Analysis Overview
SHA256
65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
Threat Level: Known bad
The file 65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-12-19 21:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-19 21:32
Reported
2022-12-19 21:35
Platform
win7-20220812-en
Max time kernel
123s
Max time network
89s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap11079:208:7zEvent18263
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x580
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap8915:208:7zEvent749
Network
Files
memory/1348-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-19 21:32
Reported
2022-12-19 21:34
Platform
win10v2004-20221111-en
Max time kernel
125s
Max time network
149s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap11716:186:7zEvent22360
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\65e509ba0ec10d28c4183dbb7910374e4ec664bdd276e37d9c0ca2ce479772bf\" -spe -an -ai#7zMap26389:186:7zEvent12942
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" \corBAA.dat,init
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 13.107.21.200:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | a-ring-fallback.msedge.net | udp |
| N/A | 131.253.33.254:443 | a-ring-fallback.msedge.net | tcp |
| N/A | 8.8.8.8:53 | 96ecfd20c50eade14992c53a19261335.nrb.footprintdns.com | udp |
| N/A | 40.99.170.2:443 | 96ecfd20c50eade14992c53a19261335.nrb.footprintdns.com | tcp |
| N/A | 67.27.153.254:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 67.27.153.254:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | trbiriumpa.com | udp |
| N/A | 143.198.92.88:80 | trbiriumpa.com | tcp |
| N/A | 143.198.92.88:80 | trbiriumpa.com | tcp |
Files
memory/1808-132-0x0000000180000000-0x0000000180009000-memory.dmp