Analysis
-
max time kernel
149s -
max time network
89s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 04:52
Static task
static1
Behavioral task
behavioral1
Sample
core.bat
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
core.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
rely_x32.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
rely_x32.dll
Resource
win10v2004-20241007-en
General
-
Target
core.bat
-
Size
184B
-
MD5
d89cd3f80a0c0c1d6ef962509e593e88
-
SHA1
cd9835745e5c2170255c6e28f80b27482d37155b
-
SHA256
6799f0bb30fec071f472a8c71d85ac59c39e3f6d9e9901628fef5b8698f49fe1
-
SHA512
0dba4611d2750ceed996555cec347098853d51154335a45d3a828ff5ba50e34698fdfc2f8f48c22a8da4cd7077ae0a97b6b88ebbe55e4a814cfd036519cd9eaf
Malware Config
Extracted
icedid
3415411565
antnosience.com
seaskysafe.com
otectagain.top
dilimoretast.com
-
auth_var
17
-
url_path
/news/
Signatures
-
Icedid family
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe 2276 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2276 2172 cmd.exe 30 PID 2172 wrote to memory of 2276 2172 cmd.exe 30 PID 2172 wrote to memory of 2276 2172 cmd.exe 30 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\core.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\rely_x32.dat,DllMain /i="license.dat"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2276
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
336KB
MD5e9ad8fae2dd8f9d12e709af20d9aefad
SHA1db7d1545c3c7e60235700af672c1d20175b380cd
SHA25684f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
SHA5124f652b4d2db81bd91e8a9cd8ca330748f7c98b21150ca2b640da2aad357adadeac80070177f9f253c595d683264d23e1f04701c2975c0e03caffd367d424d17f