Analysis
- max time kernel: 780s
- max time network: 1581s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 20-06-2022 19:15
- static task: static1
General
- Target: NCwXdqaN.dll
- Size: 649KB
- MD5: dfbb1127fc30a15f8769085216c85709
- SHA1: a6271f1935f98209e5a6d5364f52c3eae1de00f6
- SHA256: 052d37a666116008895fa77490ae8249adb74fa9fff4c1e821aaed9dd3f2acb5
- SHA512: 9c847477be339fcec98b8e0cfc38eb8734e51516f67f791e5911c577e5e66eeac873ece047185c6ad431f01b98ba9a407e48eb428a5a9bad09ced10d679bd482
Malware Config (extracted)
- Family: icedid
- Campaign: 3400213397
- C2: coolnexoz.com
Signatures
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (13 IoCs)
  rundll32.exe, PID 3032: network flows 3, 8, 9, 10, 11, 17, 20, 21, 22, 23, 25, 26, 27
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  powershell.exe, PID 3820 (3 occurrences); rundll32.exe, PID 3032 (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  powershell.exe, PID 3820: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3820 powershell.exe wrote to memory of PID 1164 cmd.exe (2 occurrences)
  PID 1164 cmd.exe wrote to memory of PID 3032 rundll32.exe (2 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NCwXdqaN.dll,#1
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3820)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1164)
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 3032)
      command line: rundll32 NCwXdqaN.dll,#8
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
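The process tree above is the pattern a host-based detection would key on: a script-host chain (powershell.exe, then cmd.exe) ending in rundll32 loading a DLL by ordinal export (,#1 and ,#8 here) from %TEMP% or from a bare relative name. The block below is an added example, not part of this sandbox report or of any IcedID tooling: a small Python triage over process-creation events constructed to mirror the tree above. The Sysmon Event ID 1 style field names, the PIDs 4100 and 5000, the parent PIDs 800 and 900, and the benign shell32.dll control launch are assumptions.

```python
"""Triage of rundll32 ordinal-export launches in process-creation telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed to
mirror the report's process tree (powershell.exe 3820 -> cmd.exe 1164 ->
rundll32 NCwXdqaN.dll,#8 as PID 3032, plus the top-level rundll32 ...,#1 launch)
with a benign named-export control. Field names follow Sysmon Event ID 1
(Image, ParentProcessId, CommandLine); the parent PIDs 800/900 and the PIDs of
the top-level and benign launches are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# rundll32 [path\]name.dll,#N  -- export referenced by ordinal rather than by name
ORDINAL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)"?\s*,\s*#(\d+)')
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Event:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, events: list[Event]) -> list[str]:
    """Image basenames from pid up to the oldest ancestor present in the events."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def score(event: Event, events: list[Event]) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means the event is not a rundll32 ordinal launch."""
    m = ORDINAL_RE.search(event.command_line)
    if basename(event.image) != "rundll32.exe" or not m:
        return 0, []
    dll, ordinal = m.group(1), int(m.group(2))
    reasons = [f"export referenced by ordinal #{ordinal} in {dll}"]
    points = 1
    # A bare relative name or a user-writable directory points at a dropped DLL, not an installed one.
    if "\\" not in dll or any(d in dll.lower() for d in USER_WRITABLE):
        reasons.append("DLL path is relative or in a user-writable directory")
        points += 1
    chain = ancestry(event.pid, events)
    if any(parent in SCRIPT_HOSTS for parent in chain[1:]):
        reasons.append("launched under a script host: " + " <- ".join(chain))
        points += 1
    return points, reasons


def triage(events: list[Event]) -> dict[int, tuple[int, list[str]]]:
    """Map PID -> (score, reasons) for every event that scores above zero."""
    hits = {}
    for e in events:
        s, why = score(e, events)
        if s:
            hits[e.pid] = (s, why)
    return hits


SAMPLE_EVENTS = [  # constructed; modelled on the report's process tree
    Event(3820, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    Event(1164, 3820, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Event(3032, 1164, r"C:\Windows\system32\rundll32.exe", "rundll32 NCwXdqaN.dll,#8"),
    Event(4100, 900, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\NCwXdqaN.dll,#1"),
    Event(5000, 900, r"C:\Windows\system32\rundll32.exe",   # benign named export (assumed control)
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, (points, why) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"PID {pid}: score {points}")
        for line in why:
            print("   -", line)
```

Ordinal invocation on its own is weak evidence, since legitimate installers use it too, so the score only becomes interesting when it stacks with a relative or user-writable DLL path and a cmd/powershell ancestor, which is exactly the combination the report's PID 3032 shows; the top-level ,#1 launch from %TEMP% scores lower only because the sandbox, not a script host, started it.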
Network
MITRE ATT&CK Matrix
Downloads
- memory/1164-169-0x0000000000000000-mapping.dmp
- memory/3032-172-0x0000000000000000-mapping.dmp
- memory/3032-173-0x0000000180000000-0x0000000180009000-memory.dmp (36KB)
- memory/3820-121-0x000001522C5B0000-0x000001522C5D2000-memory.dmp (136KB)
- memory/3820-142-0x000001522CB60000-0x000001522CB9C000-memory.dmp (240KB)
- memory/3820-153-0x000001522CC20000-0x000001522CC96000-memory.dmp (472KB)