Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-05-2022 14:04
Static task: static1
Behavioral task: behavioral1
  Sample: 22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll
  Resource: win7-20220414-en (windows7_x64)
  0 signatures
  0 seconds
General
Target: 22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll
Size: 224KB
MD5: 27330976e897b20cce8347152eac445a
SHA1: 5827bcd96ea651b43ec0fabd84240c53ed9752bf
SHA256: 22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3
SHA512: e45be7fe6b50893e9bb26e5d7deac0a6c2df1920056f34e81a90eb5744b8a544860285fbcd9a4df5a6b18de3ecf22b5bbedcaea759967802584807ef6643ab56
Malware Config (Extracted)
Family: icedid
C2: loadberlin.casa
Signatures

IcedID First Stage Loader (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/4600-131-0x0000000074BC0000-0x0000000074BC6000-memory.dmp  IcedidFirstLoader
behavioral2/memory/4600-132-0x0000000074BC0000-0x0000000074C04000-memory.dmp  IcedidFirstLoader
Blocklisted process makes network request (14 IoCs)
Processes: rundll32.exe
flow  pid   process
58    4600  rundll32.exe
59    4600  rundll32.exe
61    4600  rundll32.exe
70    4600  rundll32.exe
74    4600  rundll32.exe
76    4600  rundll32.exe
78    4600  rundll32.exe
80    4600  rundll32.exe
82    4600  rundll32.exe
84    4600  rundll32.exe
87    4600  rundll32.exe
89    4600  rundll32.exe
91    4600  rundll32.exe
93    4600  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
description                        pid   process       target process
PID 4664 wrote to memory of 4600   4664  rundll32.exe  rundll32.exe
PID 4664 wrote to memory of 4600   4664  rundll32.exe  rundll32.exe
PID 4664 wrote to memory of 4600   4664  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\22015e9ad69ee50307e6eb4484181196070e36ab9fb46f5c8f883ffeffaa60e3.dll,#1
    - Blocklisted process makes network request