Analysis

max time kernel: 145s
max time network: 158s
platform: windows7_x64
resource: win7-20220414-en
submitted: 18-04-2022 13:32

Tasks
Static task: static1 (0 signatures, 0 seconds)
Behavioral task: behavioral1
  Sample: a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll
  Resource: win7-20220414-en
  Platform: windows7_x64
General

Target: a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll
Size: 224KB
MD5: 31d6b2d7cc812cad6fc40112a225f58f
SHA1: 3b8341f4341cf37f39f5676fcab30622063f3d65
SHA256: a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f
SHA512: 8557618f1584602cfb167b0df9c717d71c218ed594bcdc9e7097c84edf12685dc403ef9b529f0143256d183d93591a3967b48da902db78a2c69c0ea7e397eb4d
Malware Config (extracted)

Family: icedid
C2: loadberlin.casa
Signatures

IcedID First Stage Loader (2 IoCs)
  resource                                                                    | yara_rule
  behavioral1/memory/1712-56-0x0000000074DC0000-0x0000000074DC6000-memory.dmp | IcedidFirstLoader
  behavioral1/memory/1712-57-0x0000000074DC0000-0x0000000074E04000-memory.dmp | IcedidFirstLoader

Blocklisted process makes network request (20 IoCs)
  flow                                                                        | pid  | process
  3, 4, 6, 8, 10, 11, 13, 14, 16, 17, 21, 22, 24, 25, 27, 28, 30, 31, 33, 34  | 1712 | rundll32.exe
  (one row per flow in the original table; all 20 flows originate from the same process)

Suspicious use of WriteProcessMemory (7 IoCs)
  description                     | pid | process      | target pid | target process
  PID 384 wrote to memory of 1712 | 384 | rundll32.exe | 1712       | rundll32.exe
  (this row is recorded 7 times)
Processes

1. C:\Windows\system32\rundll32.exe (PID 384)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll,#1
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1712), child of process 1
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll,#1
      Signatures: Blocklisted process makes network request

The PIDs are taken from the signature tables above (384 writes to 1712; 1712 makes the network requests). Reading the tree: the 64-bit rundll32 in system32 re-launches the 32-bit rundll32 in SysWOW64 with an identical command line, which is the standard handoff Windows performs when the DLL passed to rundll32 is 32-bit. The WriteProcessMemory hits from 384 into 1712 are therefore consistent with ordinary child-process creation and, on their own, are not evidence of a separate injection step (this is an interpretation of the report, not a finding it states). The DLL's export #1 actually runs in the SysWOW64 process, which is where both YARA hits and all 20 network flows are recorded.
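The behaviour above (rundll32 invoked on a DLL in a user's Temp directory by export ordinal, a 64-bit-to-WoW64 rundll32 handoff, then an outbound connection from the child) can be turned into detection logic. The following is an added example, not part of the sandbox report. The event records are constructed to mirror the report's process tree and network signature; their field names follow the shape of Sysmon process-create (EID 1) and network-connect (EID 3) events but are an assumed layout, not output copied from the page. The rule names, the `detect` function and the benign control event are likewise the author's own.

```python
"""Turn the rundll32 behaviour in this report into detection logic.

Added example, not part of the sandbox report. The events below are
constructed to mirror the report's process tree (system32 rundll32 PID 384
launching SysWOW64 rundll32 PID 1712) and its network signature; the field
names are an assumed Sysmon-like shape, not text copied from the page.
"""
import re

DLL_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll")

# Constructed sample events, in chronological order (detect() relies on that).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 384, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f"rundll32.exe {DLL_PATH},#1"},
    {"event_id": 1, "pid": 1712, "ppid": 384,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "command_line": f"rundll32.exe {DLL_PATH},#1"},
    {"event_id": 3, "pid": 1712,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dest_host": "loadberlin.casa", "dest_port": 443},
    # Benign control: the way Windows itself invokes rundll32 (must not fire).
    {"event_id": 1, "pid": 2200, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# A DLL sitting in a user's Temp directory is the attacker-controlled case.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Export called by ordinal (",#1") rather than by name, as loader DLLs often are.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+", re.IGNORECASE)


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def detect(events):
    """Return (rule, pid, detail) findings for rundll32 misuse.

    Suspicion raised on a process-create event is propagated to a rundll32
    child of that process, which covers the 64-bit -> WoW64 rundll32 handoff
    seen in the report, so a later network connection from the child is
    scored against the original DLL path rather than as a generic hit.
    """
    findings = []
    suspicious = {}  # pid -> reason
    for ev in events:
        if not is_rundll32(ev.get("image", "")):
            continue
        if ev["event_id"] == 1:
            if ev["ppid"] in suspicious and is_rundll32(ev.get("parent_image", "")):
                reason = f"child of suspicious rundll32 {ev['ppid']}"
                suspicious[ev["pid"]] = reason
                findings.append(("rundll32_child_of_suspicious_rundll32", ev["pid"], reason))
            cmd = ev["command_line"]
            if USER_TEMP.search(cmd) and ORDINAL_EXPORT.search(cmd):
                suspicious[ev["pid"]] = "temp DLL called by ordinal"
                findings.append(("rundll32_temp_dll_by_ordinal", ev["pid"], cmd))
        elif ev["event_id"] == 3:
            dest = f"{ev['dest_host']}:{ev['dest_port']}"
            if ev["pid"] in suspicious:
                findings.append(("rundll32_network_from_suspicious_process", ev["pid"], dest))
            else:
                findings.append(("rundll32_network_connect", ev["pid"], dest))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:42} pid={pid:<5} {detail}")
```

Run against the constructed events, both rundll32 processes fire the Temp-DLL-by-ordinal rule, PID 1712 is additionally tagged as the child of a suspicious rundll32, and its connection to loadberlin.casa is reported as coming from an already-suspicious process; the shell32.dll control produces nothing. A bare `rundll32_network_connect` with no prior suspicion is still worth a medium-severity alert, since rundll32 has few legitimate reasons to talk to the internet.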
Downloads (memory dumps)

  memory/1712-54-0x0000000000000000-mapping.dmp
  memory/1712-55-0x00000000763E1000-0x00000000763E3000-memory.dmp   8KB
  memory/1712-56-0x0000000074DC0000-0x0000000074DC6000-memory.dmp   24KB
  memory/1712-57-0x0000000074DC0000-0x0000000074E04000-memory.dmp   272KB
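The dump names encode the PID, a running index and the address range of the region that was dumped, which is enough to cross-check the listed sizes and to see how the regions relate to each other. The following parser is an added example, not part of the report or of the sandbox's own tooling. The name layout memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp and the KB sizes are read off the entries above; the `Dump` class and the function names are the author's own.

```python
"""Parse the memory-dump names listed under Downloads and sanity-check them.

Added example, not part of the report. The name layout
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is read off the entries
above; the "-mapping.dmp" variant carries no end address. The listed KB
sizes are copied from the page and compared against end - start.
"""
import re
from dataclasses import dataclass
from typing import Optional

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (name, listed size in KB or None) exactly as shown in the Downloads list.
LISTED = [
    ("memory/1712-54-0x0000000000000000-mapping.dmp", None),
    ("memory/1712-55-0x00000000763E1000-0x00000000763E3000-memory.dmp", 8),
    ("memory/1712-56-0x0000000074DC0000-0x0000000074DC6000-memory.dmp", 24),
    ("memory/1712-57-0x0000000074DC0000-0x0000000074E04000-memory.dmp", 272),
]


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    idx: int
    start: int
    end: Optional[int]   # None for the mapping dump
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def overlaps(self, other: "Dump") -> bool:
        if self.end is None or other.end is None:
            return False
        return self.start < other.end and other.start < self.end

    def contains(self, other: "Dump") -> bool:
        return (self.overlaps(other) and self.start <= other.start
                and other.end <= self.end)


def parse_dump_name(name: str) -> Dump:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m["end"]
    return Dump(name, int(m["pid"]), int(m["idx"]), int(m["start"], 16),
                None if end is None else int(end, 16), m["kind"])


def size_matches(dump: Dump, listed_kb: Optional[int]) -> bool:
    """True when end - start agrees with the size printed beside the entry."""
    if dump.size is None or listed_kb is None:
        return dump.size is None and listed_kb is None
    return dump.size == listed_kb * 1024


def relate(dumps):
    """Pairs of dumps whose address ranges overlap, tagged inside or partial."""
    out = []
    for i, a in enumerate(dumps):
        for b in dumps[i + 1:]:
            if not a.overlaps(b):
                continue
            if a.contains(b):
                out.append((b.name, "inside", a.name))
            elif b.contains(a):
                out.append((a.name, "inside", b.name))
            else:
                out.append((a.name, "partial", b.name))
    return out


if __name__ == "__main__":
    dumps = [parse_dump_name(n) for n, _ in LISTED]
    for d, (_, kb) in zip(dumps, LISTED):
        print(f"{d.name}: size={d.size} listed={kb}KB ok={size_matches(d, kb)}")
    for inner, rel, outer in relate(dumps):
        print(f"{inner} {rel} {outer}")
```

Running it confirms all three listed sizes (0x2000, 0x6000 and 0x44000 bytes) and shows dump 56 lying entirely inside dump 57 at the same base address 0x74DC0000: both are the regions tagged IcedidFirstLoader above, so the larger dump 57 is the one to open first when pulling the loader out for static analysis.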