Analysis
-
max time kernel
259s -
max time network
293s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
15-12-2022 10:53
Static task
static1
Behavioral task
behavioral1
Sample
desktop.dll
Resource
win7-20220812-en
windows7-x64
6 signatures
300 seconds
Behavioral task
behavioral2
Sample
desktop.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
300 seconds
General
-
Target
desktop.dll
-
Size
970KB
-
MD5
ceff6af77b601a27ca158462b3951161
-
SHA1
0828a0b516ded5351bc7c8059f043901c195d4c2
-
SHA256
4a78df270fc9b84c19ddcd0896d7147ae0e4aad88613cd49b350dbd75f04ef25
-
SHA512
62720697fd8c6deb147f18681d4e6b0a95b004d05c50f981b18acb5410dd0c07bf37e27417db76a73eea64ced6adee50402caba549a8c2c3930e0ddac6123b9f
-
SSDEEP
12288:xfbX8ei68nEXe963zTnecHZ4ke7i2G1CnL180bn2ONRj1LEkuUkkSgXOcLUjqI9u:hb8e1e96Pef7k0bNRjpB4dPURaSh
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
2302411646
C2
klepdrafooip.com
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes: rundll32.exe
flow | pid | process
57 | 2436 | rundll32.exe
74 | 2436 | rundll32.exe
75 | 2436 | rundll32.exe
79 | 2436 | rundll32.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4904 | 4652 | WerFault.exe | rundll32.exe
-
Modifies registry class 1 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rundll32.exe
pid | process
2436 | rundll32.exe
2436 | rundll32.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes: cmd.exe
description | pid | process | target process
PID 1240 wrote to memory of 2436 | 1240 | cmd.exe | rundll32.exe
PID 1240 wrote to memory of 2436 | 1240 | cmd.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop.dll,#1
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4652 -s 328
    Signatures: Program crash
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 432 -p 4652 -ip 4652
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies registry class
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - \??\c:\Windows\System32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\desktop.dll,init
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses