Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-04-2022 07:05

Static task: static1
Behavioral task: behavioral1
Sample: 280e6951e877b078877f203f95d746e901bb05a8da57a6402f98859d72069693.dll
Resource: win7-20220414-en (windows7_x64), 0 signatures, 0 seconds
General
- Target: 280e6951e877b078877f203f95d746e901bb05a8da57a6402f98859d72069693.dll
- Size: 185KB
- MD5: 6aab62cb31a02543cf3a1be0fa25c8c8
- SHA1: 63b07c2d67b6c8f67499b8c5554949a9a8cce703
- SHA256: 280e6951e877b078877f203f95d746e901bb05a8da57a6402f98859d72069693
- SHA512: f1a4363775bd02aafd8ac75a88678c55e3687000c3a23ea726ee6632f0672d4b301b6d2ee1db7256dedfd8364fffdb24ad7cf6bbd36f6888db2a52c879e32358
Malware Config
Extracted
- Family: icedid
- C2: june85.cyou, golddisco.top
Signatures

IcedID Second Stage Loader (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3784-131-0x0000000075010000-0x0000000075016000-memory.dmp | IcedidSecondLoader
  behavioral2/memory/3784-132-0x0000000075010000-0x000000007504E000-memory.dmp | IcedidSecondLoader

Drops file in System32 directory (2 IoCs)
Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{28979DCC-E619-444D-81D1-E472EE35EA0A}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BD525D5F-01A6-49E4-9B68-6C4CA6BC40F2}.catalogItem | svchost.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description | pid | process | target process
  PID 3768 wrote to memory of 3784 | 3768 | rundll32.exe | rundll32.exe
  PID 3768 wrote to memory of 3784 | 3768 | rundll32.exe | rundll32.exe
  PID 3768 wrote to memory of 3784 | 3768 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\280e6951e877b078877f203f95d746e901bb05a8da57a6402f98859d72069693.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\280e6951e877b078877f203f95d746e901bb05a8da57a6402f98859d72069693.dll,#1
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry