Malware Analysis Report

2024-10-18 23:50

Sample ID 231012-s59yhabf64
Target 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.exe
SHA256 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
Tags
icedid 361893872 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca

Threat Level: Known bad

The file 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.exe was found to be: Known bad. Although the submitted file carries an .exe extension, both detonations execute it as a DLL (regsvr32 /s <sample>.dll). On Windows 7 and Windows 10 alike the chain is the same: regsvr32 spawns cmd.exe, which runs rundll32 on a second-stage DLL written under the user's AppData directory (SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 in both runs, under different file names and directories); rundll32 then creates a CLSID under the user's Classes hive, the Task Scheduler COM API is used for persistence, and the process connects to the domains listed in the Network sections.

Malicious Activity Summary

icedid 361893872 banker trojan

IcedID, BokBot

Blocklisted process makes network request

Loads dropped DLL

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 15:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 15:43

Reported

2023-10-16 10:48

Platform

win7-20230831-en

Max time kernel

136s

Max time network

139s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (5 events)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 events)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\CLSID\{4254E45A-C9C2-6B17-47CD-F8DEB2E81452} C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\CLSID\{4254E45A-C9C2-6B17-47CD-F8DEB2E81452}\ = [value elided in source] C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 2728 N/A C:\Windows\system32\regsvr32.exe C:\Windows\System32\cmd.exe (3 events)
PID 2728 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe (3 events)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 jkbarmossen.com udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 evinakortu.com udp
BG 94.232.46.27:443 evinakortu.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
US 8.8.8.8:53 skrechelres.com udp
US 8.8.8.8:53 jerryposter.com udp
RU 77.105.140.181:443 jerryposter.com tcp

Files

memory/2304-1-0x00000000001A0000-0x00000000001AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5F03.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2304-19-0x00000000001A0000-0x00000000001AD000-memory.dmp

\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2616-26-0x0000000000190000-0x00000000001DF000-memory.dmp

memory/2616-27-0x0000000001B80000-0x0000000001BCC000-memory.dmp

memory/2616-32-0x0000000001B80000-0x0000000001BCC000-memory.dmp

memory/2616-33-0x0000000001B80000-0x0000000001BCC000-memory.dmp

memory/2616-34-0x0000000000190000-0x00000000001DF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e13e718fa34cf1f2c710e3c08f1d0f41
SHA1 f28d593e021002256e42504050059b527d50569e
SHA256 8552345cc90be38ec80c5f5147657afa1493df2f625dab7645e7bc0c4e36947f
SHA512 e88558513ddd972bf6ea828b1ea8ed7912c02c262f8e0320650c264eb24e84537dfcdadcac22722f2ba705c75b3f6986d93eda981c3709807b4b5759385a45b8

C:\Users\Admin\AppData\Local\Temp\Tar3959.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2616-54-0x0000000001B80000-0x0000000001BCC000-memory.dmp

memory/2616-55-0x0000000001B80000-0x0000000001BCC000-memory.dmp

memory/2616-57-0x0000000001B80000-0x0000000001BCC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 15:43

Reported

2023-10-16 10:47

Platform

win10v2004-20230915-en

Max time kernel

137s

Max time network

147s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (2 events)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{2E57A065-100F-0007-0263-61A4BB5FA8DB} C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{2E57A065-100F-0007-0263-61A4BB5FA8DB}\ = [value elided in source] C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A (2 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 924 wrote to memory of 4228 N/A C:\Windows\system32\regsvr32.exe C:\Windows\System32\cmd.exe (2 events)
PID 4228 wrote to memory of 1976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe (2 events)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\{158344D4-4711-DB0F-8C92-028C42F35172}\Zadoxuacut.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Admin\{158344D4-4711-DB0F-8C92-028C42F35172}\Zadoxuacut.dll,#1
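The Processes sections of both detonations show the same three-step loader chain: regsvr32 /s on the sample DLL in Temp, cmd.exe used only as a wrapper, and rundll32 loading a dropped DLL from an AppData path by export ordinal (",#1"). The following detection logic, added here as an example and not taken from the sandbox or the sample, walks process-creation events and reports that ancestry. The event schema (pid/ppid/image/cmdline) is an assumption modelled on Sysmon EventID 1; the PIDs and command lines of the chain are copied from behavioral1, while the explorer.exe parent and the benign rows are constructed.

```python
"""Detect the regsvr32 /s <Temp>\<sample>.dll -> cmd.exe /C rundll32 ... -> rundll32.exe
<AppData>\...\<dropped>.dll,#1 chain seen in both detonations.

Added example for this report, not sandbox or sample code. Event schema is an
assumption (Sysmon EventID 1 style); chain PIDs and command lines come from behavioral1.
"""
import re

SAMPLE_EVENTS = [
    # Constructed parent for the chain (not in the report).
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # PIDs 2304 -> 2728 -> 2616 and their command lines are taken from behavioral1.
    {"pid": 2304, "ppid": 1200, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll"},
    {"pid": 2728, "ppid": 2304, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll,#1'},
    {"pid": 2616, "ppid": 2728, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll,#1"},
    # Constructed benign rows: a normal rundll32 from explorer and a regsvr32
    # registering a vendor DLL from Program Files. Neither must match.
    {"pid": 3100, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 3200, "ppid": 1200, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
]

# Silent registration of a DLL sitting in the user's Temp directory.
RE_REGSVR32_TEMP = re.compile(
    r"regsvr32(?:\.exe)?\s+/s\s+.*\\AppData\\Local\\Temp\\.*\.dll", re.I)
# cmd.exe used purely as a wrapper to launch rundll32.
RE_CMD_WRAPPER = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+rundll32', re.I)
# rundll32 loading a DLL from a user-writable AppData path by export ordinal (",#1").
RE_RUNDLL32_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>[^\s"]*\\AppData\\[^\s"]+\.dll),#\d+', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_rundll32(events):
    """Low-confidence hits: any rundll32 calling an AppData DLL by ordinal."""
    return [e["pid"] for e in events
            if _basename(e["image"]) == "rundll32.exe"
            and RE_RUNDLL32_ORDINAL.search(e["cmdline"])]


def find_loader_chains(events):
    """High-confidence hits: rundll32 whose parent is a cmd.exe wrapper and whose
    grandparent is regsvr32 /s on a DLL in Temp. Returns one record per chain."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for ev in events:
        if _basename(ev["image"]) != "rundll32.exe":
            continue
        m = RE_RUNDLL32_ORDINAL.search(ev["cmdline"])
        if not m:
            continue
        parent = by_pid.get(ev["ppid"])
        if not parent or _basename(parent["image"]) != "cmd.exe" \
                or not RE_CMD_WRAPPER.search(parent["cmdline"]):
            continue
        grandparent = by_pid.get(parent["ppid"])
        if not grandparent or _basename(grandparent["image"]) != "regsvr32.exe" \
                or not RE_REGSVR32_TEMP.search(grandparent["cmdline"]):
            continue
        chains.append({
            "regsvr32_pid": grandparent["pid"],
            "cmd_pid": parent["pid"],
            "rundll32_pid": ev["pid"],
            "dropped_dll": m.group("dll"),
        })
    return chains


if __name__ == "__main__":
    print("rundll32 with AppData DLL by ordinal:", suspicious_rundll32(SAMPLE_EVENTS))
    for chain in find_loader_chains(SAMPLE_EVENTS):
        print("loader chain:", chain)
```

The low-confidence check alone would also fire on the Windows 10 run, where the dropped DLL lives under AppData\Local\Admin\{GUID}\; the ancestry check is what separates this chain from a benign rundll32 launched by explorer or from a legitimate regsvr32 registration from Program Files. Because the report shows cmd.exe as a pure pass-through, a detector keyed on rundll32's immediate parent being cmd.exe is enough; if the PID map is built from a long log, remember that PIDs are reused and the events should be bucketed by time as well.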

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
RU 77.105.142.135:443 skrechelres.com tcp
US 8.8.8.8:53 135.142.105.77.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
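The Network tables of both detonations mix three kinds of rows: UDP queries to the sandbox resolver (8.8.8.8:53), reverse lookups for *.in-addr.arpa names, and TCP connections to the resolved hosts. Only the last kind is an actual contact; a domain that appears only in resolver rows (skrechelres.com in behavioral1) was resolved but never connected to. The script below, added here as an example and not part of the report or the sandbox, parses that flattened table format, applies this split and produces a defanged blocklist. The embedded table is constructed from the behavioral1 rows plus two reverse-lookup rows taken from behavioral2; the resolver address is assumed to be the sandbox's, not the sample's.

```python
"""Parse the report's 'Country Destination Domain Proto' rows into an IOC summary.

Added example for this report, not sandbox code. The table below is constructed
from the behavioral1 Network rows plus two in-addr.arpa rows from behavioral2.
"""
import re

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
US 8.8.8.8:53 jkbarmossen.com udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 evinakortu.com udp
BG 94.232.46.27:443 evinakortu.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
US 8.8.8.8:53 skrechelres.com udp
US 8.8.8.8:53 jerryposter.com udp
RU 77.105.140.181:443 jerryposter.com tcp
"""

RE_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

# Assumed: the sandbox forwards the guest's DNS to Google's resolver.
SANDBOX_RESOLVER = ("8.8.8.8", 53)


def parse_network_table(text):
    """One dict per data row; the header row and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = RE_ROW.match(line)
        if not m:
            raise ValueError("unparsed network row: %r" % line)
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def classify(rows, resolver=SANDBOX_RESOLVER):
    """Split rows into real contacts, resolve-only domains and reverse-lookup noise."""
    contacted = {}      # domain -> set of (ip, port, country)
    resolved = set()    # domains the sample asked the resolver for
    reverse_lookups = 0
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            reverse_lookups += 1
            continue
        if (r["ip"], r["port"]) == resolver and r["proto"] == "udp":
            resolved.add(r["domain"])
            continue
        contacted.setdefault(r["domain"], set()).add((r["ip"], r["port"], r["cc"]))
    return {
        "contacted": {d: sorted(v) for d, v in contacted.items()},
        "dns_only": sorted(resolved - set(contacted)),
        "reverse_lookups": reverse_lookups,
    }


def defang(indicator):
    return indicator.replace(".", "[.]")


def blocklist(summary):
    """Defanged domains (contacted or merely resolved) and contacted IPs, deduplicated."""
    items = set(summary["dns_only"]) | set(summary["contacted"])
    for endpoints in summary["contacted"].values():
        items.update(ip for ip, _port, _cc in endpoints)
    return sorted(defang(i) for i in items)


if __name__ == "__main__":
    summary = classify(parse_network_table(NETWORK_TABLE))
    for domain, endpoints in sorted(summary["contacted"].items()):
        print(domain, endpoints)
    print("resolved but never contacted:", summary["dns_only"])
    print("reverse lookups ignored:", summary["reverse_lookups"])
    print("blocklist:", blocklist(summary))
```

Keeping the resolve-only domains in the blocklist is deliberate: in behavioral2 skrechelres.com was contacted on 77.105.142.135:443, so a domain that was dead during one detonation can be live during another. The IPs differ between runs for the same domain as well (jerryposter.com and skrechelres.com both sit in 77.105.140.0/22 and 77.105.142.0/24 here), so domain-based blocking is the more durable indicator.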

Files

memory/924-1-0x00000000027C0000-0x00000000027CD000-memory.dmp

memory/924-5-0x00000000027C0000-0x00000000027CD000-memory.dmp

C:\Users\Admin\AppData\Local\Admin\{158344D4-4711-DB0F-8C92-028C42F35172}\Zadoxuacut.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/1976-9-0x0000017D0DFE0000-0x0000017D0E02F000-memory.dmp

memory/1976-10-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp

memory/1976-15-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp

memory/1976-16-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp

memory/1976-17-0x0000017D0DFE0000-0x0000017D0E02F000-memory.dmp

memory/1976-19-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp

memory/1976-20-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp

memory/1976-22-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp