Analysis

Max time kernel: 146s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 16-05-2022 14:04

Static task: static1
Behavioral task: behavioral1
Sample: 22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll
Resource: win7-20220414-en (windows7_x64)
Signatures: 0
Duration: 0 seconds
General

Target: 22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll
Size: 224KB
MD5: 27330976e897b20cce8347152eac445a
SHA1: 5827bcd96ea651b43ec0fabd84240c53ed9752bf
SHA256: 22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3
SHA512: e45be7fe6b50893e9bb26e5d7deac0a6c2df1920056f34e81a90eb5744b8a544860285fbcd9a4df5a6b18de3ecf22b5bbedcaea759967802584807ef6643ab56
Malware Config (extracted)

Family: icedid
C2: loadberlin.casa
Signatures

IcedID First Stage Loader (2 IoCs)
  YARA rule IcedidFirstLoader matched the following dumps from behavioral1:
    memory/1620-56-0x0000000075120000-0x0000000075126000-memory.dmp
    memory/1620-57-0x0000000075120000-0x0000000075164000-memory.dmp

Blocklisted process makes network request (18 IoCs)
  Process: rundll32.exe (PID 1620)
  Flows: 3, 4, 6, 8, 10, 11, 13, 14, 16, 17, 21, 22, 24, 25, 27, 28, 29, 30

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1672 (rundll32.exe) wrote to the memory of PID 1620 (rundll32.exe); the same source/target pair is recorded 7 times.
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll,#1
       Signature: Blocklisted process makes network request

The DLL is invoked by ordinal (export #1), and the 64-bit rundll32 re-launches the request under its SysWOW64 copy, which is how rundll32 on 64-bit Windows handles a 32-bit DLL; the 32-bit load address of the dumped region (0x75120000) is consistent with that. The parent's writes into the child and the child's network activity are the two behaviours the signatures above attach to each process.
Downloads (memory dumps from PID 1620)

memory/1620-54-0x0000000000000000-mapping.dmp
memory/1620-55-0x0000000075B61000-0x0000000075B63000-memory.dmp (8KB)
memory/1620-56-0x0000000075120000-0x0000000075126000-memory.dmp (24KB)
memory/1620-57-0x0000000075120000-0x0000000075164000-memory.dmp (272KB)
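The checks a practitioner would run over a report like this one, as an added example that is not the sandbox's own code: it parses the dump names above into address ranges and confirms they agree with the reported sizes, finds the region at 0x75120000 that was dumped twice (a 24KB stub, then a 272KB image), and applies a behavioural rule to records modelled on the Processes and Signatures sections (a rundll32 spawned by another rundll32 on the same DLL-by-ordinal, written to by its parent, and making network requests). The dump filename layout (pid-seq-start-end-kind) is inferred from the names on this page, not documented by the sandbox; the process, write and flow records are constructed from the report text and use this example's own field names.

```python
"""Consistency checks over the report above (added example, not sandbox code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Memory dumps as listed under Downloads: (path, reported size).
DUMPS = [
    ("memory/1620-54-0x0000000000000000-mapping.dmp", None),
    ("memory/1620-55-0x0000000075B61000-0x0000000075B63000-memory.dmp", "8KB"),
    ("memory/1620-56-0x0000000075120000-0x0000000075126000-memory.dmp", "24KB"),
    ("memory/1620-57-0x0000000075120000-0x0000000075164000-memory.dmp", "272KB"),
]

# Assumed layout, inferred from the names above: <pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]   # None for the "mapping" dump, which carries no end address
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

def parse_dump(path: str) -> Dump:
    m = DUMP_RE.search(path)
    if m is None:
        raise ValueError(f"unrecognised dump name: {path}")
    end = m.group("end")
    return Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16),
                None if end is None else int(end, 16), m["kind"])

def reported_bytes(text: str) -> int:
    """'272KB' -> 278528; the report only uses a KB suffix."""
    m = re.fullmatch(r"(\d+)KB", text)
    if m is None:
        raise ValueError(f"unsupported size: {text}")
    return int(m.group(1)) * 1024

def size_mismatches(dumps=DUMPS) -> list:
    """Paths whose address range disagrees with the size shown in the report."""
    return [path for path, reported in dumps
            if reported is not None and parse_dump(path).size != reported_bytes(reported)]

def grown_regions(dumps=DUMPS) -> list:
    """(base, earlier_size, later_size) where a later dump covers the same base but more
    bytes: a small stub first, then the larger image the YARA rule also matched."""
    largest, grown = {}, []
    for path, _ in dumps:
        d = parse_dump(path)
        if d.kind != "memory":
            continue
        key = (d.pid, d.start)
        if key in largest and d.size > largest[key]:
            grown.append((d.start, largest[key], d.size))
        largest[key] = max(d.size, largest.get(key, 0))
    return grown

# Behaviour records constructed from the Processes and Signatures sections.
DLL = r"C:\Users\Admin\AppData\Local\Temp\22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll"
PROCESSES = {
    1672: {"ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
           "cmdline": f"rundll32.exe {DLL},#1"},
    1620: {"ppid": 1672, "image": r"C:\Windows\SysWOW64\rundll32.exe",
           "cmdline": f"rundll32.exe {DLL},#1"},
}
CROSS_PROCESS_WRITES = [(1672, 1620)] * 7  # "PID 1672 wrote to memory of 1620", 7 rows
NETWORK_FLOWS = {1620: [3, 4, 6, 8, 10, 11, 13, 14, 16, 17, 21, 22, 24, 25, 27, 28, 29, 30]}

ORDINAL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.IGNORECASE)

def suspicious_rundll32(processes=PROCESSES, writes=CROSS_PROCESS_WRITES,
                        flows=NETWORK_FLOWS) -> list:
    """Flag a rundll32 spawned by another rundll32 loading the same DLL by ordinal,
    written to by that parent, and making network requests. Returns [(pid, evidence)]."""
    hits = []
    for pid, proc in processes.items():
        parent = processes.get(proc["ppid"])
        if parent is None:
            continue
        child_m = ORDINAL_RE.search(proc["cmdline"])
        parent_m = ORDINAL_RE.search(parent["cmdline"])
        if not (child_m and parent_m) or child_m["dll"].lower() != parent_m["dll"].lower():
            continue
        n_writes = sum(1 for src, dst in writes if (src, dst) == (proc["ppid"], pid))
        n_flows = len(flows.get(pid, []))
        if n_writes and n_flows:
            hits.append((pid, {"dll": child_m["dll"], "ordinal": int(child_m["ordinal"]),
                               "writes_from_parent": n_writes, "network_flows": n_flows,
                               "wow64_child": "syswow64" in proc["image"].lower()}))
    return hits
```

On this report `size_mismatches()` is empty (0x44000 is exactly 272KB), `grown_regions()` returns the single region at 0x75120000 growing from 0x6000 to 0x44000 bytes, and `suspicious_rundll32()` flags PID 1620 with seven parent writes and eighteen flows. The same-base, larger-later dump pair is worth keeping as a triage heuristic on its own: it is how an in-place unpack shows up in a sandbox's dump list before any family-specific rule fires.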