Overview (score 10)
Static
Tasks:
- Scan_01-09.lnk on windows7-x64: score 10
- Scan_01-09.lnk on windows10-1703-x64: score 10
- Scan_01-09.lnk on windows10-2004-x64: score 10
- firvetourg...dc.cmd on windows7-x64: score 1
- firvetourg...dc.cmd on windows10-1703-x64: score 1
- firvetourg...dc.cmd on windows10-2004-x64: score 1
- firvetourg...ng.dll on windows7-x64: score 3
- firvetourg...ng.dll on windows10-1703-x64: score 3
- firvetourg...ng.dll on windows10-2004-x64: score 3
Analysis
- max time kernel: 247s
- max time network: 250s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 09-01-2023 21:02
Static task: static1
Behavioral task behavioral1: sample Scan_01-09.lnk, resource win7-20220812-en
Behavioral task behavioral2: sample Scan_01-09.lnk, resource win10-20220812-en
Behavioral task behavioral3: sample Scan_01-09.lnk, resource win10v2004-20221111-en
Behavioral task behavioral4: sample firvetourg/denmedmudc.cmd, resource win7-20220812-en
Behavioral task behavioral5: sample firvetourg/denmedmudc.cmd, resource win10-20220812-en
Behavioral task behavioral6: sample firvetourg/denmedmudc.cmd, resource win10v2004-20221111-en
Behavioral task behavioral7: sample firvetourg/reencountering.dll, resource win7-20221111-en
Behavioral task behavioral8: sample firvetourg/reencountering.dll, resource win10-20220901-en
Behavioral task behavioral9: sample firvetourg/reencountering.dll, resource win10v2004-20221111-en
General
- Target: Scan_01-09.lnk
- Size: 1KB
- MD5: fc799beeda4a8430292247375bdf4b59
- SHA1: 3f1a817f3bd5a344fc3aae111f09349756f00d40
- SHA256: a482fc4719106e36bca78b610acde1136bce64120fe1a5a843d65aa82aaa190e
- SHA512: b1d1286cce4499e2c849ddfa6c6e8cfd08ec8cfe7d6d9fb1c11319623a3866f767c8d08d767f2594fb991592b66528c797a3b49bbb45add44284c7b296de7467
Malware Config
Extracted:
- Family: icedid
- 3131022508
- wagringamuk.com
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  2 | 756 | rundll32.exe
  4 | 756 | rundll32.exe
  5 | 756 | rundll32.exe
  6 | 756 | rundll32.exe
  7 | 756 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  756 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  756 | rundll32.exe
  756 | rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1376 wrote to memory of 320 | 1376 | cmd.exe | cmd.exe
  PID 1376 wrote to memory of 320 | 1376 | cmd.exe | cmd.exe
  PID 1376 wrote to memory of 320 | 1376 | cmd.exe | cmd.exe
  PID 320 wrote to memory of 1792 | 320 | cmd.exe | xcopy.exe
  PID 320 wrote to memory of 1792 | 320 | cmd.exe | xcopy.exe
  PID 320 wrote to memory of 1792 | 320 | cmd.exe | xcopy.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | rundll32.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | rundll32.exe
  PID 320 wrote to memory of 756 | 320 | cmd.exe | rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_01-09.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c firvetourg\denmedmudc.cmd A B C D E F G H I J K L M N O P C R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h firvetourg\reencountering.dat C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\reencountering.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\reencountering.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200
- \Users\Admin\AppData\Local\Temp\reencountering.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200
- memory/320-89-0x0000000000000000-mapping.dmp
- memory/756-94-0x0000000000000000-mapping.dmp
- memory/756-97-0x0000000000410000-0x0000000000419000-memory.dmp
  Filesize: 36KB
- memory/1376-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
  Filesize: 8KB
- memory/1792-93-0x0000000000000000-mapping.dmp