Resubmissions
07-03-2022 21:46  220307-1my3aagbh2  10
28-02-2022 09:51  220228-lvldtsdhg4  10
24-02-2022 19:51  220224-yk4hwaehap  1

Analysis
max time kernel: 1199s
max time network: 1083s
platform: windows10_x64
resource: win10-20220223-en
submitted: 28-02-2022 09:51
Static task: static1
Behavioral task behavioral1: sample core.bat, resource win7-en-20211208
Behavioral task behavioral2: sample core.bat, resource win10-20220223-en
Behavioral task behavioral3: sample strike64.dll, resource win7-en-20211208
Behavioral task behavioral4: sample strike64.dll, resource win10-20220223-en
General
Target: core.bat
Malware Config
Extracted: icedid
  3560182600
  coolbearblunts.com
  cooldogblunts.com
  auth_var: 2
  url_path: /news/
Signatures
Blocklisted process makes network request (6 IoCs)
  Processes: rundll32.exe (PID 4060), network flows 11, 13, 14, 15, 16, 17
Loads dropped DLL (1 IoC)
  Processes: rundll32.exe (PID 3292)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe (PID 4060), 64 occurrences
Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe (PID 3948) wrote to memory of rundll32.exe (PID 4060), 2 occurrences
Processes
1. C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
1. C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Local\{F046E788-CEBD-C891-47E6-95AD8954F6D9}\najeiw\Liehfads.dll",DllMain --somota="license.dat"
   - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\{F046E788-CEBD-C891-47E6-95AD8954F6D9}\najeiw\Liehfads.dll
- C:\Users\Admin\AppData\Roaming\license.dat
- \??\PIPE\wkssvc
Memory dumps:
- memory/3292-119-0x00000171973A0000-0x00000171973F9000-memory.dmp (356KB)
- memory/3292-121-0x0000017197000000-0x0000017197005000-memory.dmp (20KB)
- memory/4060-115-0x000001521C480000-0x000001521C4D9000-memory.dmp (356KB)
- memory/4060-116-0x000001521C210000-0x000001521C215000-memory.dmp (20KB)