Analysis
- max time kernel: 121s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2023 20:44
Static task
- static1

Behavioral tasks (task: sample; resource)
- behavioral1: New folder/Copy_Document_01-19.lnk; win7-20220812-en
- behavioral2: New folder/Copy_Document_01-19.lnk; win10v2004-20221111-en
- behavioral3: New folder/fogduepetf/oftsaginnT.cmd; win7-20221111-en
- behavioral4: New folder/fogduepetf/oftsaginnT.cmd; win10v2004-20220812-en
- behavioral5: New folder/fogduepetf/rencountering.dll; win7-20220901-en
- behavioral6: New folder/fogduepetf/rencountering.dll; win10v2004-20220812-en
General
- Target: New folder/Copy_Document_01-19.lnk
- Size: 1KB
- MD5: 95174ee1b5da79b632d2ba14e5c25622
- SHA1: a60ba4fb1ea86520aa10fc170665249e39fd5a38
- SHA256: d52c73ab74ee564b66d6ec2195c4f6c28a26299b6ba55422c8bfd4f027c8f1b9
- SHA512: 164f285fc68fcae9ff3eec66ba77479afc52cf834fdff2743685c87e6fa03e73264bf51befeb3f5ea0a724181a3b1099738855325e988dfa8a168581ef134c55
Malware Config
- Extracted family: icedid
- 3108046779
- klayerziluska.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
    9, 5020, rundll32.exe
    37, 5020, rundll32.exe
    40, 5020, rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation, cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    5020, rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    5020, rundll32.exe
    5020, rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2912 wrote to memory of 4680, 2912, cmd.exe, cmd.exe
    PID 2912 wrote to memory of 4680, 2912, cmd.exe, cmd.exe
    PID 4680 wrote to memory of 1140, 4680, cmd.exe, xcopy.exe
    PID 4680 wrote to memory of 1140, 4680, cmd.exe, xcopy.exe
    PID 4680 wrote to memory of 5020, 4680, cmd.exe, rundll32.exe
    PID 4680 wrote to memory of 5020, 4680, cmd.exe, rundll32.exe
Processes (tree; depth shown by indentation)
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder\Copy_Document_01-19.lnk"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c fogduepetf\oftsaginnT.cmd A B C D v F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h fogduepetf\rencountering.dat C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\rencountering.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\rencountering.dat
  Filesize: 1002KB
  MD5: d0515acd0a80ad5273ad189e72aca86f
  SHA1: 494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5
  SHA256: 265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844
  SHA512: 2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa
- memory/1140-133-0x0000000000000000-mapping.dmp
- memory/4680-132-0x0000000000000000-mapping.dmp
- memory/5020-134-0x0000000000000000-mapping.dmp
- memory/5020-137-0x000001A7E4670000-0x000001A7E4679000-memory.dmp
  Filesize: 36KB