Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 18-04-2022 13:32
Static task: static1
Behavioral task: behavioral1
- Sample: a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Note: the Windows 7 run (behavioral1) produced no signatures. The signature hits listed below are tagged behavioral2 and come from the Windows 10 run summarised under Analysis.
General
- Target: a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll
- Size: 224KB
- MD5: 31d6b2d7cc812cad6fc40112a225f58f
- SHA1: 3b8341f4341cf37f39f5676fcab30622063f3d65
- SHA256: a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f
- SHA512: 8557618f1584602cfb167b0df9c717d71c218ed594bcdc9e7097c84edf12685dc403ef9b529f0143256d183d93591a3967b48da902db78a2c69c0ea7e397eb4d
Malware Config
Extracted
- Family: icedid
- C2: loadberlin.casa
Signatures
- IcedID First Stage Loader (2 IoCs)
  Both YARA hits are on memory dumps of the 32-bit rundll32.exe (PID 1808), at the same base address 0x749F0000 and with increasing size, i.e. the loader as mapped in that process rather than the DLL on disk.
  Processes:
  resource                                                                    yara_rule
  behavioral2/memory/1808-131-0x00000000749F0000-0x00000000749F6000-memory.dmp  IcedidFirstLoader
  behavioral2/memory/1808-132-0x00000000749F0000-0x0000000074A34000-memory.dmp  IcedidFirstLoader
- Blocklisted process makes network request (13 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  15    1808  rundll32.exe
  16    1808  rundll32.exe
  18    1808  rundll32.exe
  31    1808  rundll32.exe
  36    1808  rundll32.exe
  42    1808  rundll32.exe
  44    1808  rundll32.exe
  46    1808  rundll32.exe
  48    1808  rundll32.exe
  50    1808  rundll32.exe
  55    1808  rundll32.exe
  57    1808  rundll32.exe
  61    1808  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                       pid   process       target process
  PID 4432 wrote to memory of 1808  4432  rundll32.exe  rundll32.exe
  PID 4432 wrote to memory of 1808  4432  rundll32.exe  rundll32.exe
  PID 4432 wrote to memory of 1808  4432  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4432, per the WriteProcessMemory signature)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1808, per the network-request signature)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll,#1
    - Blocklisted process makes network request
The ",#1" argument makes rundll32.exe call the DLL's export with ordinal 1, so the loader needs no named export. A 64-bit rundll32.exe asked to load a 32-bit DLL re-launches itself as the SysWOW64 copy, so the system32 → SysWOW64 rundll32 pair here is the expected hand-off for a 32-bit loader; the network activity and the YARA hits are all in the 32-bit child.
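The report's Malware Config and Signatures give enough to write a host-side check for this behaviour: the four file hashes, the C2 domain, the rundll32 ordinal-export command line, the 64-bit → 32-bit rundll32 hand-off with a cross-process write, and network connections from the 32-bit child. The following is an added example (not part of the sandbox report or of any vendor's detection content). The indicators are copied from the report; the event records are constructed here in a Sysmon-like shape, and the field names, the `remote_write` event type and the placeholder parent PID 612 are this example's own assumptions.

```python
"""Hunting checks derived from the sandbox report above (added example)."""
import hashlib
import re
from collections import defaultdict

# Indicators copied from the report's General and Malware Config sections.
IOC_HASHES = {
    "md5": "31d6b2d7cc812cad6fc40112a225f58f",
    "sha1": "3b8341f4341cf37f39f5676fcab30622063f3d65",
    "sha256": "a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f",
    "sha512": "8557618f1584602cfb167b0df9c717d71c218ed594bcdc9e7097c84edf12685dc403ef9b529f0143256d183d93591a3967b48da902db78a2c69c0ea7e397eb4d",
}
IOC_C2_DOMAINS = {"loadberlin.casa"}

# rundll32 invoked with a DLL path and an export selected by ordinal (",#1" in the report).
RUNDLL32_ORDINAL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),#(?P<ordinal>\d+)\s*$", re.IGNORECASE)
# DLL staged under the user's %LOCALAPPDATA%\Temp, as in the report's command line.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUNDLL32_IMAGE_RE = re.compile(r"\\Windows\\(system32|SysWOW64)\\rundll32\.exe$", re.IGNORECASE)


def hash_matches(data: bytes) -> dict:
    """Compare a file's digests with all four report hashes; any True is a hit."""
    digests = {name: getattr(hashlib, name)(data).hexdigest() for name in IOC_HASHES}
    return {name: digests[name] == IOC_HASHES[name] for name in IOC_HASHES}


def detect(events):
    """Return {pid: set(tags)} for the rundll32 chain the report records.

    Tags: ordinal-export-from-temp, 32bit-rundll32-from-64bit-rundll32,
    rundll32-writes-rundll32, contacts-known-c2.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = defaultdict(set)

    for pid, p in procs.items():
        m = RUNDLL32_ORDINAL_RE.search(p["cmdline"])
        if m and USER_TEMP_RE.search(m.group("dll")):
            findings[pid].add("ordinal-export-from-temp")
        parent = procs.get(p["ppid"])
        if (parent and RUNDLL32_IMAGE_RE.search(p["image"]) and "syswow64" in p["image"].lower()
                and RUNDLL32_IMAGE_RE.search(parent["image"]) and "system32" in parent["image"].lower()):
            findings[pid].add("32bit-rundll32-from-64bit-rundll32")

    for e in events:
        if e["type"] == "remote_write":  # the report's "Suspicious use of WriteProcessMemory"
            src, dst = procs.get(e["source_pid"]), procs.get(e["target_pid"])
            if src and dst and all(RUNDLL32_IMAGE_RE.search(x["image"]) for x in (src, dst)):
                findings[e["source_pid"]].add("rundll32-writes-rundll32")
        elif e["type"] in ("dns_query", "network_connect"):
            p = procs.get(e["pid"])
            host = e.get("query") or e.get("dest_host", "")
            if p and RUNDLL32_IMAGE_RE.search(p["image"]) and host.lower() in IOC_C2_DOMAINS:
                findings[e["pid"]].add("contacts-known-c2")
    return dict(findings)


DLL = r"C:\Users\Admin\AppData\Local\Temp\a1f7ff78e3d5ee0fc22701dc3670c2d57caaa9bb06b5681c8b6273f846dc626f.dll"
# Constructed events mirroring the report's process tree and signatures.
# PIDs 4432 and 1808 are from the report; ppid 612 is a placeholder parent.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4432, "ppid": 612,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 1808, "ppid": 4432,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "remote_write", "source_pid": 4432, "target_pid": 1808},
    {"type": "dns_query", "pid": 1808, "query": "loadberlin.casa"},
    {"type": "network_connect", "pid": 1808, "dest_host": "loadberlin.casa", "dest_port": 443},
    # Benign control: a system DLL called by a named export from the same image.
    {"type": "process_create", "pid": 900, "ppid": 612,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, tags in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, sorted(tags))
```

The ordinal-export check on its own is weak evidence (legitimate installers also call exports by ordinal); the combination with a DLL under the user's Temp directory, a 64-bit → 32-bit rundll32 hand-off and a connection to the extracted C2 domain is what makes this chain worth alerting on. The benign `Control_RunDLL` process produces no tags.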