Analysis
max time kernel: 4294212s
max time network: 157s
platform: windows7_x64
resource: win7-20220311-en
submitted: 26-03-2022 09:52
Static task: static1
Behavioral task: behavioral1
Sample: 20fbdedfeb0334ad02265234f4defe6e43944566d02be150df9acd3aed899938.dll
Resource: win7-20220311-en (windows7_x64)
0 signatures
0 seconds
General
Target: 20fbdedfeb0334ad02265234f4defe6e43944566d02be150df9acd3aed899938.dll
Size: 310KB
MD5: b964bdec89766866acda5b520bd9e3d2
SHA1: 8071c747c8cd7524441fdc88f21acb999a3af68a
SHA256: 20fbdedfeb0334ad02265234f4defe6e43944566d02be150df9acd3aed899938
SHA512: 7b689347b680be1d56a09b04c73f6df95dd33590d040b6e543bb5ddb94b7177b63918a1b23ba4b6b1418b7131dd569f0cb8330301bfec22920f2d626133170ad
Malware Config
Extracted
Family: icedid
C2:
  revopilte3.club
  aweragiprooslk.cyou
Signatures
-
IcedID Second Stage Loader (2 IoCs)
Processes:
  resource: behavioral1/memory/572-57-0x00000000744B0000-0x00000000744B6000-memory.dmp, yara_rule: IcedidSecondLoader
  resource: behavioral1/memory/572-58-0x00000000744B0000-0x000000007450C000-memory.dmp, yara_rule: IcedidSecondLoader
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
  description: PID 1504 wrote to memory of 572, pid: 1504, process: regsvr32.exe, target process: regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\20fbdedfeb0334ad02265234f4defe6e43944566d02be150df9acd3aed899938.dll
  Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\20fbdedfeb0334ad02265234f4defe6e43944566d02be150df9acd3aed899938.dll
Network
MITRE ATT&CK Matrix
Downloads
-
memory/572-55-0x0000000000000000-mapping.dmp
-
memory/572-56-0x0000000075561000-0x0000000075563000-memory.dmp
  Filesize: 8KB
-
memory/572-57-0x00000000744B0000-0x00000000744B6000-memory.dmp
  Filesize: 24KB
-
memory/572-58-0x00000000744B0000-0x000000007450C000-memory.dmp
  Filesize: 368KB
-
memory/1504-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp
  Filesize: 8KB