Resubmissions

16-10-2023 15:02

231016-seepnshc51 10

16-10-2023 14:55

231016-sasezaba44 1

16-10-2023 14:14

231016-rj9vyage8y 1

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2023 15:02

General

  • Target

    mesoc.dll

  • Size

    778KB

  • MD5

    a443f1622069aab6d8939491859e7cdb

  • SHA1

    f5dc559c1a1dfc96dd768f0bbe3036625784039c

  • SHA256

    e87928fcddf13935c91a0b5577e28efd29bb6a5c1d98e5129dec63e231601053

  • SHA512

    167c848eba8cf44b818484381e3bb2a4be009b95c7f3a0994e3a394cc3161345b0a79aa38466398f3aa710f538a4c67ca792fa5a431d8c153ca3bb10de5a9cb0

  • SSDEEP

    6144:GhQd+ZW/3TvUCWysU2XN92nIMkS9yjygIL1ZaquKIwsjd5vRukMi/mf+0Hlqn//f:sEv9yjpIrH6BjfEkPmt+/bYujcpZ

Malware Config

Extracted

Family

icedid

Campaign

3828440134

C2

aptekoagraliy.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\mesoc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2932 -s 100
      2⤵
        PID:2988
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\system32\rundll32.exe
        rundll32 mesoc.dll scab /k haval462
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1896
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

    • memory/1260-1-0x0000000077932000-0x0000000077933000-memory.dmp

      Filesize

      4KB

    • memory/1260-2-0x0000000180000000-0x0000000180009000-memory.dmp

      Filesize

      36KB

    • memory/1260-9-0x0000000180000000-0x0000000180009000-memory.dmp

      Filesize

      36KB

    • memory/1260-10-0x00000000029E0000-0x00000000029E1000-memory.dmp

      Filesize

      4KB

    • memory/1896-0-0x0000000000120000-0x0000000000124000-memory.dmp

      Filesize

      16KB

    • memory/2316-11-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

    • memory/2316-12-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB