Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 23-06-2021 14:18
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: core/cmd.bat, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: core/cmd.bat, Resource: win10v20210408)
- Behavioral task: behavioral3 (Sample: core/genre-64.dat.dll, Resource: win7v20210408)
- Behavioral task: behavioral4 (Sample: core/genre-64.dat.dll, Resource: win10v20210408)
General
- Target: core/cmd.bat
- Size: 188B
- MD5: 18922a31adfef9144b9c68694a211b48
- SHA1: 1e63fbb6511e15ba07f555c11b2a05d63e49b5a3
- SHA256: 68867aec1fd8a6eb416081c747705e847de95c033f5b38eb57ea575c69397210
- SHA512: 573349edbae1baf769457402c65670b9d76facec7c056010a7b2a556d433d9176418cd4a2a39dd04654c3c4216019d27d47e15a6c1fd4f4fdcc57d5f98664a4a
Malware Config
Extracted: icedid
- 987543880
- fimlubindu.top
- vindurualeg.top
- bigcostarikas.top
- extrimefigim.top
- auth_var: 8
- url_path: /news/
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow 4, pid 2004, rundll32.exe
  flow 6, pid 2004, rundll32.exe
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{E6AB5750-EA5C-083E-FBB2-6959D4C53546} (rundll32.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\CLSID\{E6AB5750-EA5C-083E-FBB2-6959D4C53546}\ = (value elided) (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid 2004, rundll32.exe (64 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe
  PID 540 (cmd.exe) wrote to memory of PID 2004 (rundll32.exe), 3 occurrences
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\genre-64.dat,update /i:"license.dat"
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Roaming\license.dat
  MD5: 3c6263a9c4117c78d26fc4380af014f2
  SHA1: eca410dd57af16227220e08067c1895c258eb92b
  SHA256: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
  SHA512: 0969cde0d327b9f4b2be708437aea2a1d7a9ba9482125e143ce25c6a2f07e8ee1fa9b23e12f4e88157305f59209e2a8b3a2b2e7eb143b114e3f0c95ba57a2e1a
- memory/2004-60-0x0000000000000000-mapping.dmp
- memory/2004-62-0x0000000001C80000-0x0000000001CD8000-memory.dmp (Filesize: 352KB)
- memory/2004-63-0x0000000001C40000-0x0000000001C77000-memory.dmp (Filesize: 220KB)