Analysis
- max time kernel: 124s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 01-02-2023 08:24
- Static task: static1
- Behavioral task: behavioral1 (sample: DECIDENT.lnk, resource: win7-20221111-en)
- Behavioral task: behavioral2 (sample: DECIDENT.lnk, resource: win10v2004-20220901-en)
- Behavioral task: behavioral3 (sample: SPASTICS/QUINIBLE.dll, resource: win7-20221111-en)
- Behavioral task: behavioral4 (sample: SPASTICS/QUINIBLE.dll, resource: win10v2004-20220901-en)
- Behavioral task: behavioral5 (sample: SPASTICS/STYRACIN.cmd, resource: win7-20220812-en)
- Behavioral task: behavioral6 (sample: SPASTICS/STYRACIN.cmd, resource: win10v2004-20221111-en)
General
- Target: DECIDENT.lnk
- Size: 1KB
- MD5: 0dcf849c45cbcbcc80f2faf974a2da70
- SHA1: fb649af9030286b008898cbb0314f39689323a9e
- SHA256: dc8d25b04313db41d710d03a22c60eb79eff2f2c8e36980fb8328de6f62e00af
- SHA512: c93120e27e161e82e5fe7d8beee0e8eac9a1ee5eb9d54b49eb04a3f15bccf6c04542648efd2edbff4f83a4106563f24a1957486bd1206a1f571e717a5404d98a
Malware Config
- Extracted: icedid
  - 1691396905
  - plitspiritnox.com
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    916   rundll32.exe
    916   rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid    process    target process
    PID 1636 wrote to memory of 1144    1636   cmd.exe    cmd.exe
    PID 1636 wrote to memory of 1144    1636   cmd.exe    cmd.exe
    PID 1636 wrote to memory of 1144    1636   cmd.exe    cmd.exe
    PID 1144 wrote to memory of 916     1144   cmd.exe    rundll32.exe
    PID 1144 wrote to memory of 916     1144   cmd.exe    rundll32.exe
    PID 1144 wrote to memory of 916     1144   cmd.exe    rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\DECIDENT.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c "SPASTICS\STYRACIN.CMD reg" i Monoeidic X Sortieing
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      command line: rundll32 SPASTICS/QUINIBLE.DAT,init
      - Suspicious behavior: EnumeratesProcesses