Overview

overview

10

Static

static

overcontrolling.dll

windows7-x64

10

overcontrolling.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2022 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    overcontrolling.dll

  • Size

    1.6MB

  • MD5

    1795382b21fad93fe3fe3d75ef40a67d

  • SHA1

    7a6fa8a71a68e3226b6cad24cd3eff4767111e58

  • SHA256

    97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b

  • SHA512

    189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

  • SSDEEP

    24576:XmJTd0nVi/Md3bupZkKBhWPRIlq5YZ6a2CXH7oZgKGc+erWJUVWyubuapwNDlaTI:XmJTd4iMwXH7oZgKb++BVL4B+NITgr0Y

Score
10/10
icedid3114391984bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

3114391984

C2

estrabornhot.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 1 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\overcontrolling.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1664 -s 136
      2⤵
      • Program crash
      PID:1972
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1928
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x140
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1644
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
        2⤵
          PID:1076
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:1224
      • C:\Windows\system32\verclsid.exe
        "C:\Windows\system32\verclsid.exe" /S /C {9E175B8B-F52A-11D8-B9A5-505054503030} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
        1⤵
          PID:1984
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Windows\system32\rundll32.exe
            rundll32 overcontrolling.dll init
            2⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            PID:1744

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1076-94-0x0000000000000000-mapping.dmp
          Download
        • memory/1224-95-0x0000000000000000-mapping.dmp
          Download
        • memory/1528-56-0x0000000001660000-0x0000000001670000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1528-72-0x0000000001760000-0x0000000001770000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1528-88-0x00000000011B0000-0x00000000011B8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1528-91-0x00000000011B0000-0x00000000011B8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1528-92-0x0000000002B90000-0x0000000002B98000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1644-93-0x0000000000000000-mapping.dmp
          Download
        • memory/1744-97-0x0000000000000000-mapping.dmp
          Download
        • memory/1744-98-0x0000000000120000-0x0000000000129000-memory.dmp
          Filesize

          36KB

          Download
        • memory/1928-55-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1972-54-0x0000000000000000-mapping.dmp
          Download