IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
Sigma rule (View on GitHub)
1title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
2id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5
3status: experimental
4description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
5references:
6 - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
7 - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/08/31
10tags:
11 - attack.defense_evasion
12 - attack.t1218.011
13 - detection.emerging_threats
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\rundll32.exe'
20 CommandLine|endswith:
21 - '\1.dll, DllRegisterServer' # In case of full path exec
22 - ' 1.dll, DllRegisterServer' # In case of direct exec
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More
Read More -
We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved the…
Read More
Related rules
- EvilNum APT Golden Chickens Deployment Via OCX Files
- Fireball Archer Install
- ZxShell Malware
- Potential BlackByte Ransomware Activity
- Suspicious Computer Account Name Change CVE-2021-42287