Malware Analysis Report

2025-06-16 04:03

Sample ID 221221-aldrvabd34
Target $RTKOW1B.zip
SHA256 aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40
Tags icedid 3114391984 banker loader trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

aeaec6ca7cfc629df46779db6f5b92da8a532bd3baf21570ea76e9f9f5becd40

Threat Level: Known bad

The file $RTKOW1B.zip was found to be: Known bad.

Malicious Activity Summary

icedid 3114391984 banker loader trojan

IcedID, BokBot

Blocklisted process makes network request

Loads dropped DLL

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-12-21 00:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted        2022-12-21 00:17
Reported         2022-12-21 00:23
Platform         win7-20221111-en
Max time kernel  315s
Max time network 319s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Loads dropped DLL

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Enumerates physical storage devices

Modifies registry class

Description  Indicator                                                                            Process                           Target
Key created  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings  C:\Windows\system32\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                        Indicator  Process                          Target
Token: 33                          N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: SeIncBasePriorityPrivilege  N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: 33                          N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: SeIncBasePriorityPrivilege  N/A        C:\Windows\system32\AUDIODG.EXE  N/A
Token: SeRestorePrivilege          N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: 35                          N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege         N/A        C:\Program Files\7-Zip\7zG.exe   N/A
Token: SeSecurityPrivilege         N/A        C:\Program Files\7-Zip\7zG.exe   N/A

Suspicious use of FindShellTrayWindow

Description  Indicator  Process                         Target
N/A          N/A        C:\Program Files\7-Zip\7zG.exe  N/A

Processes

C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x57c

C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso"

C:\Windows\System32\isoburn.exe
  "C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_$RTKOW1B.zip\IRS_form_15-12-2022_20-21-50.iso"

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\" -ad -an -ai#7zMap20643:136:7zEvent20319

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c hidmargoto\weebanpeaS.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9

C:\Windows\system32\xcopy.exe
  xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp,init

C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd" "

C:\Windows\system32\xcopy.exe
  xcopy /s /i /e /h hidmargoto\overcontrolling.tmp C:\Users\Admin\AppData\Local\Temp\*

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp

C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7

C:\Windows\system32\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp init

Network

Country  Destination        Domain            Proto
N/A      8.8.8.8:53         estrabornhot.com  udp
N/A      143.198.92.88:80   estrabornhot.com  tcp
N/A      143.198.92.88:80   estrabornhot.com  tcp
N/A      143.198.92.88:80   estrabornhot.com  tcp
N/A      143.198.92.88:80   estrabornhot.com  tcp
N/A      143.198.92.88:80   estrabornhot.com  tcp

Files

memory/960-54-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\weebanpeaS.cmd
  MD5     9f19dd31900efd76299b3664eda0cd3a
  SHA1    028b44165c9995cae1035e06bb2d15027add44f8
  SHA256  43de56afb31f13399acd2e7e36d93e06349bdc364b83f3f76497b28bfcc9f21f
  SHA512  9e954a644a77dc08c81c9651fa37b32e24009dd961eefc02f224527dc4174feae67cac02532160b946547f9053b167e581946f336966f201ad263f10accbb29f

memory/1544-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\$RTKOW1B\IRS_form_15-12-2022_20-21-50\hidmargoto\overcontrolling.tmp
  MD5     1795382b21fad93fe3fe3d75ef40a67d
  SHA1    7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256  97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512  189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

memory/876-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
  MD5     1795382b21fad93fe3fe3d75ef40a67d
  SHA1    7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256  97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512  189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
  MD5     1795382b21fad93fe3fe3d75ef40a67d
  SHA1    7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256  97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512  189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

memory/876-64-0x0000000000390000-0x0000000000399000-memory.dmp

memory/1592-70-0x0000000000000000-mapping.dmp

memory/984-72-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\overcontrolling.tmp
  MD5     1795382b21fad93fe3fe3d75ef40a67d
  SHA1    7a6fa8a71a68e3226b6cad24cd3eff4767111e58
  SHA256  97593b69833226ed1488e6914351418018094dcedbab0984eae4648e12d8b26b
  SHA512  189ba19e3cbf8ca0dc02524e4d73eb53bb7408c9e451061373f797603a2ccd80d4de41756e0e896a29124d700f184279b2403a130eca0b1389f3d2aee5bad74f

Analysis: behavioral2

Detonation Overview

Submitted        2022-12-21 00:17
Reported         2022-12-21 00:20
Platform         win10v2004-20221111-en
Max time kernel  61s
Max time network 136s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\$RTKOW1B.zip

Network

Country  Destination         Domain  Proto
N/A      72.21.81.240:80             tcp
N/A      104.80.225.205:443          tcp
N/A      72.21.81.240:80             tcp
N/A      72.21.81.240:80             tcp

Files

N/A