Analysis
- max time kernel: 126s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2022 16:56
Static task
- static1

Behavioral tasks
- behavioral1: Sample Scan_Dec12.lnk, Resource win7-20220812-en
- behavioral2: Sample Scan_Dec12.lnk, Resource win10v2004-20221111-en
- behavioral3: Sample ragaxe/codXl.cmd, Resource win7-20220812-en
- behavioral4: Sample ragaxe/codXl.cmd, Resource win10v2004-20221111-en
- behavioral5: Sample ragaxe/offscouring.dll, Resource win7-20220901-en
- behavioral6: Sample ragaxe/offscouring.dll, Resource win10v2004-20220812-en
General
- Target: Scan_Dec12.lnk
- Size: 2KB
- MD5: 3bed3aba524f00e21b67ddf6f61eff94
- SHA1: 45bf85cb17992e2d7f572c29275a4e41a9815634
- SHA256: 432544da261f7fd918fe9db502679075b6efcb81467742c409c34b1ce1648dd6
- SHA512: 65b43ce4d63611607a69a2e9dc0ff815fc1c5a1dfd5dccf0cca463f6a33df23f309d3d91e9197688efd50d70b44fab4ca9b6183fed8ec536a9f10a8dca25cbfe
Malware Config
Extracted
- Family: icedid
- Campaign ID: 814709416
- C2 domain: ewgahskoot.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  - 2, 1792, rundll32.exe
  - 4, 1792, rundll32.exe
  - 5, 1792, rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1792, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1792, rundll32.exe
  - 1792, rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 1672 wrote to memory of 888, 1672, cmd.exe, cmd.exe
  - PID 1672 wrote to memory of 888, 1672, cmd.exe, cmd.exe
  - PID 1672 wrote to memory of 888, 1672, cmd.exe, cmd.exe
  - PID 888 wrote to memory of 320, 888, cmd.exe, xcopy.exe
  - PID 888 wrote to memory of 320, 888, cmd.exe, xcopy.exe
  - PID 888 wrote to memory of 320, 888, cmd.exe, xcopy.exe
  - PID 888 wrote to memory of 1792, 888, cmd.exe, rundll32.exe
  - PID 888 wrote to memory of 1792, 888, cmd.exe, rundll32.exe
  - PID 888 wrote to memory of 1792, 888, cmd.exe, rundll32.exe
Processes (process tree, indented by depth)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_Dec12.lnk
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ragaxe\codXl.cmd YXCX
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      Command line: xcopy /s /i /e /h ragaxe\offscouring.bin C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\offscouring.bin,init
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\offscouring.bin
  Filesize: 823KB
  MD5: faa496bdd79e0ed4d4def753d2232bb8
  SHA1: 195dcacfb7d9a25585667e8ebdb5cd9926ffe069
  SHA256: 5c4061ed08f89eaa12f61842bc2bef83d29a2727a9dcff5d445d6b2fd120cae9
  SHA512: 0d57b824d0ac13d27e644465734cccbae50d3280dd00ab525fd4a9a965cc783e7e638960ec3f69ef31de51504f67bd4b810d0efb84808afac90d5013779bee34
- \Users\Admin\AppData\Local\Temp\offscouring.bin
  Filesize: 823KB
  MD5: faa496bdd79e0ed4d4def753d2232bb8
  SHA1: 195dcacfb7d9a25585667e8ebdb5cd9926ffe069
  SHA256: 5c4061ed08f89eaa12f61842bc2bef83d29a2727a9dcff5d445d6b2fd120cae9
  SHA512: 0d57b824d0ac13d27e644465734cccbae50d3280dd00ab525fd4a9a965cc783e7e638960ec3f69ef31de51504f67bd4b810d0efb84808afac90d5013779bee34
- memory/320-89-0x0000000000000000-mapping.dmp
- memory/888-88-0x0000000000000000-mapping.dmp
- memory/1672-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
  Filesize: 8KB
- memory/1792-93-0x0000000000000000-mapping.dmp
- memory/1792-96-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB