Overview

Report tabs (score per task):
Overview: 10
Static
INV_Scan_Jan.lnk (windows7-x64): 10
INV_Scan_Jan.lnk (windows10-2004-x64): 10
Requirements.lnk (windows7-x64): 3
Requirements.lnk (windows10-2004-x64): 7
hublamjogk...yU.cmd (windows7-x64): 1
hublamjogk...yU.cmd (windows10-2004-x64): 1
hublamjogk...ng.dll (windows7-x64): 1
hublamjogk...ng.dll (windows10-2004-x64): 1
projectt.py (windows7-x64): 3
projectt.py (windows10-2004-x64): 3
python.exe (windows7-x64): 1
python.exe (windows10-2004-x64): 1
pythonw.exe (windows7-x64): 1
pythonw.exe (windows10-2004-x64): 1

Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 16:51
Tasks
- Static task static1
- Behavioral task behavioral1: sample INV_Scan_Jan.lnk, resource win7-20221111-en
- Behavioral task behavioral2: sample INV_Scan_Jan.lnk, resource win10v2004-20220812-en
- Behavioral task behavioral3: sample Requirements.lnk, resource win7-20221111-en
- Behavioral task behavioral4: sample Requirements.lnk, resource win10v2004-20220812-en
- Behavioral task behavioral5: sample hublamjogk/bowsaptoyU.cmd, resource win7-20220812-en
- Behavioral task behavioral6: sample hublamjogk/bowsaptoyU.cmd, resource win10v2004-20221111-en
- Behavioral task behavioral7: sample hublamjogk/skysurfing.dll, resource win7-20221111-en
- Behavioral task behavioral8: sample hublamjogk/skysurfing.dll, resource win10v2004-20220901-en
- Behavioral task behavioral9: sample projectt.py, resource win7-20220812-en
- Behavioral task behavioral10: sample projectt.py, resource win10v2004-20221111-en
- Behavioral task behavioral11: sample python.exe, resource win7-20220812-en
- Behavioral task behavioral12: sample python.exe, resource win10v2004-20220812-en
- Behavioral task behavioral13: sample pythonw.exe, resource win7-20221111-en
- Behavioral task behavioral14: sample pythonw.exe, resource win10v2004-20221111-en
General
- Target: INV_Scan_Jan.lnk
- Size: 1KB
- MD5: fadc02361419018e406c6260200fa66c
- SHA1: 699e8bd78feaa75fbf411535a2f232038dc7af09
- SHA256: 4fbda5d7ac20f4ecef665c9379ea86f7dcc2ac7816c97601223f12a51a3e3e68
- SHA512: 96b87b914130e5eb5d96594797af7aaa6dc908028afead3d79d02912f20a333df0703a5972e228f268decf0d3821f005a0d716b2c69e7767dbc8495e21a4bfef
Malware Config
Extracted
- Family: icedid
- Campaign: 886885680
- C2: umousteraton.com
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow / pid / process):
  7   4528  rundll32.exe
  62  4528  rundll32.exe
  73  4528  rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  4528  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  4528  rundll32.exe
  4528  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  PID 3836 wrote to memory of 2084  3836  cmd.exe  cmd.exe
  PID 3836 wrote to memory of 2084  3836  cmd.exe  cmd.exe
  PID 2084 wrote to memory of 2200  2084  cmd.exe  xcopy.exe
  PID 2084 wrote to memory of 2200  2084  cmd.exe  xcopy.exe
  PID 2084 wrote to memory of 4528  2084  cmd.exe  rundll32.exe
  PID 2084 wrote to memory of 4528  2084  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\INV_Scan_Jan.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c hublamjogk\bowsaptoyU.cmd A B C D E F G H I J X L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\xcopy.exe (depth 3)
      Command line: xcopy /s /i /e /h hublamjogk\skysurfing.dat C:\Users\Admin\AppData\Local\Temp\*
    - C:\Windows\system32\rundll32.exe (depth 3)
      Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\skysurfing.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\skysurfing.dat
  Filesize: 514KB
  MD5: 0b44756101b2f2a79341c08bfebbaf46
  SHA1: a7eee2811565316f074f3b3e97eb56c4298eebb4
  SHA256: ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd
  SHA512: a1d2003a31b7cf15d7b7ab1c9bb86ce4eb4a5d510349972677b5fcdceaf7d106eacb87f946c95d756a892dc962e4144f2bb184a3376e11e97e80f8e05b4ff794
- memory/2084-132-0x0000000000000000-mapping.dmp
- memory/2200-133-0x0000000000000000-mapping.dmp
- memory/4528-134-0x0000000000000000-mapping.dmp
- memory/4528-137-0x0000000180000000-0x0000000180009000-memory.dmp
  Filesize: 36KB