Analysis
- max time kernel: 152s
- max time network: 131s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 04-11-2021 16:55
Static task: static1
Behavioral task: behavioral1 (sample: core.bat, resource: win7-en-20211014)
Behavioral task: behavioral2 (sample: core.bat, resource: win10-en-20210920)
Behavioral task: behavioral3 (sample: juice_64.tmp.dll, resource: win7-en-20210920)
Behavioral task: behavioral4 (sample: juice_64.tmp.dll, resource: win10-en-20211014)
General
- Target: core.bat
- Size: 184B
- MD5: 00d922001e1ea040454c350b63619bd3
- SHA1: b45abf4e6fe04d5e15514138ec4e5e020af0980d
- SHA256: 3b06cc4363bbc2dc5ec736e73b7807ac1beedd5bb8d08076f74736df17655157
- SHA512: 0de1ec67e3dfb55e89b309c0225da6f4db986eaa1cb4c0fd3b30526e594e74132cef82813e0201425a6aa0a8ed69dce4ca8f1ff8555433d5b68fad71b263aa6f
Malware Config
Extracted
- Family: icedid
- Campaign ID: 1217670233
- C2 domains: lakogrefop.rest, hangetilin.top, follytresh.co, novemberprosse.space
- auth_var: 13
- url_path: /posts/
Extracted
- Family: icedid
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow 3, pid 764, rundll32.exe
  flow 5, pid 764, rundll32.exe
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe
  pid 300, rundll32.exe (4 entries)
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\CLSID\{2EB848D3-8A17-C434-34FA-AA70B9100F8C}\ = 9ada0d13c43abb23566acf32fd2fa4a54d60a5eaee6d38d74eb41ae10efc493de667b5bfdaff08863cf285a7bbc39d4ed4b39565cedc3ac7285a09b4454414248937b910e4692320b70d5601bf425c5757432d14d93393b5d67f71dcb3dddbc4c9151ef2f786b751bd72cc31197ccc1ff30ee1f7bb6eb47535e44a1a2c494a4ba18d3555240a83c5a017f5eae9ec78af1c7eaf806349c766abdbbe943151241fa16061ad057d288842243158c1047c3c5d444059870ae5ec73f283a10876b6c8c5726830d2e763661d02ca902ccb90026aebdc3d4c8de570a78a30095a3a445e5d59dad366968e0768ba07e3f2fc78fd92aa90926fd479ac80bd540fcf8f3ccc9007b434fd96b60b5a41b99bae1fd58196b7d5b000c4945bfe7421495079b2ee1efbe8e2ee29f15ce972a189b10743493bd80ada06e234a512f3a977b70378291ea061e2ede56da044ac2926cf850767b79e2215cefce971f18321c8164600a160e1ed652d4094c465ce095a46595ecc1b7c29de8165c9959a3d590da510773254876502d8 (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\CLSID\{2EB848D3-8A17-C434-34FA-AA70B9100F8C} (rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid 764, rundll32.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, taskeng.exe
  PID 1896 (cmd.exe) wrote to memory of 764 (rundll32.exe)
  PID 1896 (cmd.exe) wrote to memory of 764 (rundll32.exe)
  PID 1896 (cmd.exe) wrote to memory of 764 (rundll32.exe)
  PID 1864 (taskeng.exe) wrote to memory of 300 (rundll32.exe)
  PID 1864 (taskeng.exe) wrote to memory of 300 (rundll32.exe)
  PID 1864 (taskeng.exe) wrote to memory of 300 (rundll32.exe)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\juice_64.tmp,DllMain /i="license.dat"
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {28D9DD5C-E5A9-40DC-9271-29724FC684B0} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\evim64\Zausks.dll",DllMain --imbauw="license.dat"
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\evim64\Zausks.dll
  MD5: 5bcb16eeb50d03f0f64dd32169d114e7
  SHA1: 728535ce1b9bc2f0a975c81096c8f849e7c84f75
  SHA256: 086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1
  SHA512: ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011
- C:\Users\Admin\AppData\Roaming\license.dat
  MD5: b03af34cc11c8bd53afd958c839dd59f
  SHA1: d9c90d8f770be66850ea0734580867c16d64b404
  SHA256: 71c9c15896b027fd830423f6226587bdad3f09681799bf3e69abb0479f18a853
  SHA512: c33204f04a99272a1619a4fe6e3ba5e128c437968f8f570c12ffbf20a71e2b617535a70bf51f9d4ddcccc7f44804a13a4528ece4470e4ee53273ad1806313911
- \Users\Admin\AppData\Local\evim64\Zausks.dll
  MD5: 5bcb16eeb50d03f0f64dd32169d114e7
  SHA1: 728535ce1b9bc2f0a975c81096c8f849e7c84f75
  SHA256: 086be63f525269ef8e18f9dd8a232d495570065871a545bad5d514751c72dce1
  SHA512: ed046837097983656fc650f260f4c19a6d7d1b156d916628d1a500b7d49da96c87436d28e07b610ff849eda71251ad12dac20ba432dce73bfaee2009fdd93011
- memory/300-59-0x0000000000000000-mapping.dmp
- memory/300-65-0x0000000001B50000-0x0000000001BA8000-memory.dmp (Filesize: 352KB)
- memory/764-55-0x0000000000000000-mapping.dmp
- memory/764-56-0x00000000002A0000-0x00000000002D7000-memory.dmp (Filesize: 220KB)
- memory/764-58-0x0000000001B20000-0x0000000001B78000-memory.dmp (Filesize: 352KB)