Analysis
-
max time kernel
1328s -
max time network
1230s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-02-2022 09:51
Static task
static1
Behavioral task
behavioral1
Sample
core.bat
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
core.bat
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
planet64.dll
Resource
win7-20220223-en
Behavioral task
behavioral4
Sample
planet64.dll
Resource
win10-20220223-en
General
-
Target
core.bat
-
Size
184B
-
MD5
4da584cc0a5ded0c902627093ab8721b
-
SHA1
a6bb30b50718813a72cbd58ba148bc3c9a17c3f0
-
SHA256
bcc176e2ec1bddb1518bcacb07fef99fe1812e204e990424549f11862aaa757c
-
SHA512
d611696d95dd76f1c3f7ab90c370ccb734f1912ff340d28c5a050d0fb072c7914c3bd15ea30f8f2873fdb17f0b93da92eaa7eecc3b245e23c972c700777be804
Malware Config
Extracted
icedid
Extracted
icedid
3415411565
antnosience.com
seaskysafe.com
-
auth_var
1
-
url_path
/news/
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
rundll32.exeflow pid process 18 2068 rundll32.exe 20 2068 rundll32.exe 23 2068 rundll32.exe 24 2068 rundll32.exe 28 2068 rundll32.exe 30 2068 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exepid process 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe 2068 rundll32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 1772 wrote to memory of 2068 1772 cmd.exe rundll32.exe PID 1772 wrote to memory of 2068 1772 cmd.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\planet64.tmp,DllMain /i="license.dat"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\license.datMD5
7eb64145636d2e8343d9077f15c11022
SHA1c0b221ca05431092bc1c789a33d199124c8fec1c
SHA25696e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a
SHA51253171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6
-
memory/2068-116-0x000001EA142E0000-0x000001EA14339000-memory.dmpFilesize
356KB
-
memory/2068-117-0x000001EA129E0000-0x000001EA129E5000-memory.dmpFilesize
20KB