Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 16-10-2023 15:50
Static task: static1
Behavioral task: behavioral1
- Sample: 16102023_2343_de.dll
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 16102023_2343_de.dll
- Resource: win10v2004-20230915-en
General
- Target: 16102023_2343_de.dll
- Size: 792KB
- MD5: d088b2a14bf2ffd4f848da4a31ea5e1f
- SHA1: c72f3ce188f98a6fb9069df20538bb8a7f79e56f
- SHA256: 1eaa50a4f79c27f2d7cfa55949eb7c4cdc74a44a13f24a1d166c4e13f14c5af9
- SHA512: 370296217baa7429f535254ff8670d821d2f25945e550c3d1fd172208f07a954bc191d3cda09452143965f348b4459a56d1267e88b39647f795bcd9ed1f02645
- SSDEEP: 6144:GhQd+ZW/3TvUCWysU2XN92nIMkS9yjygIL1ZaquKIwsjd5vRukMi/mf+0Hlqn//0:sEv9yjpIrH6BjfEkPmt+/bYujcpZ
Malware Config
Extracted:
- icedid
- 3828440134
- aptekoagraliy.com
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Modifies registry class (5 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (explorer.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
- PID 2636 rundll32.exe (6 events)
- PID 1204 (2 events; process name not recorded)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 2620 explorer.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 2636 rundll32.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
- Token: SeShutdownPrivilege, PID 2620 explorer.exe (13 events)
Suspicious use of FindShellTrayWindow (28 IoCs)
Processes:
- PID 2620 explorer.exe (28 events)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
- PID 2620 explorer.exe (18 events)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 3004 (rundll32.exe) wrote to memory of PID 1680 (WerFault.exe), 3 events
- PID 2624 (cmd.exe) wrote to memory of PID 2636 (rundll32.exe), 3 events
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16102023_2343_de.dll,#1
  PID: 3004
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (child process)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3004 -s 100
    PID: 1680
- C:\Windows\system32\verclsid.exe
  Command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 2720
- C:\Windows\system32\cmd.exe
  Command line: "cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
  PID: 2624
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child process)
    Command line: rundll32 16102023_2343_de.dll scab /k haval462
    PID: 2636
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2620
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage