Analysis
-
max time kernel: 68s
max time network: 75s
platform: windows7_x64
resource: win7
submitted: 15-07-2020 08:20
Static task: static1
Behavioral task: behavioral1
Sample: 2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll
Resource: win7 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: 2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General
-
Target: 2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll
Size: 159KB
MD5: df13fa6863bf439d737c01966b487e69
SHA1: c2b99b05a4dd23c3cf96f9e23a5f8c88ab89763f
SHA256: a421e1ac6cd39b7709d8929329b2135cb0f1eaea48edc296d03f0b3f41058282
SHA512: 0e583fa19b144df61a7c72793a06773226b36eddbf2587ab5c6c7c68210754c19c8765bd8e14d458e3d7464d8eb030b46ca5b7a3eede96ab844b44b9efec23c7
Score: 8/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
PID 1296 wrote to memory of 1260 | 1296 | rundll32.exe | 24
-
Blacklisted process makes network request 4 IoCs
flow | pid | Process
2 | 1260 | rundll32.exe
4 | 1260 | rundll32.exe
6 | 1260 | rundll32.exe
8 | 1260 | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1260 | rundll32.exe
1260 | rundll32.exe
-
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <serialized certificate blob, hex omitted> | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = <serialized certificate blob, hex omitted> | rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll,#1
- Suspicious use of WriteProcessMemory
PID: 1296
-
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-14-DLL-for-IcedID-installer-example-07-of-18.bin.dll,#1
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Modifies system certificate store
  PID: 1260
-
Network
-
Remote address: 8.8.8.8:53
Request: support.apple.com IN A
Response:
support.apple.com IN CNAME prod-support.apple-support.akadns.net
prod-support.apple-support.akadns.net IN CNAME support-china.apple-support.akadns.net
support-china.apple-support.akadns.net IN CNAME support.apple.com.edgekey.net
support.apple.com.edgekey.net IN CNAME e2063.e9.akamaiedge.net
e2063.e9.akamaiedge.net IN A 95.100.136.17
-
Remote address: 95.100.136.17:443
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Host: support.apple.com
-
Remote address: 8.8.8.8:53
Request: www.download.windowsupdate.com IN A
Response:
www.download.windowsupdate.com IN CNAME wu-fg-shim.trafficmanager.net
wu-fg-shim.trafficmanager.net IN CNAME 2-01-3cf7-0009.cdx.cedexis.net
2-01-3cf7-0009.cdx.cedexis.net IN CNAME wu.azureedge.net
wu.azureedge.net IN CNAME wu.ec.azureedge.net
wu.ec.azureedge.net IN CNAME wu.wpc.apr-52dd2.edgecastdns.net
wu.wpc.apr-52dd2.edgecastdns.net IN CNAME hlb.apr-52dd2-0.edgecastdns.net
hlb.apr-52dd2-0.edgecastdns.net IN CNAME cs11.wpc.v0cdn.net
cs11.wpc.v0cdn.net IN A 72.21.81.240
-
GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (rundll32.exe)
Remote address: 72.21.81.240:80
Request:
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 May 2020 02:32:26 GMT
If-None-Match: "0597791bc2cd61:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
Response:
HTTP/1.1 200 OK
Age: 1620
Cache-Control: public,max-age=3600
Content-Type: application/vnd.ms-cab-compressed
Date: Wed, 15 Jul 2020 08:21:06 GMT
Etag: "06e9cb2c441d61:0"
Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
Server: ECAcc (bsa/EAFA)
X-Cache: HIT
X-CCC: US
X-CID: 11
X-Powered-By: ASP.NET
Content-Length: 58367
-
GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (rundll32.exe)
Remote address: 72.21.81.240:80
Request:
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 13 Jun 2020 20:53:32 GMT
If-None-Match: "06e9cb2c441d61:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
Response:
HTTP/1.1 304 Not Modified
Age: 1620
Cache-Control: public,max-age=3600
Date: Wed, 15 Jul 2020 08:21:06 GMT
Etag: "06e9cb2c441d61:0"
Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
Server: ECAcc (bsa/EAAA)
X-Cache: HIT
X-CCC: US
X-CID: 11
X-Powered-By: ASP.NET
-
GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab (rundll32.exe)
Remote address: 72.21.81.240:80
Request:
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 13 Jun 2020 20:53:32 GMT
If-None-Match: "06e9cb2c441d61:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
Response:
HTTP/1.1 304 Not Modified
Age: 1631
Cache-Control: public,max-age=3600
Date: Wed, 15 Jul 2020 08:21:17 GMT
Etag: "06e9cb2c441d61:0"
Last-Modified: Sat, 13 Jun 2020 20:53:32 GMT
Server: ECAcc (bsa/EB75)
X-Cache: HIT
X-CCC: US
X-CID: 11
X-Powered-By: ASP.NET
-
Remote address: 8.8.8.8:53
Request: support.microsoft.com IN A
Response:
support.microsoft.com IN CNAME ev.support.microsoft.com.edgekey.net
ev.support.microsoft.com.edgekey.net IN CNAME e3843.g.akamaiedge.net
e3843.g.akamaiedge.net IN A 104.81.140.150
-
Remote address: 104.81.140.150:443
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Host: support.microsoft.com
-
Remote address: 8.8.8.8:53
Request: ldrglobal.casa IN A
Response:
ldrglobal.casa IN A 104.248.62.43
-
Remote address: 104.248.62.43:443
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Host: ldrglobal.casa
Response:
HTTP/1.1 200 OK
Date: Wed, 15 Jul 2020 08:21:18 GMT
Content-Type: text/html
Content-Length: 489
Connection: keep-alive
Last-Modified: Wed, 29 Jan 2020 08:16:06 GMT
ETag: "5e313f46-1e9"
Accept-Ranges: bytes
-
Remote address: 104.248.62.43:443
Request:
GET /background.png HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=1670713949:1:113241:125:24; _gat=6.1.7601.64; _ga=1.1635.1970169159.86; _u=4156474C46455342:41646D696E; __io=21_1131729243_447456001_3632642222; _gid=529975912AA3
Host: ldrglobal.casa
-
2.7kB 111.6kB 49 82
HTTP Request: GET https://support.apple.com/
-
72.21.81.240:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab http rundll32.exe 2.2kB 61.1kB 29 45
HTTP Request: GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP Response: 200
HTTP Request: GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP Response: 304
HTTP Request: GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP Response: 304
-
3.9kB 173.2kB 75 131
HTTP Request: GET https://support.microsoft.com/
-
6.3kB 326.7kB 123 236
HTTP Request: GET https://ldrglobal.casa/
HTTP Response: 200
HTTP Request: GET https://ldrglobal.casa/background.png
-
63 B 232 B 1 1
DNS Request: support.apple.com
DNS Response: 95.100.136.17
-
76 B 325 B 1 1
DNS Request: www.download.windowsupdate.com
DNS Response: 72.21.81.240
-
67 B 166 B 1 1
DNS Request: support.microsoft.com
DNS Response: 104.81.140.150
-
60 B 76 B 1 1
DNS Request: ldrglobal.casa
DNS Response: 104.248.62.43
-
966 B 6
-