Malware Analysis Report

2025-06-16 04:05

Sample ID 221219-1dpggsbc7w
Target 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
SHA256 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
Tags icedid 2944922576 banker loader trojan
Score 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf

Threat Level: Known bad

The file 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf was found to be: Known bad.

Malicious Activity Summary

icedid 2944922576 banker loader trojan

IcedID, BokBot

Blocklisted process makes network request

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2022-12-19 21:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-12-19 21:32
Reported 2022-12-19 21:35
Platform win7-20220812-en
Max time kernel 123s
Max time network 89s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf

Signatures

Suspicious use of AdjustPrivilegeToken

Description                        Indicator  Process                            Target
Token: SeRestorePrivilege          N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: 35                          N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: SeSecurityPrivilege         N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: SeSecurityPrivilege         N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: 33                          N/A        C:\Windows\system32\AUDIODG.EXE    N/A
Token: SeIncBasePriorityPrivilege  N/A        C:\Windows\system32\AUDIODG.EXE    N/A
Token: 33                          N/A        C:\Windows\system32\AUDIODG.EXE    N/A
Token: SeIncBasePriorityPrivilege  N/A        C:\Windows\system32\AUDIODG.EXE    N/A
Token: SeRestorePrivilege          N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: 35                          N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: SeSecurityPrivilege         N/A        C:\Program Files\7-Zip\7zG.exe     N/A
Token: SeSecurityPrivilege         N/A        C:\Program Files\7-Zip\7zG.exe     N/A

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                          Target
N/A          N/A        C:\Program Files\7-Zip\7zG.exe   N/A
N/A          N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf

C:\Windows\system32\verclsid.exe

"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap11079:208:7zEvent18263

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x580

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap8915:208:7zEvent749

Network

N/A

Files

memory/1348-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-12-19 21:32
Reported 2022-12-19 21:34
Platform win10v2004-20221111-en
Max time kernel 125s
Max time network 149s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\System32\rundll32.exe  N/A
N/A          N/A        C:\Windows\System32\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\System32\rundll32.exe  N/A
N/A          N/A        C:\Windows\System32\rundll32.exe  N/A

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                          Target
N/A          N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Suspicious use of AdjustPrivilegeToken

Description                 Indicator  Process                          Target
Token: SeRestorePrivilege   N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: 35                   N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeRestorePrivilege   N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: 35                   N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege  N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                          Target
N/A          N/A        C:\Program Files\7-Zip\7zG.exe   N/A
N/A          N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap11716:186:7zEvent22360

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap26389:186:7zEvent12942

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" \corBAA.dat,init

Network

Country  Destination         Domain                                                 Proto
N/A      13.107.21.200:443                                                          tcp
N/A      8.8.8.8:53          a-ring-fallback.msedge.net                             udp
N/A      131.253.33.254:443  a-ring-fallback.msedge.net                             tcp
N/A      8.8.8.8:53          96ecfd20c50eade14992c53a19261335.nrb.footprintdns.com  udp
N/A      40.99.170.2:443     96ecfd20c50eade14992c53a19261335.nrb.footprintdns.com  tcp
N/A      67.27.153.254:80                                                           tcp
N/A      104.80.225.205:443                                                         tcp
N/A      67.27.153.254:80                                                           tcp
N/A      8.8.8.8:53          trbiriumpa.com                                         udp
N/A      143.198.92.88:80    trbiriumpa.com                                         tcp
N/A      143.198.92.88:80    trbiriumpa.com                                         tcp

Files

memory/1808-132-0x0000000180000000-0x0000000180009000-memory.dmp