Analysis
- max time kernel: 125s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-01-2023 17:10
Static task
- static1
Behavioral tasks
- behavioral1: Sample REF.lnk, Resource win7-20220812-en
- behavioral2: Sample REF.lnk, Resource win10v2004-20220812-en
- behavioral3: Sample rugcoyalls/mischannelling.dll, Resource win7-20221111-en
- behavioral4: Sample rugcoyalls/mischannelling.dll, Resource win10v2004-20221111-en
- behavioral5: Sample rugcoyalls/pangapsexN.cmd, Resource win7-20221111-en
- behavioral6: Sample rugcoyalls/pangapsexN.cmd, Resource win10v2004-20220812-en
General
- Target: REF.lnk
- Size: 1KB
- MD5: 86e6dafd4c33160834b62194ba32c5c3
- SHA1: b56f9d0bd9c05705bc3dc4f5bde87c6275eb5019
- SHA256: c06e1d8841faecf02f85d62a4311cab2a5f949cff1f5f30e228eeaf9ef593960
- SHA512: 23ba8b5c2f60f17eccdcf1d9f2f36a7001fd14888fbd69f8e1579c6733004c9320c6a0b9de4bc064a16da48a02bcfabf15f931c8d8b8c00d98eaaa1b58cdd6e6
Malware Config
Extracted
- Family: icedid
- Campaign: 1421378695
- C2: ebothlips.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  - 2 / 524 / rundll32.exe
  - 4 / 524 / rundll32.exe
  - 5 / 524 / rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 524 / rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 524 / rundll32.exe
  - 524 / rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 1552 wrote to memory of 1716 / 1552 / cmd.exe / cmd.exe
  - PID 1552 wrote to memory of 1716 / 1552 / cmd.exe / cmd.exe
  - PID 1552 wrote to memory of 1716 / 1552 / cmd.exe / cmd.exe
  - PID 1716 wrote to memory of 1004 / 1716 / cmd.exe / xcopy.exe
  - PID 1716 wrote to memory of 1004 / 1716 / cmd.exe / xcopy.exe
  - PID 1716 wrote to memory of 1004 / 1716 / cmd.exe / xcopy.exe
  - PID 1716 wrote to memory of 524 / 1716 / cmd.exe / rundll32.exe
  - PID 1716 wrote to memory of 524 / 1716 / cmd.exe / rundll32.exe
  - PID 1716 wrote to memory of 524 / 1716 / cmd.exe / rundll32.exe
Processes (tree depth shown by indentation)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\REF.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c rugcoyalls\pangapsexN.cmd A B C D E F G H I J K L M N O P l R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      Command line: xcopy /s /i /e /h rugcoyalls\mischannelling.dat C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\mischannelling.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mischannelling.dat
  Filesize: 544KB
  MD5: 93787c6a5ba46605c0916be28ef52bf1
  SHA1: c786205da7660fa7f76a41ed26b8d1c6aff95044
  SHA256: 2a07b1741dbf216a188938d0fec870f8395374f760c6bf452f0a0479e975b018
  SHA512: ade7b59752508a0abffd296a4abb780238b4ad39bfcb0333ba365b43ad9886929e97f0d64ce2c8fcd6cfb32572d0342f018cd88f6e55ea0822096eeedf5b8e4c
- \Users\Admin\AppData\Local\Temp\mischannelling.dat
  Filesize: 544KB
  MD5: 93787c6a5ba46605c0916be28ef52bf1
  SHA1: c786205da7660fa7f76a41ed26b8d1c6aff95044
  SHA256: 2a07b1741dbf216a188938d0fec870f8395374f760c6bf452f0a0479e975b018
  SHA512: ade7b59752508a0abffd296a4abb780238b4ad39bfcb0333ba365b43ad9886929e97f0d64ce2c8fcd6cfb32572d0342f018cd88f6e55ea0822096eeedf5b8e4c
- memory/524-94-0x0000000000000000-mapping.dmp
- memory/524-97-0x00000000001A0000-0x00000000001A9000-memory.dmp
  Filesize: 36KB
- memory/1004-93-0x0000000000000000-mapping.dmp
- memory/1552-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp
  Filesize: 8KB
- memory/1716-89-0x0000000000000000-mapping.dmp