Analysis
max time kernel: 117s
max time network: 123s
platform: windows7_x64
resource: win7-en-20211208
submitted: 10-02-2022 10:45
Static task: static1

Behavioral task: behavioral1
  Sample: 3.dll
  Resource: win7-en-20211208
  0 signatures
  0 seconds

Behavioral task: behavioral2
  Sample: 3.dll
  Resource: win10v2004-en-20220112
  0 signatures
  0 seconds
General
Target: 3.dll
Size: 569KB
MD5: eda4e741af2c0316ee18ad2651059d92
SHA1: 5bd12244ddb2e6fde14bc67a66ef8d287e37a0d1
SHA256: 50165bf93643c3ee448eb480217442f19567918b7ea98722bb404e7fea558a2b
SHA512: 6268417a843c9a815fa49c1ed41a8736669f4ad47314a84b67c8eb70843b041b8925b839ec557315f576e603c8bef63664c7ac0d3fc06378a13d7c8f09489d55
Score: 10/10
Malware Config
Extracted
  Family: icedid
  Campaign: 3825802847
  C2: cleverballs.com
Signatures
suricata: ET MALWARE Win32/IcedID Request Cookie
Program crash 1 IoCs
Processes:
  pid  pid_target  process       target process
  268  964         WerFault.exe  regsvr32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid  process
  964  regsvr32.exe
  964  regsvr32.exe
  268  WerFault.exe
  268  WerFault.exe
  268  WerFault.exe
  268  WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid  process
  Token: SeDebugPrivilege  268  WerFault.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                     pid  process       target process
  PID 964 wrote to memory of 268  964  regsvr32.exe  WerFault.exe
  PID 964 wrote to memory of 268  964  regsvr32.exe  WerFault.exe
  PID 964 wrote to memory of 268  964  regsvr32.exe  WerFault.exe
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3.dll
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 964 -s 244
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken