Play interactive tour

Edit tour

Analysis Report icudt63.dll.txt

Overview

General Information

Sample Name:	icudt63.dll.txt
Analysis ID:	433018
MD5:	7307885d1b4d6e86c16cd3245149a2b5
SHA1:	9ccb3a49ab72e765088aaa78648eaad54e859f25
SHA256:	bb79555ab9fe2098b6d2ddbd5b871558303e87a4bdf652dbad66100dfa52d431
Infos:
Most interesting Screenshot:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64

notepad.exe (PID: 5608 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\icudt63.dll.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: icudt63.dll.txt

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: icudt63.dll.txt

Static PE information: NO_SEH, DYNAMIC_BASE, NX_COMPAT

Source: icudt63.dll.txt

String found in binary or memory: http://www.unicode.org/copyright.html

Source: icudt63.dll.txt

Static PE information: invalid certificate

Source: icudt63.dll.txt

Static PE information: No import functions for PE file found

Source: icudt63.dll.txt

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: clean2.winTXT@1/0@0/0

Source: C:\Windows\System32\notepad.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\notepad.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Source: icudt63.dll.txt

Static file information: File size 27192000 > 1048576

Source: icudt63.dll.txt

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x19ebe00

Source: icudt63.dll.txt

Static PE information: NO_SEH, DYNAMIC_BASE, NX_COMPAT

Source: icudt63.dll.txt

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: icudt63.dll.txt

Static PE information: real checksum: 0x19fc019 should be:

Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: notepad.exe, 00000000.00000002.464528916.0000022867890000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\notepad.exe

Queries volume information: C:\Users\user\Desktop\icudt63.dll.txt VolumeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	Process Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
icudt63.dll.txt	2%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.unicode.org/copyright.html	icudt63.dll.txt	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433018
Start date:	11.06.2021
Start time:	06:20:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	icudt63.dll.txt
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winTXT@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .txt
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.214477136647996
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	icudt63.dll.txt
File size:	27192000
MD5:	7307885d1b4d6e86c16cd3245149a2b5
SHA1:	9ccb3a49ab72e765088aaa78648eaad54e859f25
SHA256:	bb79555ab9fe2098b6d2ddbd5b871558303e87a4bdf652dbad66100dfa52d431
SHA512:	2f53fb198e902b01d500c560a09f6dd5eecacfd1208b84721741bc7b442b3016a591086c15660cfd5b05a973041b51f6db07be79e31201a99786cea0dc8067fd
SSDEEP:	393216:7LAzFAVexVyB3uFidiXUxemfJcIWlj3qUl2n1g9WbknRy2DS/auO47Tt9r0PohFa:weVexVV9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=...S...S...S...S...S...S...S.......S...Q...S.Rich..S.PE..L...ST.\...........!...............................J...............

File Icon


Icon Hash:	74f4e4e4e4e4e4e4

Static PE Info

General
Entrypoint:	0x4ad00000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x4ad00000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	NO_SEH, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5CA25453 [Mon Apr 1 18:11:31 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	3/16/2016 5:00:00 PM 3/17/2021 4:59:59 PM
Subject Chain	CN=Open Text Corporation, OU=Development, O=Open Text Corporation, STREET=275 Frank Tompa, L=Waterloo, S=Ontario, PostalCode=N2L0A1, C=CA
Version:	3
Thumbprint MD5:	1CBB24700ACBA67F3C3BC1267F75960F
Thumbprint SHA-1:	B9443AE8AB96FEC5B7DCE3D22AB6B0A6309F9AF6
Thumbprint SHA-256:	A5F37E0A425E7469FF897C55D5F98E5EB6ABEB3FC834BA27CC0826B5E27E20EA
Serial:	00B8B1587C32F6AB449AC4AFF13F7DBB95

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x19ecb60	0x4c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19ed000	0x480	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x19ed428	0x1698
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19ecb40	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.rdata	0x1000	0x19ebc10	0x19ebe00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x19ed000	0x480	0x600	False	0.333333333333	data	2.65267607652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x19ed060	0x41c	data

Exports

Name	Ordinal	Address
icudt63_dat	1	0x4ad01000

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html
FileVersion	63, 1, 0, 0
CompanyName	The ICU Project
PrivateBuild
Comments	http://icu-project.org
ProductName	International Components for Unicode
SpecialBuild
ProductVersion	63, 1, 0, 0
FileDescription	ICU Data DLL
OriginalFilename	icudt63.dll
Translation	0x0000 0x0000

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: notepad.exe PID: 5608 Parent PID: 5692

General

Start time:	06:21:02
Start date:	11/06/2021
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Desktop\icudt63.dll.txt
Imagebase:	0x7ff7977d0000
File size:	245760 bytes
MD5 hash:	BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report icudt63.dll.txt

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Version Infos

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: notepad.exe PID: 5608 Parent PID: 5692

General

Disassembly

Code Analysis