Malware Analysis Report

2025-08-06 04:16

Sample ID 220721-ymz88saccj
Target Files Extracted from ISO.zip
SHA256 63e579485ebaa74d5524db51abb1e6ca3e64f62bfcde64f5c5acc06e14cd6a87
Tags
icedid 312921187 banker loader suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63e579485ebaa74d5524db51abb1e6ca3e64f62bfcde64f5c5acc06e14cd6a87

Threat Level: Known bad

The file "Files Extracted from ISO.zip" was found to be: Known bad.

Malicious Activity Summary

icedid 312921187 banker loader suricata trojan

IcedID, BokBot

suricata: ET MALWARE Win32/IcedID Request Cookie

Blocklisted process makes network request

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-21 19:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-21 19:54

Reported

2022-07-21 19:57

Platform

win10v2004-20220721-en

Max time kernel

60s

Max time network

81s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\a4lomar.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\a4lomar.dll",#1

Network

Country  Destination          Domain  Proto
US       93.184.221.240:80    N/A     tcp
US       20.189.173.3:443     N/A     tcp
US       8.253.135.120:80     N/A     tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-21 19:54

Reported

2022-07-21 19:57

Platform

win10v2004-20220721-en

Max time kernel

97s

Max time network

100s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\documents.lnk"

Signatures

IcedID, BokBot

trojan banker icedid

suricata: ET MALWARE Win32/IcedID Request Cookie

suricata

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Checks computer location settings

Description        Indicator                                                                                                   Process                       Target
Key value queried  \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\cmd.exe  N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                       Target
PID 2160 wrote to memory of 1520  N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 2160 wrote to memory of 1520  N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 1520 wrote to memory of 2136  N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\rundll32.exe
PID 1520 wrote to memory of 2136  N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Files Extracted from ISO\documents.lnk"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start rundll32.exe a4lomar.dll, PluginInit

C:\Windows\system32\rundll32.exe

rundll32.exe a4lomar.dll, PluginInit

Network

Country  Destination          Domain           Proto
US       8.8.8.8:53           explorblins.com  udp
NL       165.22.201.70:80     explorblins.com  tcp
FR       40.79.141.152:443    N/A              tcp
BE       67.27.153.126:80     N/A              tcp
FR       2.18.109.224:443     N/A              tcp
US       93.184.220.29:80     N/A              tcp

Files

memory/1520-130-0x0000000000000000-mapping.dmp

memory/2136-131-0x0000000000000000-mapping.dmp

memory/2136-132-0x0000000180000000-0x0000000180009000-memory.dmp