Analysis
Max time kernel: 125s
Max time network: 130s
Platform: windows7_x64
Resource: win7-20220901-en
Resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted: 10-01-2023 05:13
Static task: static1

Behavioral task: behavioral1
  Sample: Inv_162_Jan-01_Copy/REF_Scan_01-09.lnk
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: Inv_162_Jan-01_Copy/REF_Scan_01-09.lnk
  Resource: win10v2004-20221111-en

Behavioral task: behavioral3
  Sample: Inv_162_Jan-01_Copy/eveeftwedK/blessing.dll
  Resource: win7-20221111-en

Behavioral task: behavioral4
  Sample: Inv_162_Jan-01_Copy/eveeftwedK/blessing.dll
  Resource: win10v2004-20221111-en

Behavioral task: behavioral5
  Sample: Inv_162_Jan-01_Copy/eveeftwedK/oakhidtino.cmd
  Resource: win7-20220812-en

Behavioral task: behavioral6
  Sample: Inv_162_Jan-01_Copy/eveeftwedK/oakhidtino.cmd
  Resource: win10v2004-20220901-en
General
Target: Inv_162_Jan-01_Copy/REF_Scan_01-09.lnk
Size: 1KB
MD5: 9236173d81765d9eecaffa7bea277241
SHA1: 3c6435f4b46131e1eeb45ba87519a42c9b03c103
SHA256: 15670b5b4cda3123d0a2f832bf393fbf16d7fa4635558de28220d56c42032b90
SHA512: ea010056be19fc5a3265b3303894b3c9753ed185c1bb7119016e0d8a18d5e9024e68eb48d83a13baa596c0a6646ad96bbf5ae14ad1ca352e39d5a31fec663365

Malware Config
Extracted
  Family: icedid
  Campaign: 3131022508
  C2: wagringamuk.com
Signatures

Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
    flow  pid  process
    2     884  rundll32.exe
    4     884  rundll32.exe
    5     884  rundll32.exe

Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
    pid  process
    884  rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid  process
    884  rundll32.exe
    884  rundll32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, cmd.exe
    description                        pid   process   target process
    PID 2024 wrote to memory of 1532   2024  cmd.exe   cmd.exe
    PID 2024 wrote to memory of 1532   2024  cmd.exe   cmd.exe
    PID 2024 wrote to memory of 1532   2024  cmd.exe   cmd.exe
    PID 1532 wrote to memory of 836    1532  cmd.exe   xcopy.exe
    PID 1532 wrote to memory of 836    1532  cmd.exe   xcopy.exe
    PID 1532 wrote to memory of 836    1532  cmd.exe   xcopy.exe
    PID 1532 wrote to memory of 884    1532  cmd.exe   rundll32.exe
    PID 1532 wrote to memory of 884    1532  cmd.exe   rundll32.exe
    PID 1532 wrote to memory of 884    1532  cmd.exe   rundll32.exe
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Inv_162_Jan-01_Copy\REF_Scan_01-09.lnk
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c eveeftwedK\oakhidtino.cmd A B C D E F G H I J K L M N O P t R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h eveeftwedK\blessing.dat C:\Users\Admin\AppData\Local\Temp\*

    C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\blessing.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\blessing.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

\Users\Admin\AppData\Local\Temp\blessing.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

memory/836-93-0x0000000000000000-mapping.dmp

memory/884-94-0x0000000000000000-mapping.dmp

memory/884-97-0x0000000000290000-0x0000000000299000-memory.dmp
  Filesize: 36KB

memory/1532-89-0x0000000000000000-mapping.dmp

memory/2024-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
  Filesize: 8KB