Analysis
max time kernel: 134s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2023 13:07
Static task: static1
Behavioral task: behavioral1
Sample: Agenzia_Entrate.url
Resource: win7-20231020-en
General
Target: Agenzia_Entrate.url
Size: 204B
MD5: 111a51917160126faf0de997749c4a84
SHA1: 4b872bf6d21caa3e3c56b380ddf0f7accb3343de
SHA256: 3c18e64435871f8e9fd9c1d379f6cb76f4a5e8c5734386ff9ae10e35fb666112
SHA512: c127498748011824f160e251335414471f28e74218f6d7a4850c4e470e3147741a0ec623a695e8b55f84410c826fd39fd82a86ce37dca0771493fb47f114ec6c
Malware Config
Extracted
systembc
62.173.140.37:4001
Signatures
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
77    1780  rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                process
Key value queried  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation  rundll32.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
1780  rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                                process
Key created  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings  rundll32.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                        pid   process       target process
PID 1276 wrote to memory of 4864   1276  rundll32.exe  control.exe
PID 1276 wrote to memory of 4864   1276  rundll32.exe  control.exe
PID 4864 wrote to memory of 2068   4864  control.exe   rundll32.exe
PID 4864 wrote to memory of 2068   4864  control.exe   rundll32.exe
PID 2068 wrote to memory of 1780   2068  rundll32.exe  rundll32.exe
PID 2068 wrote to memory of 1780   2068  rundll32.exe  rundll32.exe
PID 2068 wrote to memory of 1780   2068  rundll32.exe  rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
1276  rundll32.exe
Processes
C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate.url
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1276
  C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\config[1].cpl",
    - Suspicious use of WriteProcessMemory
    PID:4864
    C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\config[1].cpl",
      - Suspicious use of WriteProcessMemory
      PID:2068
      C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\config[1].cpl",
        - Blocklisted process makes network request
        - Loads dropped DLL
        PID:1780
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.6MB
MD5: 509b68725e595b30fb2f38c8ea2cf9c4
SHA1: 1aff17b87ff213c1a8f4c8cfe48782e636b6fb32
SHA256: 4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
SHA512: dc7a8e6404c3b1e2600c16c66ed023e6e5f7010efa96fa2c4c5abf8fe4a8c4847abd133a1198d4bb12224c93d4ede1ef1dfe1c6c584749160e9beff2a1585389