Overview

overview

10

Static

static

3203.dll

windows10_x64

10

Analysis

  • max time kernel
    580s
  • max time network
    619s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    15-06-2022 23:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3203.dll

  • Size

    807KB

  • MD5

    63b610a3a9006160e270f8e7ad0db03f

  • SHA1

    d1dc6ab79aa4b5affcd13cc876bcc60bac9b45d4

  • SHA256

    a746ab385c513d0f73076ed4f83ac9e4e286ca7a8e5d6a5a4f0062026039b265

  • SHA512

    0f440abc39352c077bcdc899872ddea2c0069c173d028fda5e0b790f6a8b4aba2eca0fd557c5b6e1d2e645e90a3c883bc664308886ff6c2b371ea59e6b10cd28

Score
10/10
icedid260931076bankerloadersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

260931076

C2

ilekvoyn.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3203.dll,#1
    1⤵
      PID:2696
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4568
        • C:\Windows\system32\rundll32.exe
          rundll32 3203.dll,RunObject
          3⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:1304

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1304-171-0x0000000000000000-mapping.dmp
      Download
    • memory/1304-172-0x0000000180000000-0x0000000180009000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2172-122-0x000002A7DBED0000-0x000002A7DBEF2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2172-141-0x000002A7DBF40000-0x000002A7DBF7C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2172-152-0x000002A7DC590000-0x000002A7DC606000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4568-168-0x0000000000000000-mapping.dmp
      Download