Analysis
- max time kernel: 122s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-01-2023 04:49
Static task
- static1
Behavioral tasks
- behavioral1: sample request_01-10_INV-165/CopyFolder_01-10.lnk, resource win7-20221111-en
- behavioral2: sample request_01-10_INV-165/CopyFolder_01-10.lnk, resource win10v2004-20220812-en
- behavioral3: sample request_01-10_INV-165/potyourueZ/disintoxicating.dll, resource win7-20221111-en
- behavioral4: sample request_01-10_INV-165/potyourueZ/disintoxicating.dll, resource win10v2004-20220901-en
- behavioral5: sample request_01-10_INV-165/potyourueZ/oilgotyeph.cmd, resource win7-20221111-en
- behavioral6: sample request_01-10_INV-165/potyourueZ/oilgotyeph.cmd, resource win10v2004-20220812-en
General
- Target: request_01-10_INV-165/CopyFolder_01-10.lnk
- Size: 1KB
- MD5: 5e64311f25ab2e189959f4d722fa628a
- SHA1: d3b99bae9540023c808b4491f5bbac220dcc49d1
- SHA256: fd5bc33b7fb4dffadbeb24bb33d03e26fa6bce46a326a096fe555afc6fa60b53
- SHA512: c08c348314dd624ee91ce471b0c232f0b340e508d6167720d0cef95aba24962347efc25c82b1c6f044ddb2f0ea0edd4709166325bed21224b3a1f3dd3f1f074d
Malware Config
Extracted:
- icedid
- 1421378695
- ebothlips.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  - flow 5, pid 4920, rundll32.exe
  - flow 60, pid 4920, rundll32.exe
  - flow 103, pid 4920, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
  - pid 4920, rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - pid 4920, rundll32.exe
  - pid 4920, rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 4876 wrote to memory of 4964: cmd.exe -> cmd.exe
  - PID 4876 wrote to memory of 4964: cmd.exe -> cmd.exe
  - PID 4964 wrote to memory of 4944: cmd.exe -> xcopy.exe
  - PID 4964 wrote to memory of 4944: cmd.exe -> xcopy.exe
  - PID 4964 wrote to memory of 4920: cmd.exe -> rundll32.exe
  - PID 4964 wrote to memory of 4920: cmd.exe -> rundll32.exe
Processes (indented by depth in the process tree)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\request_01-10_INV-165\CopyFolder_01-10.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c potyourueZ\oilgotyeph.cmd A B C D E F G H I J K L M N O P a R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      Command line: xcopy /s /i /e /h potyourueZ\disintoxicating.dat C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\disintoxicating.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\disintoxicating.dat
  Filesize: 544KB
  MD5: 93787c6a5ba46605c0916be28ef52bf1
  SHA1: c786205da7660fa7f76a41ed26b8d1c6aff95044
  SHA256: 2a07b1741dbf216a188938d0fec870f8395374f760c6bf452f0a0479e975b018
  SHA512: ade7b59752508a0abffd296a4abb780238b4ad39bfcb0333ba365b43ad9886929e97f0d64ce2c8fcd6cfb32572d0342f018cd88f6e55ea0822096eeedf5b8e4c
- memory/4920-134-0x0000000000000000-mapping.dmp
- memory/4920-137-0x00000239E2630000-0x00000239E2639000-memory.dmp
  Filesize: 36KB
- memory/4944-133-0x0000000000000000-mapping.dmp
- memory/4964-132-0x0000000000000000-mapping.dmp