Analysis
max time kernel: 315s
max time network: 319s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2022 00:17
Static task: static1
Behavioral task: behavioral1
  Sample: $RTKOW1B.zip
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: $RTKOW1B.zip
  Resource: win10v2004-20221111-en
General
Target: $RTKOW1B.zip
Size: 827KB
MD5: bd1619082ee07b21fa40d532ef9cb8e4
SHA1: 443713056deb34363bed0e165099412d23d4269d
SHA256: aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
SHA512: a19aa3cc69af6e83722bc79d5baa72336ed1bbb1c8297e2b4b068a95f31e51f1d5dde67e6cceebf0d0b4265866a0bd918db6f0f3b024f07383ac13721a6bd207
SSDEEP: 24576:KoqpFTwvyQNR53uFPnTsuLJR6LJsDzpDO4lc0:KppFANnu9QmJR6LYK4lc0
Malware Config
Extracted
Family: icedid
Campaign: 3114391984
C2: estrabornhot.com
Signatures

Blocklisted process makes network request (5 IoCs)
Processes: rundll32.exe, rundll32.exe
flow  pid  process
4     876  rundll32.exe
5     876  rundll32.exe
6     876  rundll32.exe
7     984  rundll32.exe
8     876  rundll32.exe

Loads dropped DLL (2 IoCs)
Processes: rundll32.exe, rundll32.exe
pid  process
876  rundll32.exe
984  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: rundll32.exe
description  ioc                                                                                  process
Key created  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings  rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: rundll32.exe, rundll32.exe
pid  process
876  rundll32.exe
876  rundll32.exe
984  rundll32.exe
984  rundll32.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: AUDIODG.EXE, 7zG.exe
description                        pid   process
Token: 33                          1960  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  1960  AUDIODG.EXE
Token: 33                          1960  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  1960  AUDIODG.EXE
Token: SeRestorePrivilege          596   7zG.exe
Token: 35                          596   7zG.exe
Token: SeSecurityPrivilege         596   7zG.exe
Token: SeSecurityPrivilege         596   7zG.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: 7zG.exe
pid  process
596  7zG.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: cmd.exe, cmd.exe, cmd.exe
description                       pid   process  target process
PID 1104 wrote to memory of 1544  1104  cmd.exe  xcopy.exe
PID 1104 wrote to memory of 1544  1104  cmd.exe  xcopy.exe
PID 1104 wrote to memory of 1544  1104  cmd.exe  xcopy.exe
PID 1104 wrote to memory of 876   1104  cmd.exe  rundll32.exe
PID 1104 wrote to memory of 876   1104  cmd.exe  rundll32.exe
PID 1104 wrote to memory of 876   1104  cmd.exe  rundll32.exe
PID 2040 wrote to memory of 1592  2040  cmd.exe  xcopy.exe
PID 2040 wrote to memory of 1592  2040  cmd.exe  xcopy.exe
PID 2040 wrote to memory of 1592  2040  cmd.exe  xcopy.exe
PID 1688 wrote to memory of 984   1688  cmd.exe  rundll32.exe
PID 1688 wrote to memory of 984   1688  cmd.exe  rundll32.exe
PID 1688 wrote to memory of 984   1688  cmd.exe  rundll32.exe
Processes
(child processes are indented under their parent)

C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x57c
  Signatures: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\isoburn.exe
  Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso"

C:\Windows\System32\isoburn.exe
  Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso"

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap20643:136:7zEvent20319
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\xcopy.exe
      Command line: xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

    C:\Windows\system32\rundll32.exe
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\xcopy.exe
      Command line: xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
  Signatures: Modifies registry class

C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp init
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
  Filesize: 1.6MB
  MD5: 1795382b21fad93fe3fe3d75ef40a67d
  SHA1: 7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256: 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512: 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
  Filesize: 1.6MB
  MD5: 1795382b21fad93fe3fe3d75ef40a67d
  SHA1: 7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256: 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512: 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
  Filesize: 1KB
  MD5: 9f19dd31900efd76299b3664eda0cd3a
  SHA1: 028b44165c9995cae1035e06bb2d15027add44f8
  SHA256: 43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f
  SHA512: 9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f

\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
  Filesize: 1.6MB
  MD5: 1795382b21fad93fe3fe3d75ef40a67d
  SHA1: 7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256: 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512: 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
  Filesize: 1.6MB
  MD5: 1795382b21fad93fe3fe3d75ef40a67d
  SHA1: 7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256: 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512: 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

memory/876-61-0x0000000000000000-mapping.dmp

memory/876-64-0x0000000000390000-0x0000000000399000-memory.dmp
  Filesize: 36KB

memory/960-54-0x000007FEFB531000-0x000007FEFB533000-memory.dmp
  Filesize: 8KB

memory/984-72-0x0000000000000000-mapping.dmp

memory/1544-59-0x0000000000000000-mapping.dmp

memory/1592-70-0x0000000000000000-mapping.dmp