Analysis
- max time kernel: 268s
- max time network: 271s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 19:19
Static task: static1
Behavioral task: behavioral1
- Sample: IcedID.dll
- Resource: win7-20220812-en (windows7-x64)
- 4 signatures, 300 seconds
Behavioral task: behavioral2
- Sample: IcedID.dll
- Resource: win10v2004-20220812-en (windows10-2004-x64)
- 4 signatures, 300 seconds
General
- Target: IcedID.dll
- Size: 310KB
- MD5: c15f522222532867ad56db6def0b7ab0
- SHA1: 5556431bbd2fc48cb04a7e34ec037ddf5fb73de2
- SHA256: fbb09d953c06b75882193e0b4916e8df7f39e5f9591dca2d621c9670a1b3c4f7
- SHA512: 85c557011e006ff7145085fdd63c92cacc70d06f26d11c6e0cbe4fdfdbb88f7a8bd3a02836c322fc79e6da38a857df776290444cddb4cab9ca1faa5ab0829945
- SSDEEP: 6144:bU7KTvQXacSovAunJ6dHbCVZlWXYqvEYsZN6b7UMMPr+6O3bB92o:bUOglSAJ6dHbyZlWXYqvmZ0b7Um6MB9V
- Score: 10/10
Malware Config
Extracted
- Family: icedid
- Campaign: 1164203100
- C2: blodwarstayed.com
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  117  | 3672 | rundll32.exe
  122  | 3672 | rundll32.exe
  123  | 3672 | rundll32.exe
  124  | 3672 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
  pid  | process
  3672 | rundll32.exe
  3672 | rundll32.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
  description                      | pid  | process | target process
  PID 4868 wrote to memory of 3672 | 4868 | cmd.exe | rundll32.exe
  PID 4868 wrote to memory of 3672 | 4868 | cmd.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\IcedID.dll,#1
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  - \??\c:\Windows\System32\rundll32.exe
    rundll32.exe c:\Users\Admin\AppData\Local\Temp\IcedID.dll,init
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses