Analysis
- max time kernel: 122s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-01-2023 02:43
Static task
- static1

Behavioral tasks
- behavioral1: Sample icedid/INV.lnk, Resource win7-20221111-en
- behavioral2: Sample icedid/INV.lnk, Resource win10v2004-20221111-en
- behavioral3: Sample icedid/napphipolD/chialaDeeA.cmd, Resource win7-20221111-en
- behavioral4: Sample icedid/napphipolD/chialaDeeA.cmd, Resource win10v2004-20220812-en
- behavioral5: Sample icedid/napphipolD/limiting.dll, Resource win7-20220901-en
- behavioral6: Sample icedid/napphipolD/limiting.dll, Resource win10v2004-20220812-en
General
- Target: icedid/INV.lnk
- Size: 1KB
- MD5: a5bf79eb941c6b46c54f1c7eeed61e0b
- SHA1: c3e4aaf8a1ead1b0e7839c23f39285ce6201a667
- SHA256: 7149d908813641a2262abf5d9904879f4336b66d0e62fae49dc79465a6058d14
- SHA512: 5754cec3462d503940593ca01408cef41624cf0186e28995a26bd49e735a0224c5285477c2fe22377b1a48b8b5eb338563a7396c75b39394a4732d2c39289985
Malware Config
Extracted (family: icedid)
- 1387823457 (campaign ID)
- allertmnemonkik.com (C2 domain)
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  6, 968, rundll32.exe
  40, 968, rundll32.exe
  48, 968, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description, ioc, process):
  Key value queried, \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, cmd.exe
  Note that the query is made by cmd.exe (PID 2728, the process that ran INV.lnk), not by the dropped DLL, so the location check sits at the very start of the chain.
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  968, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature; nothing else in this report (the only dropped file is limiting.dat, and no encrypted or renamed files are listed) indicates encryption activity, and the extracted config identifies the family as IcedID.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  968, rundll32.exe
  968, rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 2728 wrote to memory of 4992, 2728, cmd.exe, cmd.exe
  PID 2728 wrote to memory of 4992, 2728, cmd.exe, cmd.exe
  PID 4992 wrote to memory of 728, 4992, cmd.exe, xcopy.exe
  PID 4992 wrote to memory of 728, 4992, cmd.exe, xcopy.exe
  PID 4992 wrote to memory of 968, 4992, cmd.exe, rundll32.exe
  PID 4992 wrote to memory of 968, 4992, cmd.exe, rundll32.exe
  Each pair is a parent writing into a child it has just spawned (compare the process tree below); no write targets a process outside the chain, so this signature on its own is not evidence of injection into a foreign process.
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\icedid\INV.lnk
  PID: 2728
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c napphipolD\chialaDeeA.cmd A B C D E F G H I J K L M N O P s R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    PID: 4992
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h napphipolD\limiting.dat C:\Users\Admin\AppData\Local\Temp\*
      PID: 728
    - C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\limiting.dat,init
      PID: 968
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

Read top to bottom: the LNK runs the batch file chialaDeeA.cmd with the alphabet and digits as positional parameters (note the single lowercase "s" in an otherwise upper-case list; keep it verbatim in any command-line IoC), the batch file copies limiting.dat out of the napphipolD folder into %TEMP% with xcopy, and rundll32 loads that .dat file and calls its init export. The .dat extension changes nothing about what rundll32 executes, it loads the file as a DLL regardless of name, so a detection that only looks for rundll32 with a .dll argument misses this chain.
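Detection logic for the chain above and for the geofence registry query listed under Signatures, as an added example that is not part of the sandbox report: a Python script run over constructed, Sysmon-like process-creation and registry-access records built from the PIDs, command lines and registry path in this report. The record layout, the parent PID 1000 for the root process, the benign control event, the function names and the thresholds are assumptions of this example.

```python
import re

# Constructed sample events for this added example (not sandbox output).
# PIDs, images, command lines and the registry path come from the report's
# process tree and Signatures sections; the dict layout is an assumption:
# a stripped-down Sysmon Event ID 1 (process create) / Event ID 12
# (registry object access) record. Parent PID 1000 is invented.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"id": 1, "pid": 2728, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": rf"cmd /c {TEMP}\icedid\INV.lnk"},
    {"id": 12, "pid": 2728, "image": r"C:\Windows\system32\cmd.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"
               r"\Control Panel\International\Geo\Nation"},
    {"id": 1, "pid": 4992, "ppid": 2728, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c napphipolD\chialaDeeA.cmd '
                "A B C D E F G H I J K L M N O P s R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9"},
    {"id": 1, "pid": 728, "ppid": 4992, "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": rf"xcopy /s /i /e /h napphipolD\limiting.dat {TEMP}\*"},
    {"id": 1, "pid": 968, "ppid": 4992, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": rf"rundll32 {TEMP}\limiting.dat,init"},
    # Benign control (constructed): rundll32 loading a real .dll from System32.
    {"id": 1, "pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

RUNDLL_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
GEO_NATION = "\\control panel\\international\\geo\\nation"


def rundll32_module(cmdline):
    """Split a rundll32 command line into (module_path, export), or None."""
    m = RUNDLL_RE.match(cmdline.strip())
    return (m.group(1), m.group(2)) if m else None


def suspicious_rundll32(cmdline):
    """Flag rundll32 loading a module not named *.dll from a user-writable
    directory. rundll32 passes the path to LoadLibrary, so the .dat name in
    the report changes nothing; requiring both conditions is this example's
    heuristic, not a rule from the report."""
    parsed = rundll32_module(cmdline)
    if parsed is None:
        return None
    path, export = parsed
    low = path.lower()
    if not low.endswith(".dll") and any(d in low for d in USER_WRITABLE):
        return {"module": path, "export": export}
    return None


def is_geofence_query(target):
    """True for a read of the Control Panel\\International\\Geo\\Nation value,
    the country code the report shows cmd.exe querying."""
    return target.lower().endswith(GEO_NATION)


def single_char_args(cmdline):
    """Count single-character arguments after 'cmd /c <script>'. The batch
    file in the report receives the alphabet and digits this way; the
    threshold applied in find_findings is an assumption of this example."""
    parts = cmdline.split()
    return sum(1 for a in parts[3:] if len(a) == 1)


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_findings(events):
    """Return (pid, rule_name) pairs, in event order, for every rule hit."""
    out = []
    for e in events:
        if e["id"] == 12 and is_geofence_query(e["target"]):
            out.append((e["pid"], "geofence_registry_query"))
            continue
        if e["id"] != 1:
            continue
        exe = e["image"].rsplit("\\", 1)[-1].lower()
        low = e["cmdline"].lower()
        if exe == "rundll32.exe" and suspicious_rundll32(e["cmdline"]):
            out.append((e["pid"], "rundll32_nondll_from_temp"))
        if exe == "cmd.exe" and single_char_args(e["cmdline"]) >= 16:
            out.append((e["pid"], "batch_alphabet_args"))
        if exe == "xcopy.exe" and any(d in low for d in USER_WRITABLE):
            out.append((e["pid"], "xcopy_into_user_writable"))
    return out


if __name__ == "__main__":
    for pid, rule in find_findings(EVENTS):
        print(f"{rule:26} pid={pid:<5} chain={' > '.join(ancestry(EVENTS, pid))}")
```

The benign shell32.dll event is there to show that the rundll32 rule keys on the combination of a non-.dll module name and a user-writable path, not on rundll32 itself; in a real deployment the parent-chain output (cmd.exe > cmd.exe > rundll32.exe here) is what ties the four separate hits back into one incident.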
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\limiting.dat
  Filesize: 189KB
  MD5: c9f3dd6dddcd3beb7070d9f915219034
  SHA1: c3f080523dc1b8c444742f372b9d212743b8a503
  SHA256: 65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984
  SHA512: 41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b
- memory/728-133-0x0000000000000000-mapping.dmp
- memory/968-134-0x0000000000000000-mapping.dmp
- memory/968-137-0x00000171E39F0000-0x00000171E39F9000-memory.dmp
  Filesize: 36KB
- memory/4992-132-0x0000000000000000-mapping.dmp