Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 24-11-2021 17:04
Static task: static1
Behavioral task behavioral1
- Sample: core.bat
- Resource: win7-en-20211104
Behavioral task behavioral2
- Sample: core.bat
- Resource: win10-en-20211014
Behavioral task behavioral3
- Sample: group_32.tmp.dll
- Resource: win7-en-20211104
Behavioral task behavioral4
- Sample: group_32.tmp.dll
- Resource: win10-en-20211014
General
- Target: core.bat
- Size: 184B
- MD5: 7ad0df2088d6f4b4f1ab680985460161
- SHA1: 2611de6578b61c2f806ddd5d2bdab3c284936167
- SHA256: 550b39c60eca29760f353e42deffac5f8c7dcfd5b9f44132ba2ed29f6d0293f8
- SHA512: 82571323d4beffae2417e2e4231faba8609fc0b7fd178d942ed5ad3113b44d4ecb2d150bcb963c0c42ce9a4847d0e8535312675f6b7837e4b6c316ecec004261
Malware Config
Extracted: icedid
- 2237127122
- lokidasterreno.site
- burgomustopr.rest
- lopityr4.pw
- rocesdilin.top
- auth_var: 6
- url_path: /posts/
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  25   | 3696 | rundll32.exe
  26   | 3696 | rundll32.exe
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe
  description      | ioc                                                                                                          | process
  Key created      | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{5DF9B473-799E-2B3A-B1AA-5F5F7BEF56E5}   | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{5DF9B473-799E-2B3A-B1AA-5F5F7BEF56E5}\ = (value omitted) | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid  | process
  3696 | rundll32.exe (64 occurrences)
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
  description                       | pid  | process | target process
  PID 2432 wrote to memory of 3696  | 2432 | cmd.exe | rundll32.exe
  PID 2432 wrote to memory of 3696  | 2432 | cmd.exe | rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\group_32.tmp,DllMain /i="license.dat"
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\license.dat
  - MD5: c7c45636ca690acdab7fba1e9d126f8b
  - SHA1: 61376304cd90786813a80680a92cef03fedb6484
  - SHA256: cfc202b44509f2f607d365858a8218dfdc6b26f8087efcc5e46f4fef9ab53705
  - SHA512: 9e6c7df9f70017b9eeb5868a358bc9eaf50de65dad04640220f380ff72e80bc303f034cb62929abb0c35d951b751732a131ae828c4c01cd1826610423f784db8
- memory/3696-115-0x0000000000000000-mapping.dmp
- memory/3696-117-0x0000021BA41A0000-0x0000021BA41F9000-memory.dmp
  - Filesize: 356KB
- memory/3696-118-0x0000021BA2790000-0x0000021BA27C7000-memory.dmp
  - Filesize: 220KB