
Analysis Report icudt63.dll.txt

Overview

General Information

Sample Name: icudt63.dll.txt
Analysis ID: 433018
MD5: 7307885d1b4d6e86c16cd3245149a2b5
SHA1: 9ccb3a49ab72e765088aaa78648eaad54e859f25
SHA256: bb79555ab9fe2098b6d2ddbd5b871558303e87a4bdf652dbad66100dfa52d431

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • notepad.exe (PID: 5608 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\icudt63.dll.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; the full signature results are listed below.

Source: icudt63.dll.txt | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: icudt63.dll.txt | Static PE information: NO_SEH, DYNAMIC_BASE, NX_COMPAT
Source: icudt63.dll.txt | String found in binary or memory: http://www.unicode.org/copyright.html
Source: icudt63.dll.txt | Static PE information: invalid certificate
Source: icudt63.dll.txt | Static PE information: No import functions for PE file found
Source: classification engine | Classification label: clean2.winTXT@1/0@0/0
Source: C:\Windows\System32\notepad.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: icudt63.dll.txt | Static file information: File size 27192000 > 1048576
Source: icudt63.dll.txt | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x19ebe00
Source: icudt63.dll.txt | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: icudt63.dll.txt | Static PE information: real checksum: 0x19fc019 should be:
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\icudt63.dll.txt VolumeInformation

MITRE ATT&CK Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection1; Boot or Logon Initialization Scripts
Defense Evasion: Process Injection1; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Process Discovery1; System Information Discovery11
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph
