Analysis
Max time kernel: 122s
Max time network: 139s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-01-2023 16:54
Tasks
Static task static1
Behavioral task behavioral1: sample INV_Scan_Jan.lnk, resource win7-20220812-en
Behavioral task behavioral2: sample INV_Scan_Jan.lnk, resource win10v2004-20220901-en
Behavioral task behavioral3: sample hublamjogk/bowsaptoyU.cmd, resource win7-20220812-en
Behavioral task behavioral4: sample hublamjogk/bowsaptoyU.cmd, resource win10v2004-20221111-en
Behavioral task behavioral5: sample hublamjogk/skysurfing.dll, resource win7-20221111-en
Behavioral task behavioral6: sample hublamjogk/skysurfing.dll, resource win10v2004-20220812-en
The results on this page are from behavioral2 (INV_Scan_Jan.lnk on win10v2004-20220901-en); the other tasks are listed for reference only.
General
Target: INV_Scan_Jan.lnk
Size: 1KB
MD5: fadc02361419018e406c6260200fa66c
SHA1: 699e8bd78feaa75fbf411535a2f232038dc7af09
SHA256: 4fbda5d7ac20f4ecef665c9379ea86f7dcc2ac7816c97601223f12a51a3e3e68
SHA512: 96b87b914130e5eb5d96594797af7aaa6dc908028afead3d79d02912f20a333df0703a5972e228f268decf0d3821f005a0d716b2c69e7767dbc8495e21a4bfef
Malware Config
Extracted
Family: icedid
Campaign ID: 886885680
C2: umousteraton.com
Signatures

Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
    7    2300  rundll32.exe
    43   2300  rundll32.exe
    47   2300  rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe

Loads dropped DLL (1 IoC)
  Processes (pid, process):
    2300  rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report supports that reading, and the extracted configuration identifies the payload as IcedID.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    2300  rundll32.exe
    2300  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2324 wrote to memory of 3676   2324 cmd.exe   -> cmd.exe
    PID 2324 wrote to memory of 3676   2324 cmd.exe   -> cmd.exe
    PID 3676 wrote to memory of 3152   3676 cmd.exe   -> xcopy.exe
    PID 3676 wrote to memory of 3152   3676 cmd.exe   -> xcopy.exe
    PID 3676 wrote to memory of 2300   3676 cmd.exe   -> rundll32.exe
    PID 3676 wrote to memory of 2300   3676 cmd.exe   -> rundll32.exe
Processes
(Depth is shown by indentation; the PIDs are taken from the WriteProcessMemory IoCs above.)

C:\Windows\system32\cmd.exe  (PID 2324)
  cmd /c C:\Users\Admin\AppData\Local\Temp\INV_Scan_Jan.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 3676)
    "C:\Windows\System32\cmd.exe" /c hublamjogk\bowsaptoyU.cmd A B C D E F G H I J X L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\xcopy.exe  (PID 3152)
      xcopy /s /i /e /h hublamjogk\skysurfing.dat C:\Users\Admin\AppData\Local\Temp\*

    C:\Windows\system32\rundll32.exe  (PID 2300)
      rundll32 C:\Users\Admin\AppData\Local\Temp\skysurfing.dat,init
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

The chain is: the .cmd script receives the alphabet and digits as positional parameters, xcopy stages skysurfing.dat into the user's Temp directory, and rundll32 loads that file as a DLL by calling its exported function init. The rundll32 process (2300) is the one that then makes the blocklisted network requests.
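Detection logic for the staging chain above, as an added example that is not part of the sandbox report or of the sample: a copy tool writes a file into a user-writable directory and a sibling rundll32 (same parent cmd.exe) loads it under a non-.dll name with an explicit export. The records below are constructed Sysmon Event ID 1 style process-creation entries modelled on the tree; the PIDs are the ones in the report, the root parent PID 1000 and the benign rundll32 control record are assumptions, and the .cmd argument list is abbreviated.

```python
# Added example, not part of the sandbox report or the malware: detection rules
# for "copy tool stages a file, sibling rundll32 loads it by a non-.dll name",
# run over constructed Sysmon-style process-creation records.
import ntpath
import re
from collections import defaultdict

# Constructed records modelled on the report's process tree. PIDs 2324/3676/3152/2300
# are from the WriteProcessMemory IoCs; ppid 1000 and the pid 4100 control are assumed.
EVENTS = [
    {"pid": 2324, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\INV_Scan_Jan.lnk"},
    {"pid": 3676, "ppid": 2324, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c hublamjogk\bowsaptoyU.cmd A B C'},
    {"pid": 3152, "ppid": 3676, "image": r"C:\Windows\system32\xcopy.exe",
     "cmdline": r"xcopy /s /i /e /h hublamjogk\skysurfing.dat C:\Users\Admin\AppData\Local\Temp\*"},
    {"pid": 2300, "ppid": 3676, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\Admin\AppData\Local\Temp\skysurfing.dat,init"},
    # Benign control (constructed): rundll32 loading a system DLL by name, no staging.
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 <module>,<export>; tolerates a quoted image path and a quoted module path.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
# Directories a standard user can write to; %TEMP% lives under AppData\Local.
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}


def parse_rundll32(cmdline):
    """Return (module_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("module"), m.group("export")) if m else None


def rundll32_non_dll_from_user_dir(ev):
    """Rule 1: rundll32 calls an export of a file in a user-writable directory
    whose extension is not .dll (the report's skysurfing.dat,init)."""
    if ntpath.basename(ev["image"]).lower() != "rundll32.exe":
        return False
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return False
    module, _export = parsed
    in_user_dir = USER_WRITABLE_RE.search(module) is not None
    return in_user_dir and ntpath.splitext(module)[1].lower() != ".dll"


def copy_source_basename(cmdline):
    """Basename of the first non-switch argument of an xcopy/robocopy command line."""
    args = [t for t in cmdline.split()[1:] if not t.startswith("/")]
    return ntpath.basename(args[0]).lower() if args else None


def staged_then_loaded(events):
    """Rule 2: a copy tool stages a file and a sibling rundll32 (same parent PID)
    loads a module with that basename. Returns the matching rundll32 PIDs."""
    staged = defaultdict(set)  # parent pid -> basenames copied by its children
    for ev in events:
        if ntpath.basename(ev["image"]).lower() in COPY_TOOLS:
            name = copy_source_basename(ev["cmdline"])
            if name:
                staged[ev["ppid"]].add(name)
    hits = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(ev["cmdline"])
        if parsed and ntpath.basename(parsed[0]).lower() in staged[ev["ppid"]]:
            hits.append(ev["pid"])
    return hits


def ancestry(events, pid):
    """Image basenames from pid up to the root, for alert context."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Run both rules; returns (rule, pid, ancestry) tuples."""
    alerts = [("rundll32_non_dll_from_user_dir", ev["pid"], ancestry(events, ev["pid"]))
              for ev in events if rundll32_non_dll_from_user_dir(ev)]
    alerts += [("staged_then_loaded", pid, ancestry(events, pid))
               for pid in staged_then_loaded(events)]
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule}: pid {pid}, chain {' <- '.join(chain)}")
```

Rule 1 fires on the report's rundll32 line alone; rule 2 needs the xcopy sibling and so survives a rename of the staged file to .dll, which rule 1 would miss. Both rules are silent on the shell32.dll control.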
Downloads

C:\Users\Admin\AppData\Local\Temp\skysurfing.dat
  Filesize: 514KB
  MD5: 0b44756101b2f2a79341c08bfebbaf46
  SHA1: a7eee2811565316f074f3b3e97eb56c4298eebb4
  SHA256: ad174760985c5418b4a3c3a97cd8d7658e3bbb7030f72f2eff9ff97e57f200bd
  SHA512: a1d2003a31b7cf15d7b7ab1c9bb86ce4eb4a5d510349972677b5fcdceaf7d106eacb87f946c95d756a892dc962e4144f2bb184a3376e11e97e80f8e05b4ff794
Memory dumps
  memory/2300-134-0x0000000000000000-mapping.dmp
  memory/2300-137-0x0000000180000000-0x0000000180009000-memory.dmp  (36KB)
  memory/3152-133-0x0000000000000000-mapping.dmp
  memory/3676-132-0x0000000000000000-mapping.dmp
The 36KB region at 0x180000000 is from the rundll32 process (2300); 0x180000000 is the default image base of 64-bit DLLs, consistent with the dropped module being mapped there.