Resubmissions

16-10-2023 15:50

231016-s931rahh31 10

16-10-2023 15:44

231016-s6gy4sbf37 1

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2023 15:50

General

  • Target

    16102023_2343_de.dll

  • Size

    792KB

  • MD5

    d088b2a14bf2ffd4f848da4a31ea5e1f

  • SHA1

    c72f3ce188f98a6fb9069df20538bb8a7f79e56f

  • SHA256

    1eaa50a4f79c27f2d7cfa55949eb7c4cdc74a44a13f24a1d166c4e13f14c5af9

  • SHA512

    370296217baa7429f535254ff8670d821d2f25945e550c3d1fd172208f07a954bc191d3cda09452143965f348b4459a56d1267e88b39647f795bcd9ed1f02645

  • SSDEEP

    6144:GhQd+ZW/3TvUCWysU2XN92nIMkS9yjygIL1ZaquKIwsjd5vRukMi/mf+0Hlqn//0:sEv9yjpIrH6BjfEkPmt+/bYujcpZ

Malware Config

Extracted

Family

icedid

Campaign

3828440134

C2

aptekoagraliy.com

Signatures

  • IcedID, BokBot

IcedID (also tracked as BokBot) is a modular banking trojan that steals credentials and is widely used as a loader for follow-on payloads.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times; this is a common persistence mechanism (ATT&CK T1053.005, Scheduled Task).

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\16102023_2343_de.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3004 -s 100
      2⤵
      PID:1680
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
    1⤵
    PID:2720
  • C:\Windows\system32\cmd.exe
    "cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\system32\rundll32.exe
      rundll32 16102023_2343_de.dll scab /k haval462
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2636
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2620
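Two things in the tree above are worth reading together: `WerFault.exe -u -p 3004` is Windows Error Reporting handling a fault in the first rundll32 instance (the call by ordinal `#1`), while the second invocation through the named export `scab` with `/k haval462`, launched from a `cmd.exe` whose working directory was pushed into `%TEMP%`, is the instance that carries the behavioural signatures (EnumeratesProcesses, MapViewOfSection). The following is an added example, not part of the sandbox report or of the sample: hunting rules for that rundll32 pattern, run over process events constructed from the report's own command lines. The event schema (`pid`, `ppid`, `image`, `cmdline`) and the rule wording are assumptions for illustration, not a real log format.

```python
"""Added example (not from the report): process-tree hunting rules for the
rundll32 pattern above, run over events constructed from the report's own
command lines. Schema (pid, ppid, image, cmdline) is assumed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for tree roots (depth 1 in the report)
    image: str
    cmdline: str


# Constructed from the report's process tree; parent links follow its nesting.
EVENTS = [
    ProcEvent(3004, None, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\16102023_2343_de.dll,#1"),
    ProcEvent(1680, 3004, r"C:\Windows\system32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 3004 -s 100"),
    ProcEvent(2720, None, r"C:\Windows\system32\verclsid.exe",
              r'"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} '
              r'/I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401'),
    ProcEvent(2624, None, r"C:\Windows\system32\cmd.exe",
              r'"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"'),
    ProcEvent(2636, 2624, r"C:\Windows\system32\rundll32.exe",
              r"rundll32 16102023_2343_de.dll scab /k haval462"),
    ProcEvent(2620, None, r"C:\Windows\explorer.exe", r"explorer.exe"),
]

# rundll32 <dll>,<export-or-#ordinal>   or   rundll32 <dll> <export> [args...]
RUNDLL32_CMD = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^\s",]+)"?'
    r'(?:,(?P<ordinal>\S+)|\s+(?P<export>\S+))?(?P<rest>.*)$', re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
CMD_PUSHD_TEMP = re.compile(r'/k\s+pushd\s+"?[^"]*\\Temp\b', re.I)
WER_PID = re.compile(r"-p\s+(\d+)")


def _is(image: str, name: str) -> bool:
    return image.lower().endswith("\\" + name)


def check_rundll32(ev: ProcEvent) -> List[str]:
    """Rules for a single rundll32 command line; returns human-readable hits."""
    hits: List[str] = []
    if not _is(ev.image, "rundll32.exe"):
        return hits
    m = RUNDLL32_CMD.match(ev.cmdline.strip())
    if not m:
        return hits
    dll = m.group("dll")
    entry = m.group("ordinal") or m.group("export")
    if USER_TEMP.search(dll):
        hits.append("dll loaded from user Temp directory")
    if "\\" not in dll:
        hits.append("dll given as relative path (resolved against cwd)")
    if entry and entry.startswith("#"):
        hits.append("export called by ordinal")
    elif entry and m.group("rest").strip():
        hits.append(f"named export '{entry}' called with extra arguments")
    return hits


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Correlate across the tree: WER report for a rundll32 pid, cmd /k pushd
    into Temp, and rundll32 children of cmd.exe. Returns hits keyed by pid."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = check_rundll32(ev)
        parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
        if _is(ev.image, "werfault.exe"):
            m = WER_PID.search(ev.cmdline)
            target = by_pid.get(int(m.group(1))) if m else None
            if target and _is(target.image, "rundll32.exe"):
                hits.append(f"WER fault report for rundll32 pid {target.pid}")
        if _is(ev.image, "cmd.exe") and CMD_PUSHD_TEMP.search(ev.cmdline):
            hits.append("cmd.exe /k pushd into Temp (sets cwd for relative dll load)")
        if parent and _is(parent.image, "cmd.exe") and _is(ev.image, "rundll32.exe"):
            hits.append(f"rundll32 spawned by cmd.exe pid {parent.pid}")
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in sorted(analyze(EVENTS).items()):
        print(pid, "->", "; ".join(hits))
```

The verclsid.exe and explorer.exe events produce no hits on purpose: a rule set that fires on every shell-extension verification or on the desktop process would be pure noise, so the rules key on the rundll32 invocation details (user-writable source directory, relative path, ordinal entry, extra arguments to a named export) and on the cmd/WER relationships around it.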

Network

MITRE ATT&CK Enterprise v15

Downloads

• memory/1204-1-0x0000000076E02000-0x0000000076E03000-memory.dmp

  Filesize

  4KB

• memory/1204-2-0x0000000180000000-0x0000000180009000-memory.dmp

  Filesize

  36KB

• memory/1204-9-0x0000000180000000-0x0000000180009000-memory.dmp

  Filesize

  36KB

• memory/1204-10-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

  Filesize

  4KB

• memory/2620-11-0x00000000040C0000-0x00000000040C1000-memory.dmp

  Filesize

  4KB

• memory/2620-12-0x00000000040C0000-0x00000000040C1000-memory.dmp

  Filesize

  4KB

• memory/2636-0-0x0000000000120000-0x0000000000124000-memory.dmp

  Filesize

  16KB
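The dump names encode the PID, a dump index and the virtual address range of the region (`memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp`), so the listed Filesize can be checked against the range before any dump is opened. The following is an added example, not part of the report: it parses those names, verifies each size, groups regions per PID, and flags regions that begin at 0x180000000, the MSVC linker's default image base for 64-bit DLLs (a region there is consistent with a 64-bit DLL mapped at its preferred address). The dump list is constructed from the entries above; reading KB as 1024 bytes is an assumption that the listed sizes confirm.

```python
"""Added example (not from the report): parse the report's memory-dump names,
check each region's extent against the listed Filesize, and group per PID.
The dump list is constructed from the Downloads entries above."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.I)
SIZE = re.compile(r"^(\d+)\s*(B|KB|MB)$", re.I)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}   # KB = 1024 assumed; matches the listing
X64_DLL_DEFAULT_BASE = 0x180000000                # MSVC default /BASE for 64-bit DLLs


class DumpRegion(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


# Constructed from the Downloads list above: (dump name, listed Filesize).
DUMPS: List[Tuple[str, str]] = [
    ("memory/1204-1-0x0000000076E02000-0x0000000076E03000-memory.dmp", "4KB"),
    ("memory/1204-2-0x0000000180000000-0x0000000180009000-memory.dmp", "36KB"),
    ("memory/1204-9-0x0000000180000000-0x0000000180009000-memory.dmp", "36KB"),
    ("memory/1204-10-0x0000000001CB0000-0x0000000001CB1000-memory.dmp", "4KB"),
    ("memory/2620-11-0x00000000040C0000-0x00000000040C1000-memory.dmp", "4KB"),
    ("memory/2620-12-0x00000000040C0000-0x00000000040C1000-memory.dmp", "4KB"),
    ("memory/2636-0-0x0000000000120000-0x0000000000124000-memory.dmp", "16KB"),
]


def parse_dump_name(name: str) -> Optional[DumpRegion]:
    """Decode pid, index and [start, end) from the dump file name, or None."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    return DumpRegion(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def parse_size(text: str) -> int:
    m = SIZE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNIT[m.group(2).upper()]


def size_consistent(name: str, listed: str) -> bool:
    """True when end - start equals the listed Filesize exactly."""
    region = parse_dump_name(name)
    return region is not None and region.size == parse_size(listed)


def regions_by_pid(dumps: List[Tuple[str, str]]) -> Dict[int, List[DumpRegion]]:
    out: Dict[int, List[DumpRegion]] = defaultdict(list)
    for name, _ in dumps:
        r = parse_dump_name(name)
        if r:
            out[r.pid].append(r)
    return dict(out)


def at_default_dll_base(region: DumpRegion) -> bool:
    """Region starting at the x64 DLL default base: consistent with a 64-bit
    DLL mapped at its preferred address (no relocation applied)."""
    return region.start == X64_DLL_DEFAULT_BASE


if __name__ == "__main__":
    for name, listed in DUMPS:
        r = parse_dump_name(name)
        flag = "  x64-dll-default-base" if r and at_default_dll_base(r) else ""
        print(f"pid {r.pid:5} #{r.index:<3} {r.size:6} bytes  listed={listed:5} "
              f"ok={size_consistent(name, listed)}{flag}")
```

Two of the PID 1204 dumps (indices 2 and 9) cover the same 36KB range at 0x180000000, taken at different points in the run; diffing them is the quick way to see whether the mapped image changed between the two snapshots.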