Analysis Overview
SHA256
aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
Threat Level: Known bad
The file $RTKOW1B.zip was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-21 00:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-21 00:17
Reported
2022-12-21 00:23
Platform
win7-20221111-en
Max time kernel
315s
Max time network
319s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.exe | C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x57c |
| C:\Windows\System32\isoburn.exe | "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso" |
| C:\Windows\System32\isoburn.exe | "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso" |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap20643:136:7zEvent20319 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 |
| C:\Windows\system32\xcopy.exe | xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\* |
| C:\Windows\system32\rundll32.exe | rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" " |
| C:\Windows\system32\xcopy.exe | xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\* |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7 |
| C:\Windows\system32\rundll32.exe | rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp init |
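The process list above records the delivery chain end to end: the ZIP carries an ISO, 7-Zip extracts it under Documents, weebanpeaS.cmd runs, xcopy drops overcontrolling.tmp into %TEMP%, and rundll32 calls that file's init export (the report shows both the "module,export" and the "module export" spellings). The following is an added example, not code from the sandbox vendor or from this report: a small Python detector that replays those command lines (copied from the behavioral1 list; the parent-process links and the ProcEvent field names are assumptions, since the flattened report keeps no parent links) and flags rundll32 launches whose module has a non-DLL extension, sits under a user profile, or was just staged by xcopy. The two shell32.dll launches are kept as benign controls and must not fire.

```python
"""Flag the staged rundll32 loader pattern recorded in this report.

Added example, not code from the sandbox vendor or from the report. The
events below are constructed from the behavioral1 process list; parent
images are an assumption, because the flattened report keeps no parent links.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str  # assumed; not present in the flattened report


# Constructed from the report's command lines (parents assumed).
EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\system32\xcopy.exe",
              r"xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\system32\rundll32.exe",
              r"rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init",
              r"C:\Windows\System32\cmd.exe"),
    # Benign controls: a system DLL with documented shell32 exports.
    ProcEvent(r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7',
              r"C:\Windows\explorer.exe"),
    # The report also shows the space-separated spelling of the same launch.
    ProcEvent(r"C:\Windows\system32\rundll32.exe",
              r"rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp init",
              r"C:\Windows\system32\cmd.exe"),
]

DLL_EXTS = {".dll", ".cpl", ".ocx", ".drv"}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rundll32_target(cmdline):
    """Return (module, export) for a rundll32 launch; handles both the
    'module,export' and the 'module export' spellings seen in the report."""
    toks = tokenize(cmdline)
    if len(toks) < 2:
        return None, None
    module, sep, export = toks[1].partition(",")
    if not sep:
        export = toks[2] if len(toks) > 2 else ""
    return module, export


def staged_dirs(events):
    """Normalised destination directories of every xcopy in the event set."""
    dirs = set()
    for e in events:
        if ntpath.basename(e.image).lower() != "xcopy.exe":
            continue
        args = [t for t in tokenize(e.cmdline)[1:] if not t.startswith("/")]
        if len(args) >= 2:  # source, destination
            dirs.add(ntpath.normcase(ntpath.dirname(args[1])))
    return dirs


def detect(events):
    """Return [(cmdline, reasons)] for rundll32 launches worth an alert."""
    staged = staged_dirs(events)
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "rundll32.exe":
            continue
        module, _export = rundll32_target(e.cmdline)
        if module is None:
            continue
        reasons = []
        ext = ntpath.splitext(module)[1].lower()
        if ext not in DLL_EXTS:
            reasons.append(f"module extension {ext or '(none)'} is not a DLL extension")
        if USER_PROFILE.match(module):
            reasons.append("module loaded from a user profile path")
        if ntpath.normcase(ntpath.dirname(module)) in staged:
            reasons.append("module directory was populated by an earlier xcopy")
        if reasons and ntpath.basename(e.parent_image).lower() == "cmd.exe":
            reasons.append("launched by cmd.exe, i.e. script-driven")
        if reasons:
            findings.append((e.cmdline, reasons))
    return findings


if __name__ == "__main__":
    for cmdline, reasons in detect(EVENTS):
        print(cmdline)
        for r in reasons:
            print("  -", r)
```

The extension check alone is weak (a loader renamed to .dll passes it), which is why the xcopy-staging and user-profile rules are combined with it; on a real EDR feed the staged-directory set would be built from file-write events rather than from xcopy command lines.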
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | estrabornhot.com | udp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
| N/A | 143.198.92.88:80 | estrabornhot.com | tcp |
Files
memory/960-54-0x000007FEFB531000-0x000007FEFB533000-memory.dmp
C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
| MD5 | 9f19dd31900efd76299b3664eda0cd3a |
| SHA1 | 028b44165c9995cae1035e06bb2d15027add44f8 |
| SHA256 | 43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f |
| SHA512 | 9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f |
memory/1544-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
memory/876-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
memory/876-64-0x0000000000390000-0x0000000000399000-memory.dmp
memory/1592-70-0x0000000000000000-mapping.dmp
memory/984-72-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
| MD5 | 1795382b21fad93fe3fe3d75ef40a67d |
| SHA1 | 7a6fa8a71a68e3226b6cad24cd3eff4767111e58 |
| SHA256 | 97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b |
| SHA512 | 189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-21 00:17
Reported
2022-12-21 00:20
Platform
win10v2004-20221111-en
Max time kernel
61s
Max time network
136s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Windows\Explorer.exe | C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip |
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |