Analysis
- max time kernel: 75s
- max time network: 289s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 13-04-2023 13:06
Static task
- static1
Behavioral task
- behavioral1: sample opsuwp.dll, resource win7-20230220-en (windows7-x64), 3 signatures, 300 seconds
Behavioral task
- behavioral2: sample opsuwp.dll, resource win10v2004-20230220-en (windows10-2004-x64), 3 signatures, 300 seconds
General
- Target: opsuwp.dll
- Size: 285KB
- MD5: 9ab998c75a337aebfd1a5700edf913a1
- SHA1: 7dee076aa147d680bc3b032ce1fc985d86266e00
- SHA256: 5953f8f23092714626427316dd66ff2e160f03d2c57dcb1a4745d2e593c907ae
- SHA512: 626034ab533dbc8610fe4ead3ca02f74852ea825c04e5dcd29d1edef32f8fd29f36a5e777e4a1612da1f955dd912a5ec3fc38ddbf46cd4cbd0d1f8d995c4ea23
- SSDEEP: 6144:0M7fzNyxW2+E6jz98fTa628qFGMReiDJnD5K:0xW2N6GfiVGSz
Score
- 10/10
Malware Config
Extracted
- Family: icedid
- Botnet: 998075300
- C2:
  - alishaskainz.com
  - villageskaier.com
- Attributes:
  - auth_var: 56
  - url_path: /news/
Signatures
- Program crash (1 IoC)
  Processes:

  | pid  | pid_target | process      | target process |
  |------|------------|--------------|----------------|
  | 1812 | 932        | WerFault.exe | rundll32.exe   |

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (rundll32.exe, cmd.exe):

  | description                     | pid | process      | target process |
  |---------------------------------|-----|--------------|----------------|
  | PID 932 wrote to memory of 1812 | 932 | rundll32.exe | WerFault.exe   |
  | PID 932 wrote to memory of 1812 | 932 | rundll32.exe | WerFault.exe   |
  | PID 932 wrote to memory of 1812 | 932 | rundll32.exe | WerFault.exe   |
  | PID 676 wrote to memory of 1700 | 676 | cmd.exe      | rundll32.exe   |
  | PID 676 wrote to memory of 1700 | 676 | cmd.exe      | rundll32.exe   |
  | PID 676 wrote to memory of 1700 | 676 | cmd.exe      | rundll32.exe   |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\opsuwp.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 932 -s 84
    Signatures: Program crash
- C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32 opsuwp.dll,init --ashego=license.dat
Network
MITRE ATT&CK Matrix
Downloads
- memory/1700-54-0x0000000180000000-0x0000000180005000-memory.dmp (Filesize: 20KB)
- memory/1700-58-0x0000000180000000-0x0000000180005000-memory.dmp (Filesize: 20KB)
- memory/1700-59-0x0000000180000000-0x0000000180005000-memory.dmp (Filesize: 20KB)
- memory/1700-60-0x0000000001C20000-0x0000000001C24000-memory.dmp (Filesize: 16KB)