Analysis Overview
SHA256
63e579485ebaa74d5524db51abb1e6ca3e64f62bfcde64f5c5acc06e14cd6a87
Threat Level: Known bad
The file Files Extracted from ISO.zip was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Blocklisted process makes network request
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-21 19:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-21 19:54
Reported
2022-07-21 19:57
Platform
win10v2004-20220721-en
Max time kernel
60s
Max time network
81s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\a4lomar.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 20.189.173.3:443 | tcp | |
| US | 8.253.135.120:80 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-21 19:54
Reported
2022-07-21 19:57
Platform
win10v2004-20220721-en
Max time kernel
97s
Max time network
100s
Command Line
Signatures
IcedID, BokBot
suricata: ET MALWARE Win32/IcedID Request Cookie
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2160 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 2160 wrote to memory of 1520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 1520 wrote to memory of 2136 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1520 wrote to memory of 2136 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\documents.lnk"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start rundll32.exe a4lomar.dll, PluginInit
C:\Windows\system32\rundll32.exe
rundll32.exe a4lomar.dll, PluginInit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | explorblins.com | udp |
| NL | 165.22.201.70:80 | explorblins.com | tcp |
| FR | 40.79.141.152:443 | tcp | |
| BE | 67.27.153.126:80 | tcp | |
| FR | 2.18.109.224:443 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
memory/1520-130-0x0000000000000000-mapping.dmp
memory/2136-131-0x0000000000000000-mapping.dmp
memory/2136-132-0x0000000180000000-0x0000000180009000-memory.dmp