Overview

overview

10

Static

static

UKah6x65xQ.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    69s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-05-2022 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    UKah6x65xQ.dll

  • Size

    714KB

  • MD5

    e83718709032469c8db41c8e7a7bec66

  • SHA1

    074ee45eb9799eae90c4fe0b77f4fbc3020b13f3

  • SHA256

    9abc520e828d8aaba25bd5ebf4b8aef2b11ca46841552339ae511f393d5c76f4

  • SHA512

    a59bdd55301b0013469e5c0bc6d81151918a9512a0a893343d45ce3ccd79a2da546a728e863cf4f0755712396d46c4015ceffdb16fb4eb0607a319b8f679cf7b

Score
10/10
icedid2576683783bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

2576683783

C2

ilekvoyn.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\UKah6x65xQ.dll,#1
    1⤵
      PID:3648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\system32\rundll32.exe
          rundll32 UKah6x65xQ.dll,PluginInit
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:4708

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4528-134-0x0000000000000000-mapping.dmp

      Download

    • memory/4708-135-0x0000000000000000-mapping.dmp

      Download

    • memory/4708-136-0x0000000180000000-0x0000000180009000-memory.dmp

      Filesize

      36KB

      Download

    • memory/5024-130-0x00000225E64A0000-0x00000225E64C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5024-131-0x00000225E94A0000-0x00000225E94E4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/5024-132-0x00000225E9570000-0x00000225E95E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5024-133-0x00007FFD518D0000-0x00007FFD52391000-memory.dmp

      Filesize

      10.8MB

      Download