Analysis
-
max time kernel
418s -
max time network
1218s -
platform
windows7_x64 -
resource
win7-20220223-en -
submitted
28-02-2022 09:51
Static task
static1
Behavioral task
behavioral1
Sample
core.bat
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
core.bat
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
planet64.dll
Resource
win7-20220223-en
Behavioral task
behavioral4
Sample
planet64.dll
Resource
win10-20220223-en
General
-
Target
core.bat
-
Size
184B
-
MD5
4da584cc0a5ded0c902627093ab8721b
-
SHA1
a6bb30b50718813a72cbd58ba148bc3c9a17c3f0
-
SHA256
bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c
-
SHA512
d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804
Malware Config
Extracted
icedid
Extracted
icedid
3415411565
antnosience.com
seaskysafe.com
-
auth_var
1
-
url_path
/news/
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
rundll32.exeflow pid process 3 1880 rundll32.exe 5 1880 rundll32.exe 6 1880 rundll32.exe 7 1880 rundll32.exe 8 1880 rundll32.exe 9 1880 rundll32.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exepid process 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe 840 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exepid process 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe 1880 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exetaskeng.exedescription pid process target process PID 1788 wrote to memory of 1880 1788 cmd.exe rundll32.exe PID 1788 wrote to memory of 1880 1788 cmd.exe rundll32.exe PID 1788 wrote to memory of 1880 1788 cmd.exe rundll32.exe PID 592 wrote to memory of 840 592 taskeng.exe rundll32.exe PID 592 wrote to memory of 840 592 taskeng.exe rundll32.exe PID 592 wrote to memory of 840 592 taskeng.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exetaskeng.exe {C1E26A68-54FC-4EAF-81BF-E0E00225F0CE} S-1-5-21-1405931862-909307831-4085185274-1000:GZAATBZA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Roaming\Admin\Okyomw.dll",DllMain --kaifye="license.dat"2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Admin\Okyomw.dllMD5
a05501e3d5eb1263e66c6ba5f17ab2be
SHA1926886373b505b35536f8fa05f59428d4470f68b
SHA25632169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c
SHA512c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb
-
C:\Users\Admin\AppData\Roaming\license.datMD5
7eb64145636d2e8343d9077f15c11022
SHA1c0b221ca05431092bc1c789a33d199124c8fec1c
SHA25696e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a
SHA51253171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6
-
\Users\Admin\AppData\Roaming\Admin\Okyomw.dllMD5
a05501e3d5eb1263e66c6ba5f17ab2be
SHA1926886373b505b35536f8fa05f59428d4470f68b
SHA25632169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c
SHA512c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb
-
\Users\Admin\AppData\Roaming\Admin\Okyomw.dllMD5
a05501e3d5eb1263e66c6ba5f17ab2be
SHA1926886373b505b35536f8fa05f59428d4470f68b
SHA25632169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c
SHA512c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb
-
\Users\Admin\AppData\Roaming\Admin\Okyomw.dllMD5
a05501e3d5eb1263e66c6ba5f17ab2be
SHA1926886373b505b35536f8fa05f59428d4470f68b
SHA25632169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c
SHA512c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb
-
\Users\Admin\AppData\Roaming\Admin\Okyomw.dllMD5
a05501e3d5eb1263e66c6ba5f17ab2be
SHA1926886373b505b35536f8fa05f59428d4470f68b
SHA25632169f3fb98fc99785e4a1c1545a8fc969cefc6b005eda5845df73052f16cb0c
SHA512c45cb1651efbbb0bd939132424bdc9a1f9156fe8b9a37e212498b221924bffa925d769cd995e062c47371ed31952697929699f4e89d2b326dbb08dec54fb9aeb
-
memory/840-62-0x0000000001B20000-0x0000000001B79000-memory.dmpFilesize
356KB
-
memory/840-63-0x0000000000290000-0x0000000000295000-memory.dmpFilesize
20KB
-
memory/1880-55-0x0000000000150000-0x00000000001A9000-memory.dmpFilesize
356KB
-
memory/1880-56-0x0000000000110000-0x0000000000115000-memory.dmpFilesize
20KB