Analysis
- max time kernel: 91s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-01-2023 19:28
- Static task: static1
- Behavioral task behavioral1: sample INV_December-20-29_73_scan.zip, resource win7-20220812-en
- Behavioral task behavioral2: sample INV_December-20-29_73_scan.zip, resource win10v2004-20220812-en
- Behavioral task behavioral3: sample INV_December-20-29_73_scan.iso, resource win7-20221111-en
- Behavioral task behavioral4: sample INV_December-20-29_73_scan.iso, resource win10v2004-20221111-en

General
- Target: INV_December-20-29_73_scan.zip
- Size: 164KB
- MD5: 09e6c5c36e18d95fec639afb60525a81
- SHA1: ae5cf031845b357a3234113a5262b4a6c44c89d8
- SHA256: afa154d0749d64ab4e1063276d973f2b6f26352fc46e57d9e1382dd541bff862
- SHA512: e7d4ff559964cb375a9a1b767452d544c01bb43dce41b9a17ac6b2fb1c70e0299a63ba1824b11f0c0939581e8e0e6a3d77c693cabd6c435c2d0548d0ef8791d6
- SSDEEP: 3072:1zpMkIkVULLjloD0tMqieNVveP3Sp+NgMOUivOmbnCtovRmOIRRJUmaw07i:pzzInDoPi4MLbn7gOiRemaw07i

Malware Config
Extracted
- Family: icedid
- Campaign ID: 3181355365
- C2: whothitheka.com

Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe, flow 97, PID 2084
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe (PID 2084), rundll32.exe (PID 2084)

Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\INV_December-20-29_73_scan.zip
  PID: 2088
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3480
- C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" \armeta.dat,init
  PID: 2084
  Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/2084-132-0x0000000180000000-0x0000000180009000-memory.dmp (filesize: 36KB)