Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-06-2021 14:18
- Static task static1
- Behavioral task behavioral1: sample core/cmd.bat, resource win7v20210410
- Behavioral task behavioral2: sample core/cmd.bat, resource win10v20210408
- Behavioral task behavioral3: sample core/genre-64.dat.dll, resource win7v20210408
- Behavioral task behavioral4: sample core/genre-64.dat.dll, resource win10v20210408
General
- Target: core/cmd.bat
- Size: 188B
- MD5: 18922a31adfef9144b9c68694a211b48
- SHA1: 1e63fbb6511e15ba07f555c11b2a05d63e49b5a3
- SHA256: 68867aec1fd8a6eb416081c747705e847de95c033f5b38eb57ea575c69397210
- SHA512: 573349edbae1baf769457402c65670b9d76facec7c056010a7b2a556d433d9176418cd4a2a39dd04654c3c4216019d27d47e15a6c1fd4f4fdcc57d5f98664a4a
Malware Config
Extracted: icedid
- 987543880
- fimlubindu.top
- vindurualeg.top
- bigcostarikas.top
- extrimefigim.top
- auth_var: 8
- url_path: /news/
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow 16, PID 580, rundll32.exe
  flow 18, PID 580, rundll32.exe
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{9C56E359-4ED7-E889-A0D0-890212DFC268} by rundll32.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{9C56E359-4ED7-E889-A0D0-890212DFC268}\ = … by rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe, PID 580 (64 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
  PID 3628 cmd.exe wrote to memory of PID 580 rundll32.exe (2 occurrences)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\genre-64.dat,update /i:"license.dat"
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Roaming\license.dat
  MD5: 3c6263a9c4117c78d26fc4380af014f2
  SHA1: eca410dd57af16227220e08067c1895c258eb92b
  SHA256: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
  SHA512: 0969cde0d327b9f4b2be708437aea2a1d7a9ba9482125e143ce25c6a2f07e8ee1fa9b23e12f4e88157305f59209e2a8b3a2b2e7eb143b114e3f0c95ba57a2e1a
- memory/580-114-0x0000000000000000-mapping.dmp
- memory/580-116-0x0000021B4F000000-0x0000021B4F058000-memory.dmp (filesize 352KB)
- memory/580-117-0x0000021B4EC80000-0x0000021B4ECB7000-memory.dmp (filesize 220KB)