Resubmissions

07-03-2022 21:46  220307-1my3aagbh2  10
28-02-2022 09:51  220228-lvldtsdhg4  10
24-02-2022 19:51  220224-yk4hwaehap  1

Analysis

- max time kernel: 1200s
- max time network: 1077s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 28-02-2022 09:51
Static task: static1

Behavioral task: behavioral1
- Sample: core.bat
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: core.bat
- Resource: win10-20220223-en

Behavioral task: behavioral3
- Sample: strike64.dll
- Resource: win7-en-20211208

Behavioral task: behavioral4
- Sample: strike64.dll
- Resource: win10-20220223-en
General

- Target: core.bat

Malware Config

Extracted: icedid
- 3560182600
- coolbearblunts.com
- cooldogblunts.com
- auth_var: 2
- url_path: /news/
Signatures

- Blocklisted process makes network request (9 IoCs)
  Processes: rundll32.exe
  flow  pid  process
  3     944  rundll32.exe
  5     944  rundll32.exe
  7     944  rundll32.exe
  8     944  rundll32.exe
  10    944  rundll32.exe
  11    944  rundll32.exe
  12    944  rundll32.exe
  13    944  rundll32.exe
  15    944  rundll32.exe

- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe
  pid  process
  736  rundll32.exe (4 entries)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe
  pid  process
  944  rundll32.exe (64 entries)

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, taskeng.exe
  description                   pid   process      target process
  PID 1752 wrote to memory of 944   1752  cmd.exe      rundll32.exe (3 entries)
  PID 1680 wrote to memory of 736   1680  taskeng.exe  rundll32.exe (3 entries)
Processes

- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskeng.exe
  taskeng.exe {101F68E3-238C-4B35-A158-78175ACB2616} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Juinatct.dll",DllMain --er="license.dat"
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Admin\Juinatct.dll
  MD5: 6b8b858fd157b938f44f7b969661abb6
  SHA1: 62755899e9b53417346d5dc15aa983a5707e987e
  SHA256: e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b
  SHA512: a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e

- C:\Users\Admin\AppData\Roaming\license.dat
  MD5: 7eb64145636d2e8343d9077f15c11022
  SHA1: c0b221ca05431092bc1c789a33d199124c8fec1c
  SHA256: 96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a
  SHA512: 53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

- \Users\Admin\AppData\Local\Admin\Juinatct.dll
  MD5: 6b8b858fd157b938f44f7b969661abb6
  SHA1: 62755899e9b53417346d5dc15aa983a5707e987e
  SHA256: e4a27938424a84cbdddb42af1d777c054f64c38c8c98179b804e408342d4ae9b
  SHA512: a36bade31fea29affcebc23845d0e704f31fbaef11a481a2c0f1920a0a2eb38719e573cd1b14fcb102e8103dc99cc2a3536d74db5f8224cc4ff239f74317200e
- memory/736-62-0x0000000001CC0000-0x0000000001D19000-memory.dmp
  Filesize: 356KB

- memory/736-63-0x00000000000A0000-0x00000000000A5000-memory.dmp
  Filesize: 20KB

- memory/944-55-0x0000000001BE0000-0x0000000001C39000-memory.dmp
  Filesize: 356KB

- memory/944-56-0x0000000000290000-0x0000000000295000-memory.dmp
  Filesize: 20KB