Analysis
- max time kernel: 123s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-01-2023 02:35
Static task: static1
Behavioral task: behavioral1
- Sample: NDAPersonalData/f1acdf0794d290dbd6ef4bdc77292a24.Lnk.lnk
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: NDAPersonalData/f1acdf0794d290dbd6ef4bdc77292a24.Lnk.lnk
- Resource: win10v2004-20221111-en
General
- Target: NDAPersonalData/f1acdf0794d290dbd6ef4bdc77292a24.Lnk.lnk
- Size: 2KB
- MD5: f1acdf0794d290dbd6ef4bdc77292a24
- SHA1: 248a8e6c8a2af76e49e7b8b1b5b759cecb0be4ee
- SHA256: e0d6aa1f52db325526b489597e449a853a37585e57be01569059619199cb43de
- SHA512: 6fdf61b54b207f3b4a06b7e7dd45f60982b8db3c0d3e214d6828fa0ed1ad961d4fb5e820fe7a361e8026c9ba6507b8597c9b77f2bd7911c08328bfa2760ae4c5
Malware Config
Extracted
- Family: icedid
- Campaign ID: 2546188793
- C2 domain: anisiderblomm.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow 5: pid 4616 rundll32.exe
    flow 38: pid 4616 rundll32.exe
    flow 41: pid 4616 rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried by cmd.exe: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description reads "likely ransomware behaviour", but the extracted config identifies this sample as the IcedID loader; no encryption activity is reported in this run.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 4616 rundll32.exe
    pid 4616 rundll32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    PID 1480 cmd.exe wrote to memory of PID 4616 rundll32.exe
    PID 1480 cmd.exe wrote to memory of PID 4616 rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\NDAPersonalData\f1acdf0794d290dbd6ef4bdc77292a24.Lnk.lnk
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" desktop.ini,init
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses

The sandbox opens the shortcut through cmd /c; the shortcut's own payload is the child rundll32.exe invocation. In rundll32 syntax `desktop.ini,init` means "load the module named desktop.ini from the working directory and call its export init", so the IcedID DLL is masquerading as a folder metadata file that Explorer normally hides.
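When triaging a shortcut like this one you want its target path and command-line arguments without double-clicking it. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses the fixed 76-byte ShellLinkHeader defined in MS-SHLLINK, skips the optional LinkTargetIDList and LinkInfo structures by their self-declared sizes, decodes the StringData fields (name, relative path, working directory, arguments, icon location) and flags targets that are living-off-the-land binaries. The shortcut it parses is constructed inside the script to mirror this report's process tree (rundll32.exe with `desktop.ini,init`); it is not the analysed file, whose LinkTargetIDList and LinkInfo contents the report does not show, and the LOLBIN list is an assumption for illustration.

```python
"""Minimal MS-SHLLINK (.lnk) StringData parser for shortcut triage (added example)."""
import struct

# Shell Link CLSID 00021401-0000-0000-C000-000000000046, on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Assumed list of LOLBins commonly used as shortcut targets by loaders (illustrative).
LOLBINS = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE

    # LinkTargetIDList: 2-byte IDListSize followed by that many bytes of ItemIDs.
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size

    # LinkInfo: self-describing, its first 4 bytes are LinkInfoSize (includes itself).
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size

    # StringData: CountCharacters (2 bytes) then the characters, no terminator.
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def suspicious_target(fields: dict) -> bool:
    """True when the shortcut's target basename is a LOLBin given arguments."""
    target = fields.get("relative_path", "")
    basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return basename in LOLBINS and bool(fields.get("arguments"))


def _string(s: str) -> bytes:
    """Encode one Unicode StringData entry: CountCharacters + UTF-16LE chars."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample() -> bytes:
    """Constructed shortcut modelled on the report's process tree (not the real file)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = (_string("..\\..\\..\\..\\Windows\\System32\\rundll32.exe")
            + _string(".")
            + _string("desktop.ini,init")
            + _string("%SystemRoot%\\System32\\shell32.dll"))
    return header + body


if __name__ == "__main__":
    parsed = parse_lnk(build_sample())
    for key, value in parsed.items():
        print(f"{key:14} {value}")
    print("suspicious:", suspicious_target(parsed))
```

The relative path in the constructed sample climbs out of the extraction directory with `..\` components, which is the common way a shortcut reaches a system binary without hard-coding the drive; a real sample may instead carry the target only in the LinkTargetIDList, in which case the ItemIDs must be decoded as well.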