Analysis
- max time kernel: 65s
- max time network: 76s
- platform: windows11_x64
- resource: win11
- submitted: 25-11-2021 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: sentence_x64.dat.dll
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: sentence_x64.dat.dll
  Resource: win11
Behavioral task: behavioral3
  Sample: sentence_x64.dat.dll
  Resource: win10-en-20211014
General
- Target: sentence_x64.dat.dll
- Size: 83KB
- MD5: 10d53f2baf0cc1321090e01201be84ab
- SHA1: 153931308c62f6104d7c55c5690ed952833af6ac
- SHA256: e9d773366bcb19d4f69a9996c8eab48bdf7fb51097cf1613d8705b9c25dfe263
- SHA512: 435451c84aba99d9b80c304a37e00eadc7bc11c583bc10c6c45e18a37fc223815218b8877cac1db079983b7ce696a03f487bd501bc7e32815e02335995616e00
Malware Config
Extracted
- icedid
- 1217670233
- parkerrsberg.site
- 2sekillo.pw
- subdibermarine.pw
- zoplasure.top
- auth_var: 2
- url_path: /posts/
Signatures
- Sets service image path in registry (2 TTPs)
- Drops file in Windows directory (9 IoCs)
  Processes: svchost.exe, TiWorker.exe
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File created | C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\cbshandler\state | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: svchost.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: WaaSMedicAgent.exe (three instances)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: svchost.exe, svchost.exe, TiWorker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1012 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1012 | svchost.exe
  Token: SeShutdownPrivilege | 1848 | svchost.exe
  Token: SeCreatePagefilePrivilege | 1848 | svchost.exe
  Token: SeSecurityPrivilege | 2852 | TiWorker.exe
  Token: SeRestorePrivilege | 2852 | TiWorker.exe
  Token: SeBackupPrivilege | 2852 | TiWorker.exe
  (the remaining entries of the 64-IoC list repeat these token/process pairs)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: svchost.exe
  description | pid | process | target process
  PID 1848 wrote to memory of 2472 | 1848 | svchost.exe | MoUsoCoreWorker.exe
  PID 1848 wrote to memory of 2472 | 1848 | svchost.exe | MoUsoCoreWorker.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\sentence_x64.dat.dll,#1
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 7b0442dc0a1fd4a119cc2bc641f4a16d AQL+qpu+CUG+hzZYwG6VUA.0.1.0.3.0
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (child process)
    Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 7b0442dc0a1fd4a119cc2bc641f4a16d AQL+qpu+CUG+hzZYwG6VUA.0.1.0.3.0
  - Modifies data under HKEY_USERS
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 7b0442dc0a1fd4a119cc2bc641f4a16d AQL+qpu+CUG+hzZYwG6VUA.0.1.0.3.0
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1012-147-0x0000022F81120000-0x0000022F81130000-memory.dmp (Filesize: 64KB)
- memory/1012-148-0x0000022F811A0000-0x0000022F811B0000-memory.dmp (Filesize: 64KB)
- memory/1012-149-0x0000022F83890000-0x0000022F83894000-memory.dmp (Filesize: 16KB)
- memory/1300-146-0x000001C82AFD0000-0x000001C82B007000-memory.dmp (Filesize: 220KB)
- memory/2472-150-0x0000000000000000-mapping.dmp