Analysis
Max time kernel: 149s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 17-04-2022 16:31
Static task: static1
Behavioral task: behavioral1
  Sample: 46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1.dll
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
General
Target: 46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1.dll
Size: 278KB
MD5: ed0848e23ab64f82bb5196da308c6b6f
SHA1: cef4b3dacef49c0d3c9cc49a23a9c11401277e54
SHA256: 46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1
SHA512: 44ed59fdd711cedb84ee4bbe5a6c9f7d095830f4a6e54f513fd675a0ec3bf30c4fc262b8aa6efae0081c9748090c91e0bc57fcfa24600e0a4460bbc7db634b7d
Malware Config
Extracted
Family: icedid
C2:
  kravynolu.cyou
  nikushotomo.cyou
Signatures
IcedID Second Stage Loader (2 IoCs)
  YARA rule IcedidSecondLoader matched two memory dumps taken from the child rundll32.exe (PID 288):
  behavioral1/memory/288-56-0x0000000074650000-0x0000000074656000-memory.dmp
  behavioral1/memory/288-57-0x0000000074650000-0x00000000746A3000-memory.dmp
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1880 (rundll32.exe) wrote to memory of PID 288 (rundll32.exe); the same event was recorded 7 times.
  PID 1880 is the 64-bit rundll32.exe and PID 288 is the SysWOW64 rundll32.exe it created, so these writes are consistent with ordinary process creation rather than injection into an unrelated process; the YARA matches on PID 288's memory are the stronger evidence here.
Processes
C:\Windows\system32\rundll32.exe (PID 1880)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 288)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1.dll,#1
       Signatures: IcedID Second Stage Loader (YARA matches on this process's memory dumps)
The ",#1" argument calls export ordinal 1 of the DLL rather than a named export. The 64-bit rundll32.exe re-launches the 32-bit DLL through the SysWOW64 copy of rundll32.exe with the same arguments, which is why the unpacked loader is found in PID 288.
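The process tree above is the pattern a detection engineer would want to match on: rundll32 loading a DLL from a user-writable directory by export ordinal, followed by the WoW64 re-launch into the SysWOW64 rundll32. The following is an added example (not part of the Triage report and not Triage's own export format) that evaluates constructed process-creation events modelled on this tree; the event field names, the benign third event and the parent PID 1604 are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events. The first two mirror the process tree
# in this report (images, command lines, PIDs 1880 and 288); the third is a
# benign Control Panel launch added for contrast. The field names are an
# assumption for this example, not Triage's own export format.
EVENTS: List[Dict] = [
    {"pid": 1880, "ppid": 1604,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1.dll,#1"},
    {"pid": 288, "ppid": 1880,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\46b9f98c5b291d76ba91e43e5d8a980ab1ea24e62da044fa5173f42950bda0f1.dll,#1"},
    {"pid": 2044, "ppid": 1604,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
]

# rundll32 command-line shape: rundll32[.exe] <dll>,<entry point> [args]
# The DLL path may be quoted; the entry point follows the first comma.
CMDLINE_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s"]+))\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; a DLL loaded from one of
# these by rundll32 is far more likely a dropped payload than a Windows
# component. Compared case-insensitively against the DLL path.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll, entry_point) for a rundll32 command line, else None."""
    m = CMDLINE_RE.match(cmdline)
    if m is None:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("entry"))


def score_event(ev: Dict, by_pid: Dict[int, Dict]) -> Dict[str, bool]:
    """Evaluate one process-creation event against three indicators."""
    flags = {"ordinal_entry": False, "writable_dir": False, "wow64_hop": False}
    parsed = parse_rundll32(ev["cmdline"])
    if parsed is None:
        return flags
    dll, entry = parsed
    # "#1"-style entry points name an export by ordinal rather than by name,
    # which keeps the function name off the command line.
    flags["ordinal_entry"] = re.fullmatch(r"#\d+", entry) is not None
    flags["writable_dir"] = any(d in dll.lower() for d in USER_WRITABLE)
    # A 32-bit DLL handed to the 64-bit rundll32 is re-launched through the
    # SysWOW64 copy with identical arguments, as the report's tree shows.
    # This is normal WoW64 behaviour on its own; its value is telling the
    # analyst which PID will hold the unpacked code.
    parent = by_pid.get(ev["ppid"])
    flags["wow64_hop"] = (
        parent is not None
        and "\\syswow64\\" in ev["image"].lower()
        and parent["image"].lower().endswith("\\system32\\rundll32.exe")
        and parse_rundll32(parent["cmdline"]) == parsed
    )
    return flags


def triage(events: List[Dict]) -> Dict[int, Dict[str, bool]]:
    """Return {pid: flags} for events combining an ordinal entry point with a
    DLL in a user-writable directory; either indicator alone is too noisy."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        flags = score_event(ev, by_pid)
        if flags["ordinal_entry"] and flags["writable_dir"]:
            hits[ev["pid"]] = flags
    return hits


if __name__ == "__main__":
    for pid, flags in triage(EVENTS).items():
        print(pid, flags)
```

Run against the constructed events, both rundll32 processes from the report are reported and the Control Panel launch is not; only PID 288 carries the wow64_hop flag, since its parent is the system32 rundll32 with the same DLL and entry point.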
Network
MITRE ATT&CK Matrix
Downloads
memory/288-54-0x0000000000000000-mapping.dmp
memory/288-55-0x00000000755A1000-0x00000000755A3000-memory.dmp (8KB)
memory/288-56-0x0000000074650000-0x0000000074656000-memory.dmp (24KB)
memory/288-57-0x0000000074650000-0x00000000746A3000-memory.dmp (332KB)
The last two dumps cover the same base address 0x74650000 in PID 288 and are the two that matched the IcedidSecondLoader YARA rule; the 332KB dump is the fuller capture of that region and the one to load for analysis.
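The dump names above encode PID, sequence number and address range, so the listed sizes can be checked against the ranges and overlapping dumps of one region grouped together before picking a dump to disassemble. The following is an added example written for this page (not Triage's own tooling); the name layout is read off the four entries above and is assumed to hold for other Triage reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Dump names and listed sizes copied from the Downloads section above; the
# mapping entry carries no range and no size. Constructed as (name, size_kb).
DOWNLOADS: List[Tuple[str, Optional[int]]] = [
    ("memory/288-54-0x0000000000000000-mapping.dmp", None),
    ("memory/288-55-0x00000000755A1000-0x00000000755A3000-memory.dmp", 8),
    ("memory/288-56-0x0000000074650000-0x0000000074656000-memory.dmp", 24),
    ("memory/288-57-0x0000000074650000-0x00000000746A3000-memory.dmp", 332),
]

# Name layout as seen on the page (assumed general):
#   memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for mapping dumps, which carry no address range
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def size_kb(self) -> Optional[int]:
        return None if self.size is None else self.size // 1024


def parse_dump_name(name: str) -> Dump:
    """Split a Triage dump file name into its fields; raises on unknown layouts."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised memory dump name: {name}")
    end = m.group("end")
    return Dump(name=name, pid=int(m.group("pid")), seq=int(m.group("seq")),
                start=int(m.group("start"), 16),
                end=None if end is None else int(end, 16),
                kind=m.group("kind"))


def check_sizes(downloads: List[Tuple[str, Optional[int]]]) -> List[str]:
    """Report dumps whose address range disagrees with the listed size."""
    problems = []
    for name, reported_kb in downloads:
        d = parse_dump_name(name)
        if d.size_kb() != reported_kb:
            problems.append(f"{name}: range gives {d.size_kb()} KB, listed {reported_kb} KB")
    return problems


def group_by_base(downloads) -> Dict[Tuple[int, int], List[int]]:
    """Map (pid, start address) -> sequence numbers of dumps sharing that base,
    so repeated dumps of one growing region stand out."""
    groups: Dict[Tuple[int, int], List[int]] = {}
    for name, _ in downloads:
        d = parse_dump_name(name)
        if d.kind == "memory":
            groups.setdefault((d.pid, d.start), []).append(d.seq)
    return groups


def largest_dump_for(downloads, pid: int, base: int) -> Optional[str]:
    """Name of the largest dump of one region: the one to open in a disassembler."""
    best: Optional[Dump] = None
    for name, _ in downloads:
        d = parse_dump_name(name)
        if d.kind == "memory" and (d.pid, d.start) == (pid, base):
            if best is None or d.size > best.size:
                best = d
    return None if best is None else best.name


if __name__ == "__main__":
    print(check_sizes(DOWNLOADS) or "all listed sizes match the address ranges")
    print(group_by_base(DOWNLOADS))
    print(largest_dump_for(DOWNLOADS, 288, 0x74650000))
```

For this report the three ranges reproduce the listed 8KB, 24KB and 332KB exactly (0x2000, 0x6000 and 0x53000 bytes), dumps 56 and 57 group under base 0x74650000 in PID 288, and dump 57 is the one to analyse.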