Analysis
max time kernel: 90s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/07/2022, 20:15
Static task
static1

Behavioral task
behavioral1
Sample: file/a4lomar.dll
Resource: win7-20220718-en
0 signatures
150 seconds

Behavioral task
behavioral2
Sample: file/a4lomar.dll
Resource: win10v2004-20220721-en
0 signatures
150 seconds

Behavioral task
behavioral3
Sample: file/start.bat
Resource: win7-20220718-en
5 signatures
150 seconds
General
Target: file/start.bat
Size: 50B
MD5: 95ccdd55afd7913a178668f4474090f9
SHA1: f0d6c2fab07e4e2f85ee8527af6d288bc3c2c4e9
SHA256: a93be9c38831a9dad47aeeb1e249e40438ca55a9dcb739885d81e247d5b2634a
SHA512: e33b67eec13706ff3eb40534d6ed246551a8b56a7c19b8af2619faccca2f60dcdf6843324ad6a16dfa9bd2921d901a3d845d9128e77b9a4411ce34590dc63983
Malware Config
Extracted
Family: icedid
Campaign: 312921187
C2: explorblins.com
Signatures

suricata: ET MALWARE Win32/IcedID Request Cookie

Blocklisted process makes network request (1 IoC)
flow  pid   Process
3     1412  rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1412  rundll32.exe
1412  rundll32.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process   procid_target
PID 4556 wrote to memory of 1412   4556  cmd.exe   80
PID 4556 wrote to memory of 1412   4556  cmd.exe   80
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file\start.bat"
   PID: 4556
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe (child of PID 4556)
      Command line: rundll32.exe .\a4lomar.dll,PluginInit
      PID: 1412
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses