Analysis
max time kernel
123s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
12-12-2022 09:07
Static task
static1
Behavioral task
behavioral1
Sample
iced2/Irs.lnk
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
iced2/Irs.lnk
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
iced2/secgymoddkid/electrofishing.dll
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
iced2/secgymoddkid/electrofishing.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
iced2/secgymoddkid/sewala.cmd
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
iced2/secgymoddkid/sewala.cmd
Resource
win10v2004-20221111-en
General
Target
iced2/Irs.lnk
Size
2KB
MD5
ed82b09fbd31c19a4a0aa50659dfa954
SHA1
e331feabbc2305bec1c1c9dfa021087ea3b4d5c1
SHA256
f79d35810f6088c5bce23c8273ab17116ba575e676bef707185724a10984affb
SHA512
50fc4e0f2d0980ffd494414ae827e793a17fcc4d2116bbf95ff6445573a5124c79e07ebbf7af8d0003343e62ba20b7f81d0aedc5f18f0cff2ef30542718148b0
Malware Config
Extracted
Family
icedid
Campaign
1268412609
C2
ewgahskoot.com
Signatures
Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
flow  pid   process
7     4168  rundll32.exe
44    4168  rundll32.exe
47    4168  rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description        ioc                                                                                                        process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid   process
4168  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid   process
4168  rundll32.exe
4168  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, cmd.exe
description                        pid   process   target process
PID 4992 wrote to memory of 3516   4992  cmd.exe   cmd.exe
PID 4992 wrote to memory of 3516   4992  cmd.exe   cmd.exe
PID 3516 wrote to memory of 4928   3516  cmd.exe   xcopy.exe
PID 3516 wrote to memory of 4928   3516  cmd.exe   xcopy.exe
PID 3516 wrote to memory of 4168   3516  cmd.exe   rundll32.exe
PID 3516 wrote to memory of 4168   3516  cmd.exe   rundll32.exe
Processes
C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\iced2\Irs.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c secgymoddkid\sewala.cmd
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\xcopy.exe
            xcopy /s /i /e /h secgymoddkid\electrofishing.tmp C:\Users\Admin\AppData\Local\Temp\*
        C:\Windows\system32\rundll32.exe
            rundll32 C:\Users\Admin\AppData\Local\Temp\electrofishing.tmp,init
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\electrofishing.tmp
Filesize
374KB
MD5
84e6e93a8f4b9fd5810052d501cde0ef
SHA1
1be390eeb1fc440f0ac7aae3f3a30406b735e8ae
SHA256
9141d339ec21a8b8c71df0ffa8a205c9d8af4441e74f7548e6847c106c663b23
SHA512
4925461622045335635972396aed2d5a84e47eef590c17521eca6db1f8507698fe880280f2e652bbcd6994ae3bd66e486fc6271e841e01075a4fb07aa6b6989e
memory/3516-132-0x0000000000000000-mapping.dmp
memory/4168-134-0x0000000000000000-mapping.dmp
memory/4168-137-0x000001A605820000-0x000001A605829000-memory.dmp
Filesize
36KB
memory/4928-133-0x0000000000000000-mapping.dmp