69c4f3bc5529244ac3b9af91a98e0f15f859c61e53162aa3c7341d5973e894a6 | Triage

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-09-2022 15:13

Sharing

Report Analysis Logs

General

Target

icedID-06.09.2020/rap/enquire.bat
Size

1KB
MD5

6a169bbf9da5a30adbdaa7d57f74644a
SHA1

4a9f3d17e4db056004dcf6b25a543aa3fc8e10be
SHA256

1a762b504316a625d6cf618804d7f2adae1278c91f4100e67294ef4d9ea81fd7
SHA512

5592ceab605cb5ab39f5f1a610eca533fead47827c7403349486dd8876c9715f83e2f4e3e3151a73749f7da60e604f22119719235081b0806e6eff6d6b5009af

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1788 wrote to memory of 1600	1788	cmd.exe	rundll32.exe
PID 1788 wrote to memory of 1600	1788	cmd.exe	rundll32.exe
PID 1788 wrote to memory of 1600	1788	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\icedID-06.09.2020\rap\enquire.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\rundll32.exe
rundll32 rap\reconsolidating.dll,#1
2⤵
PID:1600

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-54-0x0000000000000000-mapping.dmp

Download