Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 22-03-2022 16:29
Static task: static1
Behavioral task behavioral1: sample certain_x32.dll, resource win7-20220310-en
Behavioral task behavioral2: sample certain_x32.dll, resource win10v2004-en-20220113
Behavioral task behavioral3: sample core.bat, resource win7-20220311-en
Behavioral task behavioral4: sample core.bat, resource win10v2004-20220310-en
General
Target: core.bat
Size: 190B
MD5: ffe13b16e8fc49b7114b5fbe78b9bf2f
SHA1: 5119fefee31998163c3b8210c2d0f4a942ffc6ef
SHA256: 7955fc62725dc72af34d1f61f85d15a87a1ad425456cf6b624963163cbf44dac
SHA512: 5487f6a9c7aaf2ea8e18412a916d0e6e442bf1a301d485a174035e5f704fe1dab6040e5df65fa5f9c9506567b6895a3f6861853cc1a337e5ce2710e6577c5fa0
Malware Config
Extracted: icedid
3415411565
antnosience.com
seaskysafe.com
otectagain.top
dilimoretast.com
auth_var: 17
url_path: /news/
Signatures
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
flow 64, pid 3416, process rundll32.exe
flow 66, pid 3416, process rundll32.exe
flow 68, pid 3416, process rundll32.exe
flow 70, pid 3416, process rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: rundll32.exe
pid 3416, process rundll32.exe (64 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: cmd.exe
PID 2824 wrote to memory of 3416: pid 2824, process cmd.exe, target process rundll32.exe
PID 2824 wrote to memory of 3416: pid 2824, process cmd.exe, target process rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\certain_x32.dat,DllMain /i="license.dat"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Roaming\license.dat
MD5: e9ad8fae2dd8f9d12e709af20d9aefad
SHA1: db7d1545c3c7e60235700af672c1d20175b380cd
SHA256: 84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
SHA512: 4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f

memory/3416-134-0x0000000180000000-0x0000000180005000-memory.dmp
Filesize: 20KB

memory/3416-139-0x000001EE69970000-0x000001EE699CA000-memory.dmp
Filesize: 360KB