
Analysis Report temp.tmp

Overview

General Information

Sample Name:temp.tmp (renamed file extension from tmp to dll)
Analysis ID:269496
MD5:d9e29df70fae5c4138701f4898f46c97
SHA1:ea17a2cec70aeaf17ad2d0f165819efbebd5d431
SHA256:4441869631f184e292844790ca4d365cb4e81cfe36b2933b452fedc80a71a1bd

Detection

IcedID
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected IcedID
Creates a DirectInput object (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3480 cmdline: loaddll32.exe 'C:\Users\user\Desktop\temp.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: loaddll32.exe PID: 3480
Rule: JoeSecurity_IcedID_1
Description: Yara detected IcedID
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Yara detected IcedID
    Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 3480, type: MEMORY
    Source: loaddll32.exe, 00000000.00000002.317706399.00000000015D7000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000002.317734823.0000000001609000.00000004.00000020.sdmp; String found in binary or memory: https://support.apple.com/
    Source: loaddll32.exe, 00000000.00000002.317697648.00000000015CB000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud:

    Yara detected IcedID
    Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 3480, type: MEMORY
    Source: temp.dll; Binary or memory string: OriginalFilenameball.dllT vs temp.dll
    Source: classification engine; Classification label: mal48.troj.winDLL@1/0@0/0
    Source: temp.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: temp.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: temp.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: temp.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: temp.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: temp.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: temp.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: temp.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
    Source: temp.dll; Binary string: c:\wood\art\dad\number\Cost\Use\Thank\too\ball.pdb
    Source: temp.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: temp.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: temp.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: temp.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: temp.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: temp.dll; Static PE information: real checksum: 0x30b68 should be: 0x2c59c
    Source: initial sample; Static PE information: section name: .text entropy: 6.82661942746
    Source: C:\Windows\System32\loaddll32.exe TID: 3692; Thread sleep time: -120000s >= -30000s
    Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: temp.dll; Binary or memory string: nUcyvmci
    Source: loaddll32.exe, 00000000.00000002.317706399.00000000015D7000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
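    The "real checksum: 0x30b68 should be: 0x2c59c" finding above means the value stored in IMAGE_OPTIONAL_HEADER.CheckSum does not match the value the Windows image checksum algorithm yields for the file on disk, which is what you expect when a binary has been patched, packed or rebuilt after linking without re-stamping the header. The script below is an added example, not part of the Joe Sandbox report or of the sample: it implements that algorithm (the one imagehlp!MapFileAndCheckSum computes: sum the file as 32-bit words, skip the CheckSum word, fold carries to 16 bits, add the file length) over a constructed 512-byte PE32 header stub, stamps a correct checksum, verifies it, and shows how a single patched byte breaks the match. The stub bytes and all function names are ours; the stub is not loadable code. To reproduce the report's two values you would run verify_checksum() on the actual temp.dll, which is not reproduced on this page.

```python
import struct


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    CheckSum sits 0x40 bytes into the optional header for both PE32 and
    PE32+; the optional header follows the 4-byte "PE\\0\\0" signature and
    the 20-byte IMAGE_FILE_HEADER located at e_lfanew.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Compute the PE image checksum over the whole file.

    Sum all 32-bit little-endian words except the one holding CheckSum,
    folding each carry back in, then fold the 32-bit sum to 16 bits and
    add the (unpadded) file length. Matches MapFileAndCheckSum.
    """
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)   # pad to a dword multiple
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """Read the CheckSum value the linker (or a patcher) left in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def stamp_checksum(data: bytes) -> bytes:
    """Return a copy of data with a correct CheckSum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def verify_checksum(data: bytes):
    """Return (stored, computed, matches), the triple a sandbox reports.

    A stored value of 0 means nothing was ever stamped; that is common for
    legitimate user-mode binaries and is not by itself a finding. A non-zero
    stored value that differs from the computed one is the "invalid checksum"
    case flagged in the report.
    """
    stored = stored_checksum(data)
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_sample_image() -> bytes:
    """Constructed 512-byte PE32 header stub for illustration; not loadable."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, TimeDateStamp=0,
    # PointerToSymbolTable=0, NumberOfSymbols=0, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x014C, 0, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", buf, 0x58, 0x10B)           # optional header Magic = PE32
    return bytes(buf)


if __name__ == "__main__":
    image = stamp_checksum(build_sample_image())
    print("stamped:  stored=%#x computed=%#x ok=%s" % verify_checksum(image))
    tampered = bytearray(image)
    tampered[0x100] ^= 0x41                            # patch one byte outside the headers
    print("tampered: stored=%#x computed=%#x ok=%s" % verify_checksum(bytes(tampered)))
```

    Because the CheckSum word itself is excluded from the sum, stamping a file never changes its computed value, which is why the verify step is a plain equality test. The loader only enforces the checksum for drivers and certain system DLLs, so a mismatch in a user-mode DLL like this one is a triage signal about post-link modification, not something that would have stopped loaddll32.exe from loading it.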

    Stealing of Sensitive Information:

    Yara detected IcedID
    Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 3480, type: MEMORY

    Remote Access Functionality:

    Yara detected IcedID
    Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 3480, type: MEMORY

    Mitre Att&ck Matrix

    Matched techniques (the number after each entry is the match count from the report):

    Defense Evasion: Virtualization/Sandbox Evasion 1; Software Packing 1; Obfuscated Files or Information 1
    Credential Access: Input Capture 1
    Discovery: Security Software Discovery 1; Virtualization/Sandbox Evasion 1; System Information Discovery 1
    Collection: Input Capture 1

    No techniques matched under Initial Access, Execution, Persistence, Privilege Escalation, Lateral Movement, Exfiltration, Command and Control, Network Effects, Remote Service Effects or Impact.
