Malware Analysis Report

2025-08-06 04:21

Sample ID 220720-z7a1hsbafk
Target inv_zippediso.zip
SHA256 89ada36edefe7e1f4be30b96a5bd2553b5deb24c256632a099f16196e6245957
Tags
icedid 901680721 banker loader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89ada36edefe7e1f4be30b96a5bd2553b5deb24c256632a099f16196e6245957

Threat Level: Known bad

The file inv_zippediso.zip was found to be: Known bad.

Malicious Activity Summary

icedid 901680721 banker loader trojan

IcedID, BokBot

Blocklisted process makes network request

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-20 21:21

Signatures

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win10v2004-20220715-en

Max time kernel

91s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js

Network

Country Destination Domain Proto
US 20.189.173.3:443 tcp
US 93.184.220.29:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
FR 2.18.109.224:443 tcp
US 104.18.25.243:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win7-20220718-en

Max time kernel

35s

Max time network

49s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk

Network

N/A

Files

memory/1120-54-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:23

Platform

win10v2004-20220715-en

Max time kernel

91s

Max time network

144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk

Network

Country Destination Domain Proto
US 8.252.117.126:80 tcp
US 20.42.73.25:443 tcp
US 8.252.117.126:80 tcp
US 8.252.117.126:80 tcp
US 8.252.117.126:80 tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win10v2004-20220414-en

Max time kernel

91s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 explorblins.com udp
NL 165.22.201.70:80 explorblins.com tcp
US 20.189.173.10:443 tcp
DE 67.24.27.254:80 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp
BE 8.238.110.126:80 tcp

Files

memory/1792-130-0x0000000180000000-0x0000000180009000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win7-20220718-en

Max time kernel

113s

Max time network

117s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f0000000002000000000010660000000100002000000019fa54adaebddab62f45ca7807c09a6c327b559b685c4281ff8de79308033325000000000e8000000002000020000000511b4d21c8049133ed253627e6dc414f24f0e7987744e8b088bfa937b8b6afbb9000000043ae257deff0e5da622f406e956150738b1703cb8a0840537d641a3e38a0e26063fac0696aab39a41b5ce7ef4349667f35f210071514520d7071c0448981464cb51ab130833a706ffa21de2eea6ddb951760e23bf3b773d851b9bcb3ed4dc8c25f4d74a6f0895e6b3ca162e752b2d7aff49f42712680adf2e2c93af371fbf3b805f34a3d8556f2e88cc5f3161eab3b1840000000459e6b1322d8e61ac0b0ba2cc86d77973687853bfad7072bdf6c0dd6851445cc12bf12df1177a7f1099ea0e6e9d4770dad8de2212043905407e9d23afb6cc1ff C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f000000000200000000001066000000010000200000005f61510929cc14945c5112266416768ecd6bc2e34fb3d121d9cdf415b4859b22000000000e8000000002000020000000d6be360c4de4745bc48d6f05591cb8624d3cf820b46d18a19e1d3f1fbcbee05920000000e12eef4fc4e50296ad3fcd82a6ebc813282a5ed7b70c0ca73b3bf2eaf372a9194000000093f7d30119a713c00fc99d1ede369272b883f7262669583ecf993c1190a1d8c7bdf535101216a7129a7edb1e441af3be3efaeb50e14ccf4281fce96c7fc137bc C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C08473F1-0882-11ED-BEB9-E6961454B536} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365124309" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c0c4978f9cd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T8IIUSTN.txt

MD5 90d8af9b3e37ff595449e4374a9d4f6e
SHA1 35a8d2603e2921e0f307236f3905c067823a0684
SHA256 1246e48d8cbbe254ee1b760e9a065da585e7ee65a4253a21eb1085317bce2179
SHA512 06fc9f0b2696f23ec14cc872d0940b982c14f358652fe96656ed46b73f544c80857b2f10f9d905f09ac5d0e03a449774b6f3c655d72e7560a92f0806789e3dd3

Analysis: behavioral8

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:25

Platform

win10v2004-20220718-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E6F705C8-0882-11ED-BCFA-4EC039F34222} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b1900000000020000000000106600000001000020000000153f60763d3e55484af4886bdd655f0ec2afaf8d9e9be7fe8346160f05208d85000000000e800000000200002000000078e8ec41e8beebdc4a81919f01ac2c5b663f34f7d513832010802e70c4b4b4d4200000005abb8644d1d4d816ece0230091e051e1f55970f79a7d9f162a1242685fb3878340000000493376de4a59cf056e325e355b8d310d502e53eb5585c744a1fc0ca9137a1a54629ee7190059a396f348f5cb45cf254cad8cb8e65c16e350c4b2ead5bbc9cda2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909f02cc8f9cd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3423355436" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2c24b2c6ed8524d8ce13139120d8b19000000000200000000001066000000010000200000007159d6b8e0478182d12023dbcc0a85aa6081998b12e44b65fbce5bebb6c9261d000000000e8000000002000020000000a6140c43dc205cfb51f119e54b24730e2748b1b6721f0a59f70134a113e50328200000007351081eece61b72e756332df0bd0264d68a56a333bb070450ef6f3a45e0a7df400000005983ed5ef54c506940f2872d5f4510995e7b478a3f68eb6c5c2949adaf21e310f3b5012867935d534c4c5ff0ddb2df3968ef4106a27f1e85adb2925a0c1bfc46 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30973071" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a08a9bc98f9cd801 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3423355436" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30973071" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365124358" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\year\new.gif

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3488 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
US 13.89.178.27:443 tcp
NL 104.110.191.165:80 tcp
NL 104.110.191.165:80 tcp
NL 104.110.191.165:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:25

Platform

win7-20220718-en

Max time kernel

38s

Max time network

46s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"

Signatures

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1744 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1744 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"

C:\Windows\system32\PING.EXE

ping google.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp

Files

memory/1612-54-0x0000000000000000-mapping.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win10v2004-20220414-en

Max time kernel

90s

Max time network

156s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"

Signatures

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5004 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\year\worker.cmd"

C:\Windows\system32\PING.EXE

ping google.com

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 52.182.143.208:443 tcp

Files

memory/4112-130-0x0000000000000000-mapping.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win7-20220715-en

Max time kernel

45s

Max time network

49s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\year\day.jpg

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\year\day.jpg

Network

N/A

Files

memory/788-54-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\year\day.jpg

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\year\day.jpg

Network

Country Destination Domain Proto
NL 20.190.160.67:443 tcp
NL 104.110.191.140:80 tcp
NL 20.190.160.8:443 tcp
IE 20.50.80.209:443 tcp
NL 20.190.160.2:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 178.79.208.1:80 tcp
NL 20.190.160.136:443 tcp
US 93.184.220.29:80 tcp
NL 20.190.160.73:443 tcp
NL 20.190.160.71:443 tcp
NL 20.190.160.132:443 tcp
NL 20.190.160.4:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win7-20220715-en

Max time kernel

38s

Max time network

42s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\year\make.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 explorblins.com udp
NL 165.22.201.70:80 explorblins.com tcp

Files

memory/1656-54-0x0000000180000000-0x0000000180009000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2022-07-20 21:21

Reported

2022-07-20 21:24

Platform

win7-20220715-en

Max time kernel

44s

Max time network

49s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\year\worker.js

Network

N/A

Files

N/A