Analysis Report icudt63.dll.txt
Overview
General Information
Detection | |
---|---|
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
Yara Overview |
---|
No yara matches |
Sigma Overview |
---|
No Sigma rule has matched |
Signature Overview |
---|
There are no malicious signatures. |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | String found in binary or memory: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Queries volume information: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection1 | Process Injection1 | OS Credential Dumping | Process Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rootkit | LSASS Memory | System Information Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
icudt63.dll.txt | 2% | Virustotal | | Browse |
Dropped Files |
---|
No Antivirus matches |
Unpacked PE Files |
---|
No Antivirus matches |
Domains |
---|
No Antivirus matches |
URLs |
---|
No Antivirus matches |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
Contacted IPs |
---|
No contacted IP infos |
General Information | |
---|---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 433018 |
Start date: | 11.06.2021 |
Start time: | 06:20:16 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 51s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | icudt63.dll.txt |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 21 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean2.winTXT@1/0@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.214477136647996 |
TrID: | |
File name: | icudt63.dll.txt |
File size: | 27192000 |
MD5: | 7307885d1b4d6e86c16cd3245149a2b5 |
SHA1: | 9ccb3a49ab72e765088aaa78648eaad54e859f25 |
SHA256: | bb79555ab9fe2098b6d2ddbd5b871558303e87a4bdf652dbad66100dfa52d431 |
SHA512: | 2f53fb198e902b01d500c560a09f6dd5eecacfd1208b84721741bc7b442b3016a591086c15660cfd5b05a973041b51f6db07be79e31201a99786cea0dc8067fd |
SSDEEP: | 393216:7LAzFAVexVyB3uFidiXUxemfJcIWlj3qUl2n1g9WbknRy2DS/auO47Tt9r0PohFa:weVexVV9 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=...S...S...S...S...S...S...S.......S...Q...S.Rich..S.PE..L...ST.\...........!...............................J............... |
File Icon | |
---|---|
Icon Hash: | 74f4e4e4e4e4e4e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4ad00000 |
Entrypoint Section: | |
Digitally signed: | true |
Imagebase: | 0x4ad00000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | NO_SEH, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5CA25453 [Mon Apr 1 18:11:31 2019 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | |
Authenticode Signature | |
---|---|
Signature Valid: | false |
Signature Issuer: | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 1CBB24700ACBA67F3C3BC1267F75960F |
Thumbprint SHA-1: | B9443AE8AB96FEC5B7DCE3D22AB6B0A6309F9AF6 |
Thumbprint SHA-256: | A5F37E0A425E7469FF897C55D5F98E5EB6ABEB3FC834BA27CC0826B5E27E20EA |
Serial: | 00B8B1587C32F6AB449AC4AFF13F7DBB95 |
Entrypoint Preview |
---|
Instruction |
---|
dec ebp |
pop edx |
nop |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax+eax], al |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x19ecb60 | 0x4c | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19ed000 | 0x480 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x19ed428 | 0x1698 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19ecb40 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.rdata | 0x1000 | 0x19ebc10 | 0x19ebe00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x19ed000 | 0x480 | 0x600 | False | 0.333333333333 | data | 2.65267607652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0x19ed060 | 0x41c | data | | |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
icudt63_dat | 1 | 0x4ad01000 |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html |
FileVersion | 63, 1, 0, 0 |
CompanyName | The ICU Project |
PrivateBuild | |
Comments | http://icu-project.org |
ProductName | International Components for Unicode |
SpecialBuild | |
ProductVersion | 63, 1, 0, 0 |
FileDescription | ICU Data DLL |
OriginalFilename | icudt63.dll |
Translation | 0x0000 0x0000 |
Network Behavior |
---|
No network behavior found |
Code Manipulations |
---|
Statistics |
---|
System Behavior |
---|
General | |
---|---|
Start time: | 06:21:02 |
Start date: | 11/06/2021 |
Path: | C:\Windows\System32\notepad.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7977d0000 |
File size: | 245760 bytes |
MD5 hash: | BB9A06B8F2DD9D24C77F389D7B2B58D2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|