 36KB