Analysis
-
max time kernel
3s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-02-2021 14:42
Static task
static1
Behavioral task
behavioral1
Sample
b63e3ccc1accb0fde3af7bcfbd0554d3.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
b63e3ccc1accb0fde3af7bcfbd0554d3.dll
-
Size
1.4MB
-
MD5
b63e3ccc1accb0fde3af7bcfbd0554d3
-
SHA1
6a6cf5af326f2ae625b97cb3658366d45608e6b9
-
SHA256
0982c38ddad347ce0ff426106db78f3e51b723d7d90308a970ef43ef84fc8d75
-
SHA512
51dfced4855cc288132e20879e8dc9c8626b6ea5ec71b9ded9be9ab01b8e77c3bdedc817dfde9a456aa957e32f8e9dac6c7640b86facd7429d549d3279ead17b
Malware Config
Extracted
Family
icedid
Campaign
3109461289
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
regsvr32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion regsvr32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion regsvr32.exe -
Processes:
resource yara_rule behavioral1/memory/1924-3-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmp themida behavioral1/memory/1924-4-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmp themida -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
regsvr32.exepid process 1924 regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 1924 regsvr32.exe 1924 regsvr32.exe
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1924-2-0x000007FEFC021000-0x000007FEFC023000-memory.dmpFilesize
8KB
-
memory/1924-3-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmpFilesize
4.9MB
-
memory/1924-4-0x000007FEF62D0000-0x000007FEF67BF000-memory.dmpFilesize
4.9MB
-
memory/1924-5-0x000007FEF62D1000-0x000007FEF62D3000-memory.dmpFilesize
8KB