Overview

overview

10

Static

static

core.bat

windows7_x64

10

core.bat

windows10-2004_x64

10

Resubmissions

22-02-2022 16:10

220222-tmhlzabher 10

22-02-2022 15:50

220222-s98w1abgbn 10

18-02-2022 16:30

220218-tz5bhacfh4 10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    18-02-2022 16:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    core.bat

  • Size

    184B

  • MD5

    03c55a40355cc8cb2c4af585e4a11973

  • SHA1

    207f004ca7a37ef43dded36dfd4cfa7e301f16f1

  • SHA256

    e59c7732e2cbb40e8bc74f3fd5a59a578d56322410f42234189939ff33b4f015

  • SHA512

    a842f632ef1aa91dafa75634a692f55e74097378fd48b7265c39366de656f45441d54822eddd0c66523f3e78c13840adfbc500b9622d7bc74415fac6b1181aa3

Score
10/10
icedidbankercollectionspywarestealertrojan

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs
    collection
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\pudding-.dat,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Accesses Microsoft Outlook profiles
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3112
      • C:\Windows\system32\cmd.exe
        cmd.exe /c chcp >&2
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\system32\chcp.com
          chcp
          4⤵
            PID:544
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3388
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          3⤵
          • Gathers network information
          PID:1328
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          3⤵
          • Gathers system information
          PID:3932
        • C:\Windows\system32\net.exe
          net config workstation
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 config workstation
            4⤵
              PID:1184
          • C:\Windows\system32\nltest.exe
            nltest /domain_trusts
            3⤵
              PID:3040
            • C:\Windows\system32\nltest.exe
              nltest /domain_trusts /all_trusts
              3⤵
                PID:2352
              • C:\Windows\system32\net.exe
                net view /all /domain
                3⤵
                • Discovers systems in the same network
                PID:3260
              • C:\Windows\system32\net.exe
                net view /all
                3⤵
                • Discovers systems in the same network
                PID:620
              • C:\Windows\system32\net.exe
                net group "Domain Admins" /domain
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3176
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 group "Domain Admins" /domain
                  4⤵
                    PID:2292
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
              1⤵
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:1820
            • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
              C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
              1⤵
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:3420

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\sqlite64.dll
              MD5

              26d773a69f6fad3200d49a7aaa77752b

              SHA1

              3970ffe8aefe0c30daaec65b85fb103c0fc0f2a7

              SHA256

              fca6b7fe66ad9973f18f407e83b56dacd04197cbd35efc498a342d73d6a113e5

              SHA512

              0041b52514460dda19dd065fc46393f6fbe248a4c62fce28e0819abd952756996b34fdea286eb7814a7c868a12656a065278932760e61e53f7102b0dba324e4f

              Download Submit

            • C:\Users\Admin\AppData\Roaming\license.dat
              MD5

              7eb64145636d2e8343d9077f15c11022

              SHA1

              c0b221ca05431092bc1c789a33d199124c8fec1c

              SHA256

              96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a

              SHA512

              53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

              Download Submit

            • memory/1820-133-0x000001A84F320000-0x000001A84F330000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1820-134-0x000001A84F540000-0x000001A84F550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1820-135-0x000001A851A60000-0x000001A851A64000-memory.dmp

              Filesize

              16KB

              Download

            • memory/3112-137-0x000002209F5B0000-0x000002209F609000-memory.dmp

              Filesize

              356KB

              Download

            • memory/3112-138-0x000002209F590000-0x000002209F595000-memory.dmp

              Filesize

              20KB

              Download