Source: ijexogdf64.dll |
Virustotal: Detection: 7% |
Perma Link |
Source: klareqvino.com |
Avira URL Cloud: Label: malware |
Source: peranistaer.top |
Virustotal: Detection: 15% |
Perma Link |
Source: klareqvino.com |
Virustotal: Detection: 12% |
Perma Link |
Source: gruvihabralo.nl |
Virustotal: Detection: 14% |
Perma Link |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852} |
Source: ijexogdf64.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: Malware configuration extractor |
URLs: peranistaer.top |
Source: Malware configuration extractor |
URLs: gruvihabralo.nl |
Source: Malware configuration extractor |
URLs: klareqvino.com |
Source: Malware configuration extractor |
URLs: ultomductingbig.pro |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown |
Source: ijexogdf64.dll |
Static PE information: No import functions for PE file found |
Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00007FFFF0316111 NtCreateSection,NtMapViewOfSection, |
3_2_00007FFFF0316111 |
Source: ijexogdf64.dll |
Virustotal: Detection: 7% |
Source: ijexogdf64.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll64.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Jump to behavior |
Source: classification engine |
Classification label: mal84.troj.winDLL@21/0@0/0 |
Source: ijexogdf64.dll |
Static PE information: Image base 0x180000000 > 0x60000000 |
Source: ijexogdf64.dll |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00007FFFF03112F6 push r10; ret |
3_2_00007FFFF0311301 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00007FFFF0313B20 push r13; ret |
3_2_00007FFFF0313BA2 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError, |
3_2_00000001800014A0 |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe TID: 5316 |
Thread sleep time: -120000s >= -30000s |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll64.exe |
Thread delayed: delay time: 120000 |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError, |
3_2_00000001800014A0 |
Source: C:\Windows\System32\rundll32.exe |
Code function: 3_2_0000000180001044 GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,lstrcpyA,lstrcpyA, |
3_2_0000000180001044 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |