Resubmissions

07-03-2022 21:46

220307-1my3aagbh2 10

28-02-2022 09:51

220228-lvldtsdhg4 10

24-02-2022 19:51

220224-yk4hwaehap 1

Analysis

  • max time kernel
    1199s
  • max time network
    1083s
  • platform
    windows10_x64
  • resource
    win10-20220223-en
  • submitted
    28-02-2022 09:51

General

  • Target

    core.bat

Malware Config

Extracted

Family

icedid

rsa_pubkey.plain

Extracted

Family

icedid

Botnet

3560182600

C2

coolbearblunts.com

cooldogblunts.com

Attributes
  • auth_var: 2
  • url_path: /news/

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:4060
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\{F046E788-CEBD-C891-47E6-95AD8954F6D9}\najeiw\Liehfads.dll",DllMain --somota="license.dat"
    1⤵
    • Loads dropped DLL
    PID:3292

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\{F046E788-CEBD-C891-47E6-95AD8954F6D9}\najeiw\Liehfads.dll
    MD5: f7f2caca6d312146d4b3b76a281b502f
    SHA1: 465004ef0504190e2031bd50361a437a2c50f7ff
    SHA256: b80b8d8da191b0a575dbfd472945543a929d66990f321046fe6e003f2c45a578
    SHA512: dad21a15ee64f8a9aff0167e6ed9926b5c1addf7a648ef14d1f7bb148da1e57b5451510c37576eb856a4d9c2fd29724b261e5278597c51d4acebcf4500ea4688

  • C:\Users\Admin\AppData\Roaming\license.dat
    MD5: 7eb64145636d2e8343d9077f15c11022
    SHA1: c0b221ca05431092bc1c789a33d199124c8fec1c
    SHA256: 96e657e1face63798a43e6210dba8d8c2f618d0be1230b95ab59d8bd23fc165a
    SHA512: 53171e09d3d146fe02e481944e1c5481f1bb48eaf66259d1b8bbbbf7a83efc4a73fc28089c7e1eacf221620cdff6ea7f1049c17720181fde88b4bdc27c1ea9b6

  • \??\PIPE\wkssvc (hashes of zero-byte content)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\{F046E788-CEBD-C891-47E6-95AD8954F6D9}\najeiw\Liehfads.dll
    MD5: f7f2caca6d312146d4b3b76a281b502f
    SHA1: 465004ef0504190e2031bd50361a437a2c50f7ff
    SHA256: b80b8d8da191b0a575dbfd472945543a929d66990f321046fe6e003f2c45a578
    SHA512: dad21a15ee64f8a9aff0167e6ed9926b5c1addf7a648ef14d1f7bb148da1e57b5451510c37576eb856a4d9c2fd29724b261e5278597c51d4acebcf4500ea4688

  • memory/3292-119-0x00000171973A0000-0x00000171973F9000-memory.dmp
    Filesize: 356KB

  • memory/3292-121-0x0000017197000000-0x0000017197005000-memory.dmp
    Filesize: 20KB

  • memory/4060-115-0x000001521C480000-0x000001521C4D9000-memory.dmp
    Filesize: 356KB

  • memory/4060-116-0x000001521C210000-0x000001521C215000-memory.dmp
    Filesize: 20KB