Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2023 19:26
Static task
- static1
Behavioral tasks
- behavioral1: Sample NDAPersonalData/NDAZoomInfo11.lnk, Resource win7-20220812-en
- behavioral2: Sample NDAPersonalData/NDAZoomInfo11.lnk, Resource win10v2004-20221111-en
- behavioral3: Sample NDAPersonalData/desktop.dll, Resource win7-20221111-en
- behavioral4: Sample NDAPersonalData/desktop.dll, Resource win10v2004-20220812-en
General
- Target: NDAPersonalData/NDAZoomInfo11.lnk
- Size: 2KB
- MD5: f1acdf0794d290dbd6ef4bdc77292a24
- SHA1: 248a8e6c8a2af76e49e7b8b1b5b759cecb0be4ee
- SHA256: e0d6aa1f52db325526b489597e449a853a37585e57be01569059619199cb43de
- SHA512: 6fdf61b54b207f3b4a06b7e7dd45f60982b8db3c0d3e214d6828fa0ed1ad961d4fb5e820fe7a361e8026c9ba6507b8597c9b77f2bd7911c08328bfa2760ae4c5
Malware Config
Extracted
- icedid
- 2546188793
- anisiderblomm.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - 5 / 4244 / rundll32.exe
  - 36 / 4244 / rundll32.exe
  - 58 / 4244 / rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation / cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 4244 / rundll32.exe
  - 4244 / rundll32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes (description / pid / process / target process):
  - PID 3920 wrote to memory of 4244 / 3920 / cmd.exe / rundll32.exe
  - PID 3920 wrote to memory of 4244 / 3920 / cmd.exe / rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NDAPersonalData\NDAZoomInfo11.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (child of cmd.exe)
    Command line: "C:\Windows\System32\rundll32.exe" desktop.ini,init
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses