Analysis
max time kernel: 297s
max time network: 301s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: IcedID.dll
  Resource: win7-20220812-en (windows7-x64)
  4 signatures, 300 seconds
Behavioral task: behavioral2
  Sample: IcedID.dll
  Resource: win10v2004-20220812-en (windows10-2004-x64)
  4 signatures, 300 seconds
General
Target: IcedID.dll
Size: 310KB
MD5: c15f522222532867ad56db6def0b7ab0
SHA1: 5556431bbd2fc48cb04a7e34ec037ddf5fb73de2
SHA256: fbb09d953c06b75882193e0b4916e8df7f39e5f9591dca2d621c9670a1b3c4f7
SHA512: 85c557011e006ff7145085fdd63c92cacc70d06f26d11c6e0cbe4fdfdbb88f7a8bd3a02836c322fc79e6da38a857df776290444cddb4cab9ca1faa5ab0829945
SSDEEP: 6144:bU7KTvQXacSovAunJ6dHbCVZlWXYqvEYsZN6b7UMMPr+6O3bB92o:bUOglSAJ6dHbyZlWXYqvmZ0b7Um6MB9V
Score: 10/10
Malware Config
Extracted
Family: icedid
Campaign: 1164203100
C2: blodwarstayed.com
Signatures
Blocklisted process makes network request (5 IoCs)
Processes: rundll32.exe
  flow 4  pid 1688  rundll32.exe
  flow 5  pid 1688  rundll32.exe
  flow 6  pid 1688  rundll32.exe
  flow 7  pid 1688  rundll32.exe
  flow 8  pid 1688  rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid 1688  rundll32.exe
  pid 1688  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cmd.exe
  PID 960 (cmd.exe) wrote to memory of PID 1688 (rundll32.exe)
  PID 960 (cmd.exe) wrote to memory of PID 1688 (rundll32.exe)
  PID 960 (cmd.exe) wrote to memory of PID 1688 (rundll32.exe)
Processes
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\IcedID.dll,#1
C:\Windows\system32\cmd.exe (depth 1)
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Suspicious use of WriteProcessMemory
  \??\c:\Windows\System32\rundll32.exe (depth 2)
    Command line: rundll32.exe c:\Users\Admin\AppData\Local\Temp\IcedID.dll,init
    Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/1688-54-0x0000000000000000-mapping.dmp
memory/1688-55-0x0000000180000000-0x0000000180009000-memory.dmp (Filesize: 36KB)
memory/1688-61-0x0000000000460000-0x0000000000464000-memory.dmp (Filesize: 16KB)
memory/1688-62-0x0000000000460000-0x0000000000464000-memory.dmp (Filesize: 16KB)