Analysis
- max time kernel: 125s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/12/2022, 21:32

Static task: static1

Behavioral task: behavioral1
- Sample: 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
- Resource: win10v2004-20221111-en
General
- Target: 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
- Size: 2.7MB
- MD5: 2a52de53972a801102ebf18f68a152f5
- SHA1: 335d037805e52deb3b604cb0838c4f8bf6f67fec
- SHA256: 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
- SHA512: 862e4d9eb09c59bd661dee3fe6914b1e7b88c1a99f353da6c3de310a9d1abf2c09d71ef12f375ce7e3a155909454d1d7ae7afedb1318746e443b188e71c67c8d
- SSDEEP: 24576:+wkH3QY3UZp/g+/GomPS0AuYOW+EzI7L/Cge89x0Jh23NFEi:+5AMUHsJAuYOWnzGi89mJh2dFEi
Malware Config
Extracted: icedid
- 2944922576
- trbiriumpa.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  59    1808  rundll32.exe
  62    1808  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1808  rundll32.exe
  1808  rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3872  7zG.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   1300  7zG.exe
  Token: 35                   1300  7zG.exe
  Token: SeSecurityPrivilege  1300  7zG.exe
  Token: SeSecurityPrivilege  1300  7zG.exe
  Token: SeRestorePrivilege   3872  7zG.exe
  Token: 35                   3872  7zG.exe
  Token: SeSecurityPrivilege  3872  7zG.exe
  Token: SeSecurityPrivilege  3872  7zG.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1300  7zG.exe
  3872  7zG.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
  PID: 4800
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4176
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap11716:186:7zEvent22360
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1300
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap26389:186:7zEvent12942
  Signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3872
- C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" \corBAA.dat,init
  Signatures:
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID: 1808