Analysis

  • max time kernel
    90s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2022, 08:44

General

  • Target

    67299ce0f6644ec5c4bc807f6cd5683b1755ca61f14ae4df0d34465801541e99.dll

  • Size

    102KB

  • MD5

    d6530ccbe6ba26ed6370aaa072e4dad0

  • SHA1

    16955a712ed799dc8df9e7f4b21272f3760cba39

  • SHA256

    67299ce0f6644ec5c4bc807f6cd5683b1755ca61f14ae4df0d34465801541e99

  • SHA512

    f8a67d337b4c108eddb1fd5f6a7d399b08dd3ccd0f36335ad4bc6a1b5e2293b3fe0ab3af3d50c8830b6f7ff1eb885bcbeb38b36aa200f3cc4dd8097357727a01

Malware Config

Extracted

Family

icedid

Campaign

2745070743

C2

cootembrast.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\67299ce0f6644ec5c4bc807f6cd5683b1755ca61f14ae4df0d34465801541e99.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    PID:4380
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 420 -p 4168 -ip 4168
    1⤵
      PID:888
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4168 -s 1760
      1⤵
      • Program crash
      PID:4392

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4380-130-0x0000000180000000-0x0000000180009000-memory.dmp

            Filesize

            36KB