Analysis
- max time kernel: 82s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 15:16

Static task: static1
Behavioral task: behavioral1
Sample: d5492f1f005387e006dabd54253570e7.dll
Resource: win7v20201028
0 signatures, 0 seconds
General
- Target: d5492f1f005387e006dabd54253570e7.dll
- Size: 143KB
- MD5: 5802126f64e5edfee61f5c5b987c9dec
- SHA1: bb9c06fef95abfd6a3bdf5474558d8916a901301
- SHA256: 1430b28b39a4f495c8a88aeb49ca5b843078704d740e9860e9a0a87e2154655d
- SHA512: 37f00db410b0ce0082d195b9820a5b58b580c8ac684f49ef0bd0d870140a84a09d1f9279564d41bc16718a035931faee7c60e394a5f1db9f6b0107a64f662b88
Malware Config
Signatures
- IcedID Core Payload (1 IoC)
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/4060-1-0x0000000004B50000-0x0000000004BF6000-memory.dmp  Icedid_core
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
    flow  pid   process
    16    4060  rundll32.exe
    18    4060  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description                       pid   process       target process
    PID 4004 wrote to memory of 4060  4004  rundll32.exe  rundll32.exe
    PID 4004 wrote to memory of 4060  4004  rundll32.exe  rundll32.exe
    PID 4004 wrote to memory of 4060  4004  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5492f1f005387e006dabd54253570e7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d5492f1f005387e006dabd54253570e7.dll,#1
    - Blocklisted process makes network request