b97cc0d33b7a728206da8f7b3b46bdf383cab4999db18fb11bda86c4a16c6fa9 | Triage

Analysis

max time kernel
129s
max time network
75s
platform
windows10_x64
resource
win10v200430
submitted
17/07/2020, 07:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IcedID.dll
Size

204KB
MD5

d966d5b7e8f66c536b2b8934e6231ba8
SHA1

276b93b5a9a4d736ab00256f33fe3991bc772d8d
SHA256

b97cc0d33b7a728206da8f7b3b46bdf383cab4999db18fb11bda86c4a16c6fa9
SHA512

3bf18d07769fed0ddcc241a5b931b87c6a4429041ffcb9d524723a80589135ebbcbe0310af5a477de92a0fa6aab65f5be58d9c7ee67f555a04fdb6e009a013f3

Score

8^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 4028	1600	rundll32.exe	68
PID 1600 wrote to memory of 4028	1600	rundll32.exe	68
PID 1600 wrote to memory of 4028	1600	rundll32.exe	68

Blacklisted process makes network request 11 IoCs

flow	pid	Process
5	4028	rundll32.exe
9	4028	rundll32.exe
10	4028	rundll32.exe
12	4028	rundll32.exe
14	4028	rundll32.exe
16	4028	rundll32.exe
18	4028	rundll32.exe
20	4028	rundll32.exe
22	4028	rundll32.exe
24	4028	rundll32.exe
26	4028	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4028	rundll32.exe
4028	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IcedID.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\IcedID.dll,#1
  2⤵
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads