IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
Detects RunDLL32.exe executing a single-digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour has often been seen in malware, and especially in IcedID.
Sigma rule
title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
status: test
description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
references:
    - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.defense-evasion
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith:
            - '\1.dll, DllRegisterServer' # In case of full path exec
            - ' 1.dll, DllRegisterServer' # In case of direct exec
    condition: selection
falsepositives:
    - Unknown
level: high
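The following is an added example, not part of the Sigma rule or the Sigma project, showing how the rule's `selection` block translates into matching logic and how it behaves on constructed process_creation events. The matcher mirrors the two `endswith` conditions (Image and CommandLine) and, like Sigma's default string matching, compares case-insensitively. The event records and the `matches_rule`/`scan_events` helpers are assumptions made here for illustration; the sample events are constructed, not real telemetry.

```python
"""Hypothetical matcher for the Sigma rule above (added example, not Sigma's own code)."""

# Suffixes lifted from the rule's `selection` block. Sigma string modifiers
# such as `endswith` are case-insensitive by default, so we lower-case both sides.
IMAGE_SUFFIX = "\\rundll32.exe"
COMMANDLINE_SUFFIXES = (
    "\\1.dll, DllRegisterServer",  # full-path execution: "...\1.dll, DllRegisterServer"
    " 1.dll, DllRegisterServer",   # direct execution: "rundll32 1.dll, DllRegisterServer"
)


def matches_rule(image: str, command_line: str) -> bool:
    """Return True if a single process_creation event satisfies the rule's selection."""
    image_l = image.lower()
    cmd_l = command_line.lower()
    if not image_l.endswith(IMAGE_SUFFIX.lower()):
        return False
    # CommandLine|endswith with a list is an OR over the listed values.
    return any(cmd_l.endswith(suffix.lower()) for suffix in COMMANDLINE_SUFFIXES)


def scan_events(events):
    """Return the subset of events the rule would fire on (the alert set)."""
    return [e for e in events if matches_rule(e["Image"], e["CommandLine"])]


# Constructed sample events (not real telemetry); field names follow the
# process_creation log source used by the rule.
SAMPLE_EVENTS = [
    # 1: full-path execution of 1.dll -> expected to match the first suffix
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\1.dll, DllRegisterServer"},
    # 2: direct execution, mixed case, 32-bit rundll32 -> expected to match the second suffix
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": "RUNDLL32 1.dll, DllRegisterServer"},
    # 3: benign rundll32 usage -> no match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # 4: different image entirely -> no match (rule is rundll32-specific)
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s 1.dll"},
    # 5: two-digit DLL name -> no match; the leading "\" or " " anchors "1.dll"
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\temp\11.dll, DllRegisterServer"},
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Events 1 and 2 are the only hits. Event 5 shows why the rule lists two suffixes rather than a bare `1.dll, DllRegisterServer`: the leading backslash or space is what makes the match specific to a single-digit file name. Because the match is an exact suffix, a detection engineer validating coverage should test the spacing and casing variants that appear in their own rundll32 telemetry, and treat the rule's `falsepositives: Unknown` as a prompt to baseline before alerting at `high`.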
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT29 2018 Phishing Campaign File Indicators
- Equation Group DLL_U Export Function Load
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Fireball Archer Install