Analysis
- max time kernel: 132s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2023 13:59

Static task: static1

Behavioral task: behavioral1
- Sample: Paid_Offer_83_Jan_19.iso
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: Paid_Offer_83_Jan_19.iso
- Resource: win10v2004-20221111-en
General
- Target: Paid_Offer_83_Jan_19.iso
- Size: 2.1MB
- MD5: ff20b342043378b018b88b39d572dfc5
- SHA1: d69b4ef00f4635c01302767bbdbb0a24bd7bb9fa
- SHA256: 2189c2323d2e626f7daa81eeccb6cfb225d3866a0d4532aef070711ac59b09c7
- SHA512: e428688b9ef005a1e2ab75a3e2b25b0887bbdac44d145e9cb2957f050d3aa26782157acb82d03755fb487fe15539d3ab44d68fac4cc20cd7565a6c290e49f00a
- SSDEEP: 24576:rkmZDEMHhp9v1Ikbn3ND0TAVOsIut8P4zlIKE2r/7Bk:QmZFHhp9v1Io3h0TA3pJk
Malware Config
Extracted
- Family: icedid
- Campaign ID: 3108046779
- C2: klayerziluska.com
Signatures
- Loads dropped DLL (1 IoC)
  Processes: PID 1692 rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: PID 1716 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1692 rundll32.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (PID, process: tokens/privileges adjusted, in order):
    1856 AUDIODG.EXE: Token 33, SeIncBasePriorityPrivilege, Token 33, SeIncBasePriorityPrivilege
    1208 7zG.exe: SeRestorePrivilege, Token 35, SeSecurityPrivilege, SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 1208 7zG.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID, source process -> target PID, target process):
    1168 cmd.exe -> 540 isoburn.exe (3 events)
    904 cmd.exe -> 1100 xcopy.exe (3 events)
    904 cmd.exe -> 1692 rundll32.exe (3 events)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Paid_Offer_83_Jan_19.iso
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\isoburn.exe
    Command line: "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Paid_Offer_83_Jan_19.iso"
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x56c
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Paid_Offer_83_Jan_19\" -spe -an -ai#7zMap25875:120:7zEvent28020
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log
  Signatures: Opens file in notepad (likely ransom note)
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ragpewleaK\lawfinledr.cmd A B C D I F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\xcopy.exe
    Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\overprogramming.dat,init
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses