Analysis
- max time kernel: 142s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2023 13:14
Static task: static1
Behavioral task: behavioral1
Sample: Agenzia.url
Resource: win7-20231025-en
General
- Target: Agenzia.url
- Size: 204B
- MD5: 3bed3fb03b12000c17c2f1fdfb6befe1
- SHA1: 36e60975b967f852f5ed31788e480336f5ce3ac3
- SHA256: 522f6cd72ee97eb4d00c2b3ef4c93c4f3396f3c6c8f85dd58655a0edcd0b865d
- SHA512: b4bd6905634f6a64098fada9af984a5d97616eeabcaf0a482363ea759232dd4e887f4f0e854faf2366308a00d2ff292aab759bdfba8424d62b7869ba94e5a793
Malware Config
Extracted
- systembc
- 62.173.140.37:4001
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: rundll32.exe
    flow | pid  | process
    41   | 2816 | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: rundll32.exe
    description       | ioc                                                                                                   | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | rundll32.exe
- Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe
    pid  | process
    2816 | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes: rundll32.exe
    description | ioc                                                                               | process
    Key created | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings | rundll32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: rundll32.exe
    pid  | process
    5116 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe, control.exe, rundll32.exe
    description                      | pid  | process      | target process
    PID 5116 wrote to memory of 4304 | 5116 | rundll32.exe | control.exe
    PID 5116 wrote to memory of 4304 | 5116 | rundll32.exe | control.exe
    PID 4304 wrote to memory of 3936 | 4304 | control.exe  | rundll32.exe
    PID 4304 wrote to memory of 3936 | 4304 | control.exe  | rundll32.exe
    PID 3936 wrote to memory of 2816 | 3936 | rundll32.exe | rundll32.exe
    PID 3936 wrote to memory of 2816 | 3936 | rundll32.exe | rundll32.exe
    PID 3936 wrote to memory of 2816 | 3936 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia.url
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 5116
  - C:\Windows\System32\control.exe
    Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X7JAO703\config[1].cpl",
    - Suspicious use of WriteProcessMemory
    PID: 4304
    - C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X7JAO703\config[1].cpl",
      - Suspicious use of WriteProcessMemory
      PID: 3936
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X7JAO703\config[1].cpl",
        - Blocklisted process makes network request
        - Loads dropped DLL
        PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
  MD5: 509b68725e595b30fb2f38c8ea2cf9c4
  SHA1: 1aff17b87ff213c1a8f4c8cfe48782e636b6fb32
  SHA256: 4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
  SHA512: dc7a8e6404c3b1e2600c16c66ed023e6e5f7010efa96fa2c4c5abf8fe4a8c4847abd133a1198d4bb12224c93d4ede1ef1dfe1c6c584749160e9beff2a1585389