Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 21:42
Static task: static1
Behavioral task: behavioral1
  Sample: core/cmd.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: core/cmd.bat
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: core/lava_.dll
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: core/lava_.dll
  Resource: win10v2004-20241007-en
General
Target: core/cmd.bat
Size: 185B
MD5: bac18ce4d5c2794b21ba4edbeb29b133
SHA1: f783b8dcb137890099d2fae754aa0685c3df027d
SHA256: 251bc2dcfb073f229c16292b797dc08f89aa6aa91e32b44f5adb7466971e339a
SHA512: 9b26df943e2781ee520e0f173c5f6a3dcff5c9a06200965ed16a51c666f79330a1b30282f73ce81d9ee5cb95465f986ada272207aec3b88cb6dbb99ed27ae8b3
Malware Config
Extracted: icedid
  1525646893
  survoning.top
  engivesci.top
  kastfiron.top
  oscanonamik.buzz
  auth_var: 14
  url_path: /news/
Extracted: icedid
Signatures
- Icedid family
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2880  rundll32.exe   (the same entry is reported 64 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process   procid_target
  PID 1860 wrote to memory of 2880  1860  cmd.exe   29   (the same entry is reported 3 times)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\core\cmd.bat"
   PID: 1860
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\core\lava_.dat,update /i:"license.dat"
      PID: 2880
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 333KB
MD5: 3c6263a9c4117c78d26fc4380af014f2
SHA1: eca410dd57af16227220e08067c1895c258eb92b
SHA256: 29d2a8344bd725d7a8b43cc77a82b3db57a5226ce792ac4b37e7f73ec468510e
SHA512: 0969cde0d327b9f4b2be708437aea2a1d7a9ba9482125e143ce25c6a2f07e8ee1fa9b23e12f4e88157305f59209e2a8b3a2b2e7eb143b114e3f0c95ba57a2e1a