Analysis
- max time kernel: 543s
- max time network: 546s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 20-01-2023 21:57
Static task: static1
Behavioral task: behavioral1
- Sample: Copy_INV_01-20.lnk
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Copy_INV_01-20.lnk
- Resource: win10-20220812-en
Behavioral task: behavioral3
- Sample: wisbispodi/rajsoldabS.cmd
- Resource: win7-20221111-en
Behavioral task: behavioral4
- Sample: wisbispodi/rajsoldabS.cmd
- Resource: win10-20220901-en
Behavioral task: behavioral5
- Sample: wisbispodi/tunneling.dll
- Resource: win7-20221111-en
Behavioral task: behavioral6
- Sample: wisbispodi/tunneling.dll
- Resource: win10-20220812-en
General
- Target: Copy_INV_01-20.lnk
- Size: 1KB
- MD5: 5900b90aa7c89d52dd2a78b71da2b570
- SHA1: 6acd798b509c629df3a817935e0c77e5dad22a6a
- SHA256: a10c3835f7bdb8f30c1126d5ee27dfb74be5c4e73412be9d37a544c6f95ceb4d
- SHA512: ca561013b6f4e9ec5de4e8facee720c16d2838f58ece67e71ba4a257f6ea46eb3fdcbcedf325813be249ec553af0bd4b144e1ac1c76719e6523f2c8e8f25a835
Malware Config
Extracted
icedid
886885680
umousteraton.com
Signatures
- Blocklisted process makes network request (10 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  2 | 4848 | rundll32.exe
  8 | 4848 | rundll32.exe
  9 | 4848 | rundll32.exe
  10 | 4848 | rundll32.exe
  11 | 4848 | rundll32.exe
  13 | 4848 | rundll32.exe
  18 | 4848 | rundll32.exe
  21 | 4848 | rundll32.exe
  22 | 4848 | rundll32.exe
  23 | 4848 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  4848 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid | process
  4848 | rundll32.exe
  4848 | rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1744 wrote to memory of 3788 | 1744 | cmd.exe | cmd.exe
  PID 1744 wrote to memory of 3788 | 1744 | cmd.exe | cmd.exe
  PID 3788 wrote to memory of 4424 | 3788 | cmd.exe | xcopy.exe
  PID 3788 wrote to memory of 4424 | 3788 | cmd.exe | xcopy.exe
  PID 3788 wrote to memory of 4848 | 3788 | cmd.exe | rundll32.exe
  PID 3788 wrote to memory of 4848 | 3788 | cmd.exe | rundll32.exe
Processes (tree; depth shown by indentation)
- [1] C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Copy_INV_01-20.lnk
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wisbispodi\rajsoldabS.cmd A B C D E F G H I J L L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\xcopy.exe
      xcopy /s /i /e /h wisbispodi\tunneling.dat C:\Users\Admin\AppData\Local\Temp\*
    - [3] C:\Windows\system32\rundll32.exe
      rundll32 C:\Users\Admin\AppData\Local\Temp\tunneling.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tunneling.dat
  Filesize: 514KB
  MD5: 0b44756101b2f2a79341c08bfebbaf46
  SHA1: a7eee2811565316f074f3b3e97eb56c4298eebb4
  SHA256: ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd
  SHA512: a1d2003a31b7cf15d7b7ab1c9bb86ce4eb4a5d510349972677b5fcdceaf7d106eacb87f946c95d756a892dc962e4144f2bb184a3376e11e97e80f8e05b4ff794
- \Users\Admin\AppData\Local\Temp\tunneling.dat
  Filesize: 514KB
  MD5: 0b44756101b2f2a79341c08bfebbaf46
  SHA1: a7eee2811565316f074f3b3e97eb56c4298eebb4
  SHA256: ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd
  SHA512: a1d2003a31b7cf15d7b7ab1c9bb86ce4eb4a5d510349972677b5fcdceaf7d106eacb87f946c95d756a892dc962e4144f2bb184a3376e11e97e80f8e05b4ff794
- memory/3788-116-0x0000000000000000-mapping.dmp
- memory/4424-117-0x0000000000000000-mapping.dmp
- memory/4848-118-0x0000000000000000-mapping.dmp
- memory/4848-121-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB