Analysis
max time kernel: 243s
max time network: 247s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11-01-2023 12:28
Static task: static1
Behavioral task: behavioral1
  Sample: Inv_246_Jan-01_Copy.zip
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Inv_246_Jan-01_Copy.zip
  Resource: win10v2004-20221111-en
General
Target: Inv_246_Jan-01_Copy.zip
Size: 338KB
MD5: 476898988e061573ae520e22513b8ce6
SHA1: 0509467c8301dbb173ed2b68433e3bfa918cc75e
SHA256: e0d40aaf4e09fa69aaf6ee0858b18a6d9f036737914dd42061d8a10e2595929d
SHA512: 40a202c8cf276cc9baf0ae5af3d5869849d31ce798592344770e7a8ad65c9260b08d2dae88be8765c24023e363af9a31137f61349aefa12ee27c939f68e4b793
SSDEEP: 6144:f9mKHBHklhbsbNEMepLNgrl803tGv+k0fP/QjvfqtEjOlWMlW:L1KtK6LNylVtbP/QIIxMlW
Malware Config
Extracted
icedid
3131022508
wagringamuk.com
Signatures

Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  4     1744  rundll32.exe
  5     1744  rundll32.exe
  6     1744  rundll32.exe

Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid   process
  1744  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid   process
  1744  rundll32.exe
  1744  rundll32.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: AUDIODG.EXE, 7zG.exe
  description                        pid   process
  Token: 33                          1748  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1748  AUDIODG.EXE
  Token: 33                          1748  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1748  AUDIODG.EXE
  Token: SeRestorePrivilege          1648  7zG.exe
  Token: 35                          1648  7zG.exe
  Token: SeSecurityPrivilege         1648  7zG.exe
  Token: SeSecurityPrivilege         1648  7zG.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 7zG.exe
  pid   process
  1648  7zG.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, cmd.exe
  description                        pid   process  target process
  PID 2008 wrote to memory of 316    2008  cmd.exe  xcopy.exe
  PID 2008 wrote to memory of 316    2008  cmd.exe  xcopy.exe
  PID 2008 wrote to memory of 316    2008  cmd.exe  xcopy.exe
  PID 2008 wrote to memory of 1744   2008  cmd.exe  rundll32.exe
  PID 2008 wrote to memory of 1744   2008  cmd.exe  rundll32.exe
  PID 2008 wrote to memory of 1744   2008  cmd.exe  rundll32.exe
  PID 976 wrote to memory of 1624    976   cmd.exe  xcopy.exe
  PID 976 wrote to memory of 1624    976   cmd.exe  xcopy.exe
  PID 976 wrote to memory of 1624    976   cmd.exe  xcopy.exe
Processes

C:\Windows\Explorer.exe (PID 1088)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Inv_246_Jan-01_Copy.zip

C:\Windows\explorer.exe (PID 384)
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE (PID 1748)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x50c
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\isoburn.exe (PID 1488)
  Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy.iso"

C:\Program Files\7-Zip\7zG.exe (PID 1648)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\" -spe -an -ai#7zMap12136:96:7zEvent4592
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\cmd.exe (PID 2008)
  Command line: "C:\Windows\System32\cmd.exe" /c endgasmagg\gaganylita.cmd A B C D E F G H I J K L M N O P s R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\xcopy.exe (PID 316)
      Command line: xcopy /s /i /e /h endgasmagg\housebreaking.dat C:\Users\Admin\AppData\Local\Temp\*
    C:\Windows\system32\rundll32.exe (PID 1744)
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\housebreaking.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmd.exe (PID 976)
  Command line: cmd /c ""C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\endgasmagg\gaganylita.cmd" "
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\xcopy.exe (PID 1624)
      Command line: xcopy /s /i /e /h endgasmagg\housebreaking.dat C:\Users\Admin\AppData\Local\Temp\*
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\housebreaking.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\endgasmagg\gaganylita.cmd
  Filesize: 1KB
  MD5: f4ea115a31045d06a7c108c27db77563
  SHA1: 30737067b1496192c4e78f992245d2ff40002ad0
  SHA256: 785cf3ad80b7bec87cd9666ef2bd0ea384ac83e7208241616e57f93c5bde5531
  SHA512: 1debd75fbdfa81a0aada1e7b114451a4f5cc617a18b59e378f07bbebd78908107efa6ff86090089e5963ed91c6a017e89fc2310838b7b7edbf0bc20f5ef13f81

C:\Users\Admin\Desktop\Inv_246_Jan-01_Copy\endgasmagg\housebreaking.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

\Users\Admin\AppData\Local\Temp\housebreaking.dat
  Filesize: 788KB
  MD5: 15dd0873cb6bef0c8e89a0319a202c3a
  SHA1: 6b49af73134d502d35d81cb978075761dc3b71fa
  SHA256: 180bc8d0f85146d6d16fa8079e38ca5e84756f1e201fc7259464addbaee15ff2
  SHA512: 3b1e4b176835eeae62e5ed4ac65b97e26b4471fba4aa0514c969fac8184fdcecaa82e7c9d286d9bec909bf72cce0c6cce6bfa6ec1a2adadb463a0584d6b8d200

memory/316-58-0x0000000000000000-mapping.dmp

memory/384-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
  Filesize: 8KB

memory/1624-69-0x0000000000000000-mapping.dmp

memory/1744-60-0x0000000000000000-mapping.dmp

memory/1744-63-0x0000000000110000-0x0000000000119000-memory.dmp
  Filesize: 36KB