icedid | aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40

General

Target

$RTKOW1B.zip
Size

827KB
MD5

bd1619082ee07b21fa40d532ef9cb8e4
SHA1

443713056deb34363bed0e165099412d23d4269d
SHA256

aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
SHA512

a19aa3cc69af6e83722bc79d5baa72336ed1bbb1c8297e2b4b068a95f31e51f1d5dde67e6cceebf0d0b4265866a0bd918db6f0f3b024f07383ac13721a6bd207
SSDEEP

24576:KoqpFTwvyQNR53uFPnTsuLJR6LJsDzpDO4lc0:KppFANnu9QmJR6LYK4lc0

Score

10^/10

icedid 3114391984 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

3114391984

C2

estrabornhot.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 25 IoCs

Processes:

rundll32.exe

flow	pid	process
54	4772	rundll32.exe
59	4772	rundll32.exe
60	4772	rundll32.exe
61	4772	rundll32.exe
62	4772	rundll32.exe
64	4772	rundll32.exe
65	4772	rundll32.exe
66	4772	rundll32.exe
67	4772	rundll32.exe
68	4772	rundll32.exe
70	4772	rundll32.exe
71	4772	rundll32.exe
72	4772	rundll32.exe
74	4772	rundll32.exe
75	4772	rundll32.exe
77	4772	rundll32.exe
78	4772	rundll32.exe
79	4772	rundll32.exe
80	4772	rundll32.exe
81	4772	rundll32.exe
88	4772	rundll32.exe
102	4772	rundll32.exe
114	4772	rundll32.exe
115	4772	rundll32.exe
133	4772	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4772 rundll32.exe

pid	process
4772	rundll32.exe

Drops file in System32 directory 4 IoCs

Processes:

SystemSettingsAdminFlows.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	SystemSettingsAdminFlows.exe
File created	C:\Windows\System32\GroupPolicy\User\Registry.pol	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	SystemSettingsAdminFlows.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4632 3512 WerFault.exe

pid	pid_target	process	target process
4632	3512	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 41 IoCs

Processes:

SearchApp.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3116"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3116"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3746"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1034"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9808"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11629"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1067"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9130"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1067"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1067"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11629"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8248"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "9940"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9130"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9808"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9808"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8248"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1034"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9940"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "9940"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "11629"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "9130"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "3746"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1034"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3116"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3746"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8248"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4772 rundll32.exe
4772 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2384 OpenWith.exe

pid	process
4772	rundll32.exe
4772	rundll32.exe

pid	process
2384	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	5080	7zG.exe
Token: 35	5080	7zG.exe
Token: SeSecurityPrivilege	5080	7zG.exe
Token: SeSecurityPrivilege	5080	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

5080 7zG.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeSearchApp.exeSystemSettingsAdminFlows.exe

pid process

2384 OpenWith.exe
1836 SearchApp.exe
3004 SystemSettingsAdminFlows.exe

pid	process
5080	7zG.exe

pid	process
2384	OpenWith.exe
1836	SearchApp.exe
3004	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5068 wrote to memory of 2976	5068	cmd.exe	xcopy.exe
PID 5068 wrote to memory of 2976	5068	cmd.exe	xcopy.exe
PID 5068 wrote to memory of 4772	5068	cmd.exe	rundll32.exe
PID 5068 wrote to memory of 4772	5068	cmd.exe	rundll32.exe
PID 3868 wrote to memory of 3368	3868	cmd.exe	xcopy.exe
PID 3868 wrote to memory of 3368	3868	cmd.exe	xcopy.exe
PID 4656 wrote to memory of 4680	4656	cmd.exe	xcopy.exe
PID 4656 wrote to memory of 4680	4656	cmd.exe	xcopy.exe
PID 5000 wrote to memory of 4424	5000	cmd.exe	xcopy.exe
PID 5000 wrote to memory of 4424	5000	cmd.exe	xcopy.exe
PID 812 wrote to memory of 3404	812	cmd.exe	xcopy.exe
PID 812 wrote to memory of 3404	812	cmd.exe	xcopy.exe
PID 2508 wrote to memory of 3876	2508	cmd.exe	xcopy.exe
PID 2508 wrote to memory of 3876	2508	cmd.exe	xcopy.exe
PID 2584 wrote to memory of 3528	2584	cmd.exe	xcopy.exe
PID 2584 wrote to memory of 3528	2584	cmd.exe	xcopy.exe
PID 1872 wrote to memory of 3364	1872	cmd.exe	xcopy.exe
PID 1872 wrote to memory of 3364	1872	cmd.exe	xcopy.exe
PID 4768 wrote to memory of 4472	4768	cmd.exe	xcopy.exe
PID 4768 wrote to memory of 4472	4768	cmd.exe	xcopy.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip
1⤵
PID:2760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap7296:114:7zEvent11495
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:2976

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:3368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:4680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:4424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:3876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:3528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:3364

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
1⤵
PID:4296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:4472

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
1⤵
PID:4240

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:960

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 3512 -ip 3512
1⤵
PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3512 -s 5760
1⤵
- Program crash
PID:4632

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock
1⤵
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetRunAsUserRegKeyFlow
1⤵
- Drops file in System32 directory
PID:2704

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
Filesize
1.6MB

MD5
1795382b21fad93fe3fe3d75ef40a67d

SHA1
7a6fa8a71a68e3226b6cad24cd3eff4767111e58

SHA256
97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

SHA512
189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Download Submit
C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
Filesize
1KB

MD5
9f19dd31900efd76299b3664eda0cd3a

SHA1
028b44165c9995cae1035e06bb2d15027add44f8

SHA256
43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f

SHA512
9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f

Download Submit
C:\Users\Admin\Desktop\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
Filesize
1KB

MD5
cc31d1d48706f236026b5b7f8ca0d87b

SHA1
5b6a8356ca69d4db720d2753ab4b999a0151297d

SHA256
da0ba8858c67f270b2c660fc882253fff8962261aff9cfee46425740ba48e554

SHA512
133228a495440dc66ca885e4f75e9f07b5d5f61c400af9f9d344c9779fbd3b0c9857819307d6531f60e1aae0a18084c6bfe0e158ad1379d4fac7906cd2ed7c4c

Download Submit
memory/1836-175-0x000002308300F000-0x0000023083013000-memory.dmp

Filesize
16KB

Download
memory/1836-176-0x000002308300F000-0x0000023083013000-memory.dmp

Filesize
16KB

Download
memory/1836-182-0x000002308302F000-0x0000023083032000-memory.dmp

Filesize
12KB

Download
memory/1836-183-0x000002308302F000-0x0000023083032000-memory.dmp

Filesize
12KB

Download
memory/1836-181-0x000002308302F000-0x0000023083032000-memory.dmp

Filesize
12KB

Download
memory/1836-179-0x00000230936E0000-0x00000230936E8000-memory.dmp

Filesize
32KB

Download
memory/1836-178-0x0000023081370000-0x0000023081470000-memory.dmp

Filesize
1024KB

Download
memory/1836-170-0x000002308300A000-0x000002308300D000-memory.dmp

Filesize
12KB

Download
memory/1836-174-0x000002308300F000-0x0000023083013000-memory.dmp

Filesize
16KB

Download
memory/1836-172-0x000002308300F000-0x0000023083013000-memory.dmp

Filesize
16KB

Download
memory/1836-173-0x000002308300F000-0x0000023083013000-memory.dmp

Filesize
16KB

Download
memory/1836-161-0x00000230815C0000-0x00000230815E0000-memory.dmp

Filesize
128KB

Download
memory/1836-162-0x0000023080AB0000-0x0000023080AD0000-memory.dmp

Filesize
128KB

Download
memory/1836-167-0x000002308300A000-0x000002308300D000-memory.dmp

Filesize
12KB

Download
memory/1836-168-0x000002308300A000-0x000002308300D000-memory.dmp

Filesize
12KB

Download
memory/1836-169-0x000002308300A000-0x000002308300D000-memory.dmp

Filesize
12KB

Download
memory/2976-133-0x0000000000000000-mapping.dmp

Download
memory/3364-150-0x0000000000000000-mapping.dmp

Download
memory/3368-144-0x0000000000000000-mapping.dmp

Download
memory/3404-147-0x0000000000000000-mapping.dmp

Download
memory/3528-149-0x0000000000000000-mapping.dmp

Download
memory/3876-148-0x0000000000000000-mapping.dmp

Download
memory/4424-146-0x0000000000000000-mapping.dmp

Download
memory/4472-152-0x0000000000000000-mapping.dmp

Download
memory/4680-145-0x0000000000000000-mapping.dmp

Download
memory/4772-135-0x0000000000000000-mapping.dmp

Download
memory/4772-138-0x000002AE96BD0000-0x000002AE96BD9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads