Analysis
- max time kernel: 580s
- max time network: 619s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 15-06-2022 23:50
- Static task: static1
General
- Target: 3203.dll
- Size: 807KB
- MD5: 63b610a3a9006160e270f8e7ad0db03f
- SHA1: d1dc6ab79aa4b5affcd13cc876bcc60bac9b45d4
- SHA256: a746ab385c513d0f73076ed4f83ac9e4e286ca7a8e5d6a5a4f0062026039b265
- SHA512: 0f440abc39352c077bcdc899872ddea2c0069c173d028fda5e0b790f6a8b4aba2eca0fd557c5b6e1d2e645e90a3c883bc664308886ff6c2b371ea59e6b10cd28
Malware Config (extracted)
- Family: icedid
- Campaign: 260931076
- C2: ilekvoyn.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (7 IoCs)
  Processes (flow / pid / process):
  - flow 3: 1304 rundll32.exe
  - flow 8: 1304 rundll32.exe
  - flow 9: 1304 rundll32.exe
  - flow 10: 1304 rundll32.exe
  - flow 17: 1304 rundll32.exe
  - flow 18: 1304 rundll32.exe
  - flow 19: 1304 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
  - 2172 powershell.exe
  - 2172 powershell.exe
  - 2172 powershell.exe
  - 1304 rundll32.exe
  - 1304 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 2172 / powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
  - 1304 rundll32.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 2172 wrote to memory of 4568 / 2172 / powershell.exe / cmd.exe
  - PID 2172 wrote to memory of 4568 / 2172 / powershell.exe / cmd.exe
  - PID 4568 wrote to memory of 1304 / 4568 / cmd.exe / rundll32.exe
  - PID 4568 wrote to memory of 1304 / 4568 / cmd.exe / rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3203.dll,#1
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (child of powershell.exe)
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (child of cmd.exe)
      Command line: rundll32 3203.dll,RunObject
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
Downloads
- memory/1304-171-0x0000000000000000-mapping.dmp
- memory/1304-172-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
- memory/2172-122-0x000002A7DBED0000-0x000002A7DBEF2000-memory.dmp (Filesize: 136KB)
- memory/2172-141-0x000002A7DBF40000-0x000002A7DBF7C000-memory.dmp (Filesize: 240KB)
- memory/2172-152-0x000002A7DC590000-0x000002A7DC606000-memory.dmp (Filesize: 472KB)
- memory/4568-168-0x0000000000000000-mapping.dmp