Analysis Report main.jpg

Overview

General Information

Sample Name:main.jpg (renamed file extension from jpg to dll)
Analysis ID:269506
MD5:38f9963193cd828f60580c1fe9b22487
SHA1:4200e1f948d164d915674b53849096c48efe6505
SHA256:0b41a454c1d34aa97596c93b0edf85dd8a8eca3dfff9d326950e7d0723cb1608

Most interesting Screenshot:

Detection

IcedID
Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected IcedID
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3416 cmdline: loaddll32.exe 'C:\Users\user\Desktop\main.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: loaddll32.exe PID: 3416
Rule: JoeSecurity_IcedID_1
Description: Yara detected IcedID
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Yara detected IcedID
    Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3416, type: MEMORY
    Source: loaddll32.exe, 00000000.00000002.342858903.0000000001359000.00000004.00000020.sdmp, loaddll32.exe, 00000000.00000002.342818776.0000000001327000.00000004.00000020.sdmp | String found in binary or memory: https://support.apple.com/
    Source: loaddll32.exe, 00000000.00000002.342858903.0000000001359000.00000004.00000020.sdmp | String found in binary or memory: https://support.apple.com/4
    Source: loaddll32.exe, 00000000.00000002.342818776.0000000001327000.00000004.00000020.sdmp | String found in binary or memory: https://support.apple.com/s

    E-Banking Fraud:

    Yara detected IcedID
    Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3416, type: MEMORY
    Source: main.dll | Binary or memory string: OriginalFilenameball.dllT vs main.dll
    Source: classification engine | Classification label: mal48.troj.winDLL@1/0@0/0
    Source: main.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: main.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
    Source: main.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: c:\wood\art\dad\number\Cost\Use\Thank\too\ball.pdb | source: main.dll
    Source: main.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: main.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: main.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: main.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: main.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: main.dll | Static PE information: real checksum: 0x30b68 should be: 0x20c8f
    Source: initial sample | Static PE information: section name: .text entropy: 6.82656877123
    Source: C:\Windows\System32\loaddll32.exe TID: 4992 | Thread sleep time: -120000s >= -30000s
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: loaddll32.exe, 00000000.00000002.342818776.0000000001327000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
    Source: main.dll | Binary or memory string: nUcyvmci

    Stealing of Sensitive Information:

    Yara detected IcedID
    Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3416, type: MEMORY

    Remote Access Functionality:

    Yara detected IcedID
    Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3416, type: MEMORY

    MITRE ATT&CK Matrix

    One line per tactic column; the three techniques listed are the matrix rows in order. Techniques followed by (1) are the ones the report marked with a count of 1; all others are unmarked.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Virtualization/Sandbox Evasion (1); Software Packing (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); System Information Discovery (1)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Data Obfuscation; Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.