Analysis

  • max time kernel
    68s
  • max time network
    75s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    15-07-2020 08:20

General

  • Target

    2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll

  • Size

    159KB

  • MD5

    df13fa6863bf439d737c01966b487e69

  • SHA1

    c2b99b05a4dd23c3cf96f9e23a5f8c88ab89763f

  • SHA256

    a421e1ac6cd39b7709d8929329b2135cb0f1eaea48edc296d03f0b3f41058282

  • SHA512

    0e583fa19b144df61a7c72793a06773226b36eddbf2587ab5c6c7c68210754c19c8765bd8e14d458e3d7464d8eb030b46ca5b7a3eede96ab844b44b9efec23c7

Score
8/10

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 7 IoCs
  • Blacklisted process makes network request 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll,#1
      2⤵
      • Blacklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Modifies system certificate store
      PID:1260

Network

  • flag-unknown
    DNS
    support.apple.com
    Remote address:
    8.8.8.8:53
    Request
    support.apple.com
    IN A
    Response
    support.apple.com
    IN CNAME
    prod-support.apple-support.akadns.net
    prod-support.apple-support.akadns.net
    IN CNAME
    support-china.apple-support.akadns.net
    support-china.apple-support.akadns.net
    IN CNAME
    support.apple.com.edgekey.net
    support.apple.com.edgekey.net
    IN CNAME
    e2063.e9.akamaiedge.net
    e2063.e9.akamaiedge.net
    IN A
    95.100.136.17
  • flag-unknown
    GET
    https://support.apple.com/
    rundll32.exe
    Remote address:
    95.100.136.17:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Host: support.apple.com
  • flag-unknown
    DNS
    www.download.windowsupdate.com
    Remote address:
    8.8.8.8:53
    Request
    www.download.windowsupdate.com
    IN A
    Response
    www.download.windowsupdate.com
    IN CNAME
    wu-fg-shim.trafficmanager.net
    wu-fg-shim.trafficmanager.net
    IN CNAME
    2-01-3cf7-0009.cdx.cedexis.net
    2-01-3cf7-0009.cdx.cedexis.net
    IN CNAME
    wu.azureedge.net
    wu.azureedge.net
    IN CNAME
    wu.ec.azureedge.net
    wu.ec.azureedge.net
    IN CNAME
    wu.wpc.apr-52dd2.edgecastdns.net
    wu.wpc.apr-52dd2.edgecastdns.net
    IN CNAME
    hlb.apr-52dd2-0.edgecastdns.net
    hlb.apr-52dd2-0.edgecastdns.net
    IN CNAME
    cs11.wpc.v0cdn.net
    cs11.wpc.v0cdn.net
    IN A
    72.21.81.240
  • flag-unknown
    GET
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    rundll32.exe
    Remote address:
    72.21.81.240:80
    Request
    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    Cache-Control: max-age = 3600
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Mon, 18 May 2020 02:32:26 GMT
    If-None-Match: "0597791bc2cd61:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.download.windowsupdate.com
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Age: 1620
    Cache-Control: public,max-age=3600
    Content-Type: application/vnd.ms-cab-compressed
    Date: Wed, 15 Jul 2020 08:21:06 GMT
    Etag: "06e9cb2c441d61:0"
    Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
    Server: ECAcc (bsa/EAFA)
    X-Cache: HIT
    X-CCC: US
    X-CID: 11
    X-Powered-By: ASP.NET
    Content-Length: 58367
  • flag-unknown
    GET
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    rundll32.exe
    Remote address:
    72.21.81.240:80
    Request
    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    Cache-Control: max-age = 3600
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sat, 13 Jun 2020 20:53:32 GMT
    If-None-Match: "06e9cb2c441d61:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.download.windowsupdate.com
    Response
    HTTP/1.1 304 Not Modified
    Accept-Ranges: bytes
    Age: 1620
    Cache-Control: public,max-age=3600
    Date: Wed, 15 Jul 2020 08:21:06 GMT
    Etag: "06e9cb2c441d61:0"
    Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
    Server: ECAcc (bsa/EAAA)
    X-Cache: HIT
    X-CCC: US
    X-CID: 11
    X-Powered-By: ASP.NET
  • flag-unknown
    GET
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    rundll32.exe
    Remote address:
    72.21.81.240:80
    Request
    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    Cache-Control: max-age = 3600
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sat, 13 Jun 2020 20:53:32 GMT
    If-None-Match: "06e9cb2c441d61:0"
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.download.windowsupdate.com
    Response
    HTTP/1.1 304 Not Modified
    Accept-Ranges: bytes
    Age: 1631
    Cache-Control: public,max-age=3600
    Date: Wed, 15 Jul 2020 08:21:17 GMT
    Etag: "06e9cb2c441d61:0"
    Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
    Server: ECAcc (bsa/EB75)
    X-Cache: HIT
    X-CCC: US
    X-CID: 11
    X-Powered-By: ASP.NET
  • flag-unknown
    DNS
    support.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    support.microsoft.com
    IN A
    Response
    support.microsoft.com
    IN CNAME
    ev.support.microsoft.com.edgekey.net
    ev.support.microsoft.com.edgekey.net
    IN CNAME
    e3843.g.akamaiedge.net
    e3843.g.akamaiedge.net
    IN A
    104.81.140.150
  • flag-unknown
    GET
    https://support.microsoft.com/
    rundll32.exe
    Remote address:
    104.81.140.150:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Host: support.microsoft.com
  • flag-unknown
    DNS
    ldrglobal.casa
    Remote address:
    8.8.8.8:53
    Request
    ldrglobal.casa
    IN A
    Response
    ldrglobal.casa
    IN A
    104.248.62.43
  • flag-unknown
    GET
    https://ldrglobal.casa/
    rundll32.exe
    Remote address:
    104.248.62.43:443
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Host: ldrglobal.casa
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 15 Jul 2020 08:21:18 GMT
    Content-Type: text/html
    Content-Length: 489
    Connection: keep-alive
    Last-Modified: Wed, 29 Jan 2020 08:16:06 GMT
    ETag: "5e313f46-1e9"
    Accept-Ranges: bytes
  • flag-unknown
    GET
    https://ldrglobal.casa/background.png
    rundll32.exe
    Remote address:
    104.248.62.43:443
    Request
    GET /background.png HTTP/1.1
    Connection: Keep-Alive
    Cookie: __gads=1670713949:1:113241:125:24; _gat=6.1.7601.64; _ga=1.1635.1970169159.86; _u=4156474C46455342:41646D696E; __io=21_1131729243_447456001_3632642222; _gid=529975912AA3
    Host: ldrglobal.casa
  • 95.100.136.17:443
    https://support.apple.com/
    tls, http
    rundll32.exe
    2.7kB
    111.6kB
    49
    82

    HTTP Request

    GET https://support.apple.com/
  • 72.21.81.240:80
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    http
    rundll32.exe
    2.2kB
    61.1kB
    29
    45

    HTTP Request

    GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    HTTP Response

    200

    HTTP Request

    GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    HTTP Response

    304

    HTTP Request

    GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    HTTP Response

    304
  • 104.81.140.150:443
    https://support.microsoft.com/
    tls, http
    rundll32.exe
    3.9kB
    173.2kB
    75
    131

    HTTP Request

    GET https://support.microsoft.com/
  • 104.248.62.43:443
    https://ldrglobal.casa/background.png
    tls, http
    rundll32.exe
    6.3kB
    326.7kB
    123
    236

    HTTP Request

    GET https://ldrglobal.casa/

    HTTP Response

    200

    HTTP Request

    GET https://ldrglobal.casa/background.png
  • 8.8.8.8:53
    support.apple.com
    dns
    63 B
    232 B
    1
    1

    DNS Request

    support.apple.com

    DNS Response

    95.100.136.17

  • 8.8.8.8:53
    www.download.windowsupdate.com
    dns
    76 B
    325 B
    1
    1

    DNS Request

    www.download.windowsupdate.com

    DNS Response

    72.21.81.240

  • 8.8.8.8:53
    support.microsoft.com
    dns
    67 B
    166 B
    1
    1

    DNS Request

    support.microsoft.com

    DNS Response

    104.81.140.150

  • 8.8.8.8:53
    ldrglobal.casa
    dns
    60 B
    76 B
    1
    1

    DNS Request

    ldrglobal.casa

    DNS Response

    104.248.62.43

  • 239.255.255.250:1900
    966 B
    6
  • 239.255.255.250:1900

MITRE ATT&CK Enterprise v6


Downloads
