Analysis
- max time kernel: 4294179s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 23-03-2022 18:23

Static task: static1
Behavioral task: behavioral1
Sample: dar.dll
Resource: win7-20220311-en
0 signatures, 0 seconds
General
- Target: dar.dll
- Size: 142KB
- MD5: 1469ce7ec910ec525d86acbc5cee9858
- SHA1: 5339edc96e8071258c0615b2de09df40ac79a8dc
- SHA256: 17aeebe6c1098a312074b0fdeae6f97339f2d64d66a2b07496bfc1373694a4e3
- SHA512: 6785695744c06594e6651a601710a48e54a744333bd3d1e39f3bed1408d8d0a8e91229fc79ee453fc7feed1bfe8e01a4aef91237e742b98b416c39e1788d144a
Malware Config
Extracted
- Family: icedid
- Campaign: 429479428
- C2: arelyevennot.top
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  468   1888         WerFault.exe   regsvr32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid    process
  1888   regsvr32.exe
  1888   regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid    process        target process
  PID 1888 wrote to memory of 468    1888   regsvr32.exe   WerFault.exe
  PID 1888 wrote to memory of 468    1888   regsvr32.exe   WerFault.exe
  PID 1888 wrote to memory of 468    1888   regsvr32.exe   WerFault.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\dar.dll
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1888 -s 244
    - Program crash