Malware Analysis Report

2024-10-18 23:50

Sample ID 231016-wnww4abd6w
Target w0.log.exe
SHA256 82a01607ebdcaa73b9ff201ccb76780ad8de4a99dd3df026dcb71b0f007456ed
Tags
icedid 3828440134 banker loader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82a01607ebdcaa73b9ff201ccb76780ad8de4a99dd3df026dcb71b0f007456ed

Threat Level: Known bad

The file w0.log.exe was found to be: Known bad.

Malicious Activity Summary

icedid 3828440134 banker loader persistence trojan

IcedID, BokBot

Modifies Installed Components in the registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 18:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 18:04

Reported

2023-10-16 18:09

Platform

win7-20230831-en

Max time kernel

147s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\w0.log.dll, scab /k haval462

Signatures

IcedID, BokBot

trojan banker icedid

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\w0.log.dll, scab /k haval462

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 aptekoagraliy.com udp
US 188.114.96.0:80 aptekoagraliy.com tcp

Files

memory/2420-0-0x0000000000130000-0x0000000000134000-memory.dmp

memory/1268-1-0x0000000077482000-0x0000000077483000-memory.dmp

memory/1268-2-0x0000000180000000-0x0000000180009000-memory.dmp

memory/1268-9-0x0000000180000000-0x0000000180009000-memory.dmp

memory/1268-10-0x0000000002750000-0x0000000002751000-memory.dmp

memory/1892-11-0x0000000003F10000-0x0000000003F11000-memory.dmp

memory/1892-12-0x0000000003F10000-0x0000000003F11000-memory.dmp

memory/1892-16-0x0000000002B30000-0x0000000002B40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-16 18:04

Reported

2023-10-16 18:09

Platform

win10v2004-20230915-en

Max time kernel

0s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\w0.log.dll, scab /k haval462

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\w0.log.dll, scab /k haval462

Network

Files

N/A