Resubmissions
07-03-2022 21:46  220307-1my3aagbh2  10
28-02-2022 09:51  220228-lvldtsdhg4  10
24-02-2022 19:51  220224-yk4hwaehap  1
Analysis
max time kernel: 1800s
max time network: 1635s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 07-03-2022 21:46
Static task: static1
Behavioral task: behavioral1, sample core.bat, resource win7-20220223-en
Behavioral task: behavioral2, sample core.bat, resource win10v2004-en-20220113
Behavioral task: behavioral3, sample strike64.dll, resource win7-20220223-en
Behavioral task: behavioral4, sample strike64.dll, resource win10v2004-en-20220112
General
Target: core.bat
Size: 184B
MD5: 59aa96fcaa1a3b7331758f7a7ae1f343
SHA1: 198ffe332e90207fdb7b97da04770b001c0c5cbf
SHA256: 5be1931accf2a90e273312b779a873e847ad965e6e11c04e9b83603d4e6e7491
SHA512: c67253d6d602e150e85e121b2d8d9dedfa72c3ea1950d6a50a8e52a201f06ff9e701acee04b49e682158fb9860c77fd7ad117e20d9c4c8b03938e53e7d6e99c7
Malware Config
Extracted
Family: icedid
Campaign: 3560182600
C2: coolbearblunts.com
C2: cooldogblunts.com
auth_var: 2
url_path: /news/
Signatures
Blocklisted process makes network request (10 IoCs)
flow  pid   Process
32    2296  rundll32.exe
34    2296  rundll32.exe
35    2296  rundll32.exe
36    2296  rundll32.exe
37    2296  rundll32.exe
38    2296  rundll32.exe
40    2296  rundll32.exe
42    2296  rundll32.exe
44    2296  rundll32.exe
45    2296  rundll32.exe
Loads dropped DLL (1 IoC)
pid  Process
528  rundll32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2296  rundll32.exe  (64 identical entries)
Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process  procid_target
PID 3348 wrote to memory of 2296   3348  cmd.exe  81
PID 3348 wrote to memory of 2296   3348  cmd.exe  81
Processes
C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
  PID: 3348
  signatures: Suspicious use of WriteProcessMemory
  child: C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"
    PID: 2296
    signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Roaming\Bago1\Xucobu3\Acimuyfk64.dll",DllMain --eq="license.dat"
  PID: 528
  signatures: Loads dropped DLL
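The reusable parts of this report are the two rundll32 command lines (a DllMain export called on a module staged under Temp or Roaming, with a license.dat argument), the cmd.exe parent running a batch file from Temp, and the two extracted C2 domains. The Python below turns those observations into a small process-creation detector and a C2 hostname check. It is an added example written for this page, not sandbox output and not code from the sample; the process events it scans are constructed to mirror the report's tree (pids and command lines taken from the page) plus two benign rundll32 invocations for contrast, and the regexes, field names and reason strings are assumptions of the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators copied from the report above.
C2_DOMAINS = {"coolbearblunts.com", "cooldogblunts.com"}

# rundll32 calling a module's DllMain export, the shape of both observed command lines.
RUNDLL32_DLLMAIN_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",\s]+)"?\s*,\s*DllMain\b(?P<args>.*)',
    re.IGNORECASE,
)
# The loader argument seen in both invocations: /i="license.dat" and --eq="license.dat".
LICENSE_ARG_RE = re.compile(r'(?:/i|--eq)="?license\.dat"?', re.IGNORECASE)
# Module staged in a user-writable location (Temp for strike64.tmp, Roaming for the dropped DLL).
USER_WRITABLE_RE = re.compile(r'\\AppData\\(?:Local\\Temp|Roaming)\\', re.IGNORECASE)
# Parent cmd.exe whose command line ends in a batch file, as with core.bat.
BATCH_PARENT_RE = re.compile(r'\.bat"?\s*$', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def classify(ev: ProcEvent) -> list[str]:
    """Reasons a single process-creation event matches the loader pattern (empty = not flagged)."""
    reasons: list[str] = []
    m = RUNDLL32_DLLMAIN_RE.search(ev.cmdline)
    if not m:
        return reasons
    module, args = m.group("module"), m.group("args")
    if LICENSE_ARG_RE.search(args):
        reasons.append("DllMain invoked with a license.dat argument")
    if USER_WRITABLE_RE.search(module):
        reasons.append("module loaded from a user-writable path")
    if module.lower().endswith(".tmp"):
        reasons.append("module has a .tmp extension rather than .dll")
    return reasons


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Scan a batch of events; flagged children also get parent context (cmd.exe running a .bat)."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, list[str]] = {}
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        parent = by_pid.get(ev.ppid)
        if parent and parent.image.lower().endswith("cmd.exe") and BATCH_PARENT_RE.search(parent.cmdline):
            reasons.append(f"spawned by cmd.exe (pid {parent.pid}) running a batch file")
        hits[ev.pid] = reasons
    return hits


def is_c2_host(host: str) -> bool:
    """True for an extracted C2 domain or any subdomain of one (exact label match, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Constructed sample events: the report's tree (pids 3348, 2296, 528; ppid 1200 is an assumed
# explorer-style parent) plus two benign rundll32 uses that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(3348, 1200, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"'),
    ProcEvent(2296, 3348, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\strike64.tmp,DllMain /i="license.dat"'),
    ProcEvent(528, 1200, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Roaming\Bago1\Xucobu3\Acimuyfk64.dll",DllMain --eq="license.dat"'),
    ProcEvent(900, 1200, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ProcEvent(901, 1200, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /?"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
    for h in ("coolbearblunts.com", "static.cooldogblunts.com", "example.com"):
        print(h, is_c2_host(h))
```

The DllMain-plus-license.dat argument is the tightest signal: the module path and extension vary between the first stage (strike64.tmp in Temp) and the dropped copy (Acimuyfk64.dll in Roaming), so the detector scores each independently and reports every reason rather than a single boolean. Feed it Sysmon event 1 or EDR process-start records mapped onto ProcEvent; the parent check only fires when the parent is in the same batch, as it is for pid 2296 but not for pid 528 in the sample.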