Analysis
Max time kernel: 160s
Max time network: 163s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 17-04-2022 07:05
Static task: static1
Behavioral task: behavioral1
Sample: 75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
Target: 75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll
Size: 625KB
MD5: f446cbf6a507d8d40677b846671a85ab
SHA1: 48a13826bd7e3ba6a24abadcf3ae4dcfcdd09d43
SHA256: 75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e
SHA512: cf41217e8ebf8dd4707db07759e67bcce4af3cd87228d11c5645b7df97b342a419ff0050ec1d65a1ec01467c80d32acfc1ebe60249d94809711d9164feaf0b03
Malware Config (extracted)
Family: icedid
C2: flathommy.top
Signatures

IcedID First Stage Loader (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/3264-131-0x00000000747E0000-0x00000000747E6000-memory.dmp   IcedidFirstLoader
  behavioral2/memory/3264-132-0x00000000747E0000-0x0000000074D81000-memory.dmp   IcedidFirstLoader

Blocklisted process makes network request (14 IoCs)
  flow  pid   process
  7     3264  rundll32.exe
  9     3264  rundll32.exe
  11    3264  rundll32.exe
  13    3264  rundll32.exe
  15    3264  rundll32.exe
  16    3264  rundll32.exe
  18    3264  rundll32.exe
  20    3264  rundll32.exe
  22    3264  rundll32.exe
  25    3264  rundll32.exe
  27    3264  rundll32.exe
  29    3264  rundll32.exe
  32    3264  rundll32.exe
  34    3264  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       target process
  PID 2036 wrote to memory of 3264   2036  rundll32.exe  rundll32.exe
  PID 2036 wrote to memory of 3264   2036  rundll32.exe  rundll32.exe
  PID 2036 wrote to memory of 3264   2036  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll,#1
  Signature: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (child of the process above)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75aa737c57170f7fbe485ffcdb1cfd3e850f28470085725800f8cb173231ab9e.dll,#1
    Signature: Blocklisted process makes network request