Task scores (target, platform: score)
- Overview: 10
- Static: -
- Scan_01-09.lnk, windows7-x64: 10
- Scan_01-09.lnk, windows10-1703-x64: 10
- Scan_01-09.lnk, windows10-2004-x64: 10
- firvetourg...dc.cmd, windows7-x64: 1
- firvetourg...dc.cmd, windows10-1703-x64: 1
- firvetourg...dc.cmd, windows10-2004-x64: 1
- firvetourg...ng.dll, windows7-x64: 3
- firvetourg...ng.dll, windows10-1703-x64: 3
- firvetourg...ng.dll, windows10-2004-x64: 3
Analysis
- max time kernel: 243s
- max time network: 246s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-01-2023 21:02
Tasks (task: sample, resource)
- Static task static1
- Behavioral task behavioral1: Scan_01-09.lnk, win7-20220812-en
- Behavioral task behavioral2: Scan_01-09.lnk, win10-20220812-en
- Behavioral task behavioral3: Scan_01-09.lnk, win10v2004-20221111-en
- Behavioral task behavioral4: firvetourg/denmedmudc.cmd, win7-20220812-en
- Behavioral task behavioral5: firvetourg/denmedmudc.cmd, win10-20220812-en
- Behavioral task behavioral6: firvetourg/denmedmudc.cmd, win10v2004-20221111-en
- Behavioral task behavioral7: firvetourg/reencountering.dll, win7-20221111-en
- Behavioral task behavioral8: firvetourg/reencountering.dll, win10-20220901-en
- Behavioral task behavioral9: firvetourg/reencountering.dll, win10v2004-20221111-en
General
- Target: Scan_01-09.lnk
- Size: 1KB
- MD5: fc799beeda4a8430292247375bdf4b59
- SHA1: 3f1a817f3bd5a344fc3aae111f09349756f00d40
- SHA256: a482fc4719106e36bca78b610acde1136bce64120fe1a5a843d65aa82aaa190e
- SHA512: b1d1286cce4499e2c849ddfa6c6e8cfd08ec8cfe7d6d9fb1c11319623a3866f767c8d08d767f2594fb991592b66528c797a3b49bbb45add44284c7b296de7467
Malware Config
Extracted
- Family: icedid
- 3131022508
- wagringamuk.com
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes (flow, pid, process):
    5, 3368, rundll32.exe
    40, 3368, rundll32.exe
    43, 3368, rundll32.exe
    44, 3368, rundll32.exe
    45, 3368, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation, cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    3368, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3368, rundll32.exe
    3368, rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4880 wrote to memory of 5068, 4880, cmd.exe, cmd.exe
    PID 4880 wrote to memory of 5068, 4880, cmd.exe, cmd.exe
    PID 5068 wrote to memory of 2344, 5068, cmd.exe, xcopy.exe
    PID 5068 wrote to memory of 2344, 5068, cmd.exe, xcopy.exe
    PID 5068 wrote to memory of 3368, 5068, cmd.exe, rundll32.exe
    PID 5068 wrote to memory of 3368, 5068, cmd.exe, rundll32.exe
Processes (process tree; each entry: image path, then command line, then matched signatures)
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Scan_01-09.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c firvetourg\denmedmudc.cmd A B C D E F G H I J K L M N O P C R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h firvetourg\reencountering.dat C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\reencountering.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\reencountering.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200
- memory/2344-133-0x0000000000000000-mapping.dmp
- memory/3368-134-0x0000000000000000-mapping.dmp
- memory/3368-137-0x000002431C520000-0x000002431C529000-memory.dmp
  Filesize: 36KB
- memory/5068-132-0x0000000000000000-mapping.dmp