Analysis
Max time kernel: 144s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-01-2023 17:38
Static task: static1
Behavioral task: behavioral1
  Sample: Document_85_Copy_01-12.zip
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Document_85_Copy_01-12.zip
  Resource: win10v2004-20221111-en
General
Target: Document_85_Copy_01-12.zip
Size: 108KB
MD5: 9be51ec0cc1d11ec3954a2334059300e
SHA1: 5b6c04e35e2b0b3c3129a05519790cdb7a60a67f
SHA256: 08f1fcad30ccf7fa1cfc59033a91d984a3dbeda5d581b0b24a196b80512c551d
SHA512: 0d2dd88d144b194e7a75b8410c329cbfaea8e7a38fd1ec9a79f4839be1b0299d34fb3fb80174f477427bfb7d95f9327526e67b326a3ee0c861c5cfa849a6aa36
SSDEEP: 3072:wjVCUVdwZ1VHTPxH+/2D3hGaLU5x7QsUeN7Iz:X2wZjHrxH+/YxGDjQsp2z
Malware Config
Extracted
Family: icedid
Campaign: 1387823457
C2: allertmnemonkik.com
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
  49 | 3440 | rundll32.exe
  52 | 3440 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  3440 | rundll32.exe
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\E: | cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  3440 | rundll32.exe
  3440 | rundll32.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 1076 wrote to memory of 1576 | 1076 | cmd.exe | xcopy.exe
  PID 1076 wrote to memory of 1576 | 1076 | cmd.exe | xcopy.exe
  PID 1076 wrote to memory of 3440 | 1076 | cmd.exe | rundll32.exe
  PID 1076 wrote to memory of 3440 | 1076 | cmd.exe | rundll32.exe
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Document_85_Copy_01-12.zip
  PID: 872
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1804
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c getgunputY\aidduecabj.cmd A B C D E F G H I J K L M N O P x R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  Signatures: Enumerates connected drives; Suspicious use of WriteProcessMemory
  PID: 1076
  - C:\Windows\system32\xcopy.exe (child of cmd.exe, PID 1076)
    Command line: xcopy /s /i /e /h getgunputY\halterbreaking.dat C:\Users\Admin\AppData\Local\Temp\*
    PID: 1576
  - C:\Windows\system32\rundll32.exe (child of cmd.exe, PID 1076)
    Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\halterbreaking.dat,init
    Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
    PID: 3440
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\halterbreaking.dat
  Filesize: 189KB
  MD5: c9f3dd6dddcd3beb7070d9f915219034
  SHA1: c3f080523dc1b8c444742f372b9d212743b8a503
  SHA256: 65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984
  SHA512: 41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b
- memory/1576-132-0x0000000000000000-mapping.dmp
- memory/3440-133-0x0000000000000000-mapping.dmp
- memory/3440-136-0x0000025EDDF70000-0x0000025EDDF79000-memory.dmp
  Filesize: 36KB