Analysis
- max time kernel: 139s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-04-2022 07:05

Tasks
- Static task: static1 (0 signatures, 0 seconds)
- Behavioral task: behavioral1
  Sample: 75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll
  Resource: win7-20220414-en (windows7_x64)
General
- Target: 75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll
- Size: 625KB
- MD5: f446cbf6a507d8d40677b846671a85ab
- SHA1: 48a13826bd7e3ba6a24abadcf3ae4dcfcdd09d43
- SHA256: 75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e
- SHA512: cf41217e8ebf8dd4707db07759e67bcce4af3cd87228d11c5645b7df97b342a419ff0050ec1d65a1ec01467c80d32acfc1ebe60249d94809711d9164feaf0b03
Malware Config (extracted)
- Family: icedid
- C2: flathommy.top
Signatures
- IcedID First Stage Loader (2 IoCs)
  Processes (yara rule hits):
    resource                                                                      yara_rule
    behavioral1/memory/1292-56-0x0000000073E50000-0x0000000073E56000-memory.dmp   IcedidFirstLoader
    behavioral1/memory/1292-57-0x0000000073E50000-0x00000000743F1000-memory.dmp   IcedidFirstLoader
- Blocklisted process makes network request (18 IoCs)
  Processes: rundll32.exe
    flow   pid    process
    3      1292   rundll32.exe
    4      1292   rundll32.exe
    6      1292   rundll32.exe
    7      1292   rundll32.exe
    9      1292   rundll32.exe
    10     1292   rundll32.exe
    12     1292   rundll32.exe
    13     1292   rundll32.exe
    17     1292   rundll32.exe
    19     1292   rundll32.exe
    21     1292   rundll32.exe
    22     1292   rundll32.exe
    24     1292   rundll32.exe
    25     1292   rundll32.exe
    27     1292   rundll32.exe
    28     1292   rundll32.exe
    29     1292   rundll32.exe
    30     1292   rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    description                         pid   process        target process
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
    PID 836 wrote to memory of 1292     836   rundll32.exe   rundll32.exe
Processes (tree)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll,#1
    - Blocklisted process makes network request
Downloads
- memory/1292-54-0x0000000000000000-mapping.dmp
- memory/1292-55-0x0000000075721000-0x0000000075723000-memory.dmp (filesize: 8KB)
- memory/1292-56-0x0000000073E50000-0x0000000073E56000-memory.dmp (filesize: 24KB)
- memory/1292-57-0x0000000073E50000-0x00000000743F1000-memory.dmp (filesize: 5.6MB)