Analysis
max time kernel: 4294211s
max time network: 146s
platform: windows7_x64
resource: win7-20220311-en
submitted: 25-03-2022 15:51
Static task: static1
Behavioral task: behavioral1
  Sample: core/cmd.bat
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: core/cmd.bat
  Resource: win10v2004-en-20220113
Behavioral task: behavioral3
  Sample: core/paper_x32.dll
  Resource: win7-20220311-en
Behavioral task: behavioral4
  Sample: core/paper_x32.dll
  Resource: win10v2004-en-20220113
General
Target: core/cmd.bat
Size: 191B
MD5: 3cec7da4286fb8df01a057c04cc16b34
SHA1: be35d3e4fd882a807495f1dec189d09324b79612
SHA256: 9eab93f08e471564ec1512005abb8e055119eefa66d12296487351e546aeb56c
SHA512: 4d026d0dddf21aa105c9c0b45f791c5651c7dffb89701bf52fb71c7954648687f1be996d30c48ebe923794aeec31730f3dedb4df2e69b70c72f8dce0ed4d8d00
Malware Config
Extracted
Family: icedid
Campaign: 3415411565
C2:
  antnosience.com
  seaskysafe.com
  otectagain.top
  dilimoretast.com
auth_var: 18
url_path: /news/
Signatures

Blocklisted process makes network request (5 IoCs)
Processes:
  flow  pid   process
  3     1644  rundll32.exe
  5     1644  rundll32.exe
  7     1644  rundll32.exe
  9     1644  rundll32.exe
  11    1644  rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  1644  rundll32.exe  (the same entry is listed 64 times, once per IoC)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process  target process
  PID 1532 wrote to memory of 1644   1532  cmd.exe  rundll32.exe
  PID 1532 wrote to memory of 1644   1532  cmd.exe  rundll32.exe
  PID 1532 wrote to memory of 1644   1532  cmd.exe  rundll32.exe
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\paper_x32.dat,DllMain --ma="license.dat"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Roaming\license.dat
  MD5: e9ad8fae2dd8f9d12e709af20d9aefad
  SHA1: db7d1545c3c7e60235700af672c1d20175b380cd
  SHA256: 84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
  SHA512: 4f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f
memory/1644-54-0x0000000000000000-mapping.dmp
memory/1644-55-0x0000000180000000-0x0000000180005000-memory.dmp
  Filesize: 20KB
memory/1644-60-0x0000000000350000-0x00000000003AA000-memory.dmp
  Filesize: 360KB