Analysis
- max time kernel: 4294213s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 23-03-2022 19:08
Static task: static1
Behavioral task: behavioral1
  Sample: core.bat
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: core.bat
  Resource: win10v2004-en-20220113
Behavioral task: behavioral3
  Sample: health-x64.dll
  Resource: win7-20220311-en
Behavioral task: behavioral4
  Sample: health-x64.dll
  Resource: win10v2004-en-20220113
General
- Target: core.bat
- Size: 188B
- MD5: 1bc88881c82f35426e48f27de5c98003
- SHA1: 766fb820b706f21dd3d37efac8e937daf485d9f7
- SHA256: eec0e5a1a8a21e713fe480883a9869a894c80a409ea06929de805e05c1ee14d6
- SHA512: 5c1d72bf225d8d07141b52cfcf22f13f8e2d0c34b6ed22d0adc6e68b3cf767ff54415c7178a8f6db2e66e819f28285cf9d1680777285138f7f8b08a83d8fa009
Malware Config
Extracted
icedid
3036889562
stooryallice.com
yellowpyrrol.com
roomdetect.com
environmentbest.top
- auth_var: 3
- url_path: /news/
Signatures
- Blocklisted process makes network request (5 IoCs)
  Processes:
    flow  pid  process
    3     308  rundll32.exe
    5     308  rundll32.exe
    7     308  rundll32.exe
    9     308  rundll32.exe
    11    308  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid  process
    308  rundll32.exe (same entry repeated 64 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process  target process
    PID 1616 wrote to memory of 308    1616  cmd.exe  rundll32.exe
    PID 1616 wrote to memory of 308    1616  cmd.exe  rundll32.exe
    PID 1616 wrote to memory of 308    1616  cmd.exe  rundll32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"
  PID: 1616
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\health-x64.dat,DllMain /i="license.dat"
    PID: 308
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Roaming\license.dat
  MD5: e9ad8fae2dd8f9d12e709af20d9aefad
  SHA1: db7d1545c3c7e60235700af672c1d20175b380cd
  SHA256: 84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
  SHA512: 4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f
- memory/308-54-0x0000000000000000-mapping.dmp
- memory/308-55-0x0000000180000000-0x0000000180005000-memory.dmp
  Filesize: 20KB
- memory/308-60-0x00000000002E0000-0x000000000033A000-memory.dmp
  Filesize: 360KB