Edit tour

Windows Analysis Report
ijexogdf64.dll

Overview

General Information

Sample Name:	ijexogdf64.dll
Analysis ID:	682774
MD5:	d243c07128ee42bccef33bda67ec61d9
SHA1:	5089dd76080329877c488325bc8ef8f736d1d1e4
SHA256:	d45c78fa400b32c11443061dcd1c286d971881ddf35a47143e4d426a3ec6bffd
Tags:	BokbotDLLexeIcedID
Infos:

Detection

IcedID

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected IcedID

C2 URLs / IPs found in malware configuration

PE file does not import any functions

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5140 cmdline: loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 5248 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 4220 cmdline: rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5300 cmdline: rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1004 cmdline: rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5344 cmdline: rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5596 cmdline: rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 2552 cmdline: rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5732 cmdline: rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6020 cmdline: rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 760 cmdline: rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: IcedID

{"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_IcedID_6	Yara detected IcedID	Joe Security
00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_IcedID_91562d18	unknown	unknown	0x400:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_IcedID_6	Yara detected IcedID	Joe Security
00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_IcedID_91562d18	unknown	unknown	0x10ff8:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.180000000.0.unpack	JoeSecurity_IcedID_6	Yara detected IcedID	Joe Security
3.2.rundll32.exe.180000000.0.unpack	Windows_Trojan_IcedID_91562d18	unknown	unknown	0x800:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41
3.2.rundll32.exe.18e2e5897f8.1.raw.unpack	JoeSecurity_IcedID_6	Yara detected IcedID	Joe Security
3.2.rundll32.exe.18e2e5897f8.1.raw.unpack	Windows_Trojan_IcedID_91562d18	unknown	unknown	0x800:$a: 44 8B 4C 19 2C 4C 03 D6 74 1C 4D 85 C0 74 17 4D 85 C9 74 12 41

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ijexogdf64.dll

Virustotal: Detection: 7%

Perma Link

Antivirus detection for URL or domain

Source: klareqvino.com

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: peranistaer.top	Virustotal: Detection: 15%	Perma Link
Source: klareqvino.com	Virustotal: Detection: 12%	Perma Link
Source: gruvihabralo.nl	Virustotal: Detection: 14%	Perma Link

Yara detected IcedID

Source: Yara match	File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: IcedID {"url_path": "/news/", "C2 url": ["peranistaer.top", "gruvihabralo.nl", "klareqvino.com", "ultomductingbig.pro"], "Campaign ID": 1573268852}

Source: ijexogdf64.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: peranistaer.top
Source: Malware configuration extractor	URLs: gruvihabralo.nl
Source: Malware configuration extractor	URLs: klareqvino.com
Source: Malware configuration extractor	URLs: ultomductingbig.pro

E-Banking Fraud

Yara detected IcedID

Source: Yara match	File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_IcedID_91562d18 Author: unknown

Source: ijexogdf64.dll

Static PE information: No import functions for PE file found

Source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09
Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_IcedID_91562d18 reference_sample = b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a, os = windows, severity = x86, creation_date = 2022-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.IcedID, fingerprint = 024bbd15da6bc759e321779881b466b500f6364a1d67bbfdc950aedccbfbc022, id = 91562d18-28a1-4349-9e4b-92ad165510c9, last_modified = 2022-06-09

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFFF0316111 NtCreateSection,NtMapViewOfSection,

3_2_00007FFFF0316111

Source: ijexogdf64.dll

Virustotal: Detection: 7%

Source: ijexogdf64.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",VejwwBbES	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",XeZsfh	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",YqufWwLNu	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1	Jump to behavior

Source: classification engine

Classification label: mal84.troj.winDLL@21/0@0/0

Source: ijexogdf64.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: ijexogdf64.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFFF03112F6 push r10; ret		3_2_00007FFFF0311301
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFFF0313B20 push r13; ret		3_2_00007FFFF0313BA2

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError,

3_2_00000001800014A0

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 5316

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00000001800014A0 LoadLibraryA,GetProcAddress,GetLastError,

3_2_00000001800014A0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000000180001044 GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,lstrcpyA,lstrcpyA,

3_2_0000000180001044

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected IcedID

Source: Yara match	File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected IcedID

Source: Yara match	File source: 3.2.rundll32.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.18e2e5897f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	11 Process Injection	1 Rundll32	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ijexogdf64.dll	7%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.rundll32.exe.180000000.0.unpack	100%	Avira	HEUR/AGEN.1205106		Download File

URLs

Source	Detection	Scanner	Label	Link
peranistaer.top	16%	Virustotal		Browse
peranistaer.top	0%	Avira URL Cloud	safe
ultomductingbig.pro	1%	Virustotal		Browse
ultomductingbig.pro	0%	Avira URL Cloud	safe
klareqvino.com	12%	Virustotal		Browse
klareqvino.com	100%	Avira URL Cloud	malware
gruvihabralo.nl	15%	Virustotal		Browse
gruvihabralo.nl	0%	Avira URL Cloud	safe

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	682774
Start date and time:	2022-08-12 00:27:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ijexogdf64.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.winDLL@21/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 84.1% (good quality ratio 69.2%) Quality average: 58.6% Quality standard deviation: 38.6%
HCA Information:	Successful, ratio: 93% Number of executed functions: 7 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.40.129.122, 23.211.6.115
Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-frc.francecentral.cloudapp.azure.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
00:28:16	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	4.681680523290311
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	ijexogdf64.dll
File size:	345600
MD5:	d243c07128ee42bccef33bda67ec61d9
SHA1:	5089dd76080329877c488325bc8ef8f736d1d1e4
SHA256:	d45c78fa400b32c11443061dcd1c286d971881ddf35a47143e4d426a3ec6bffd
SHA512:	91c4ca4b3c8051e2813387191414185add498ace63ccf52d420512d6f4fdbefd704b06472250489e4ea4206c18b88299d101f2921a9661adaaadfa7b0f3d5301
SSDEEP:	6144:7bCbif6Fsx+sjdfF+z/+Oz8A3z7S0+uiQ1j5X6UeoCcpWYnmajHcLGvUmVjQP:sa+sJArz8A3z7heeDeoCy9maj8LAj
TLSH:	7F749E78F704ADD6E56E467BCA92BCD912726E229F8EDDCD81647BC30463331EE06805
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4._.Z._.Z._.Z...Y.^.Z...Z.^.Z.....^.Z...X.^.Z.Rich_.Z.........................PE..d......T.........." .....>.................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180000000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x54EF86E9 [Thu Feb 26 20:49:45 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55000	0x133	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x56000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x53df2	0x53e00	False	0.5699195463859911	DOS executable (COM)	4.663798377543847	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x55000	0x133	0x200	False	0.525390625	data	3.6080974435457183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x56000	0x1e0	0x200	False	0.52734375	data	4.720822661998389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x56060	0x17d	XML 1.0 document text	English	United States

Exports

Name	Ordinal	Address
JdXfbK	2	0x180009abe
MDlQdmktXg	3	0x180009706
VejwwBbES	4	0x180009500
XeZsfh	5	0x180009773
YqufWwLNu	6	0x1800094d8
aFXQhh	7	0x180009610
douGisQTrEbuU	8	0x1800097d7
mcejso	9	0x180009895
sIwYjgNBY	10	0x180009baa
vwcKpBZWAuPZtofG	11	0x180009a56
wCUxVrXTsMGVxBGr	12	0x1800099de
zubitjkfnasyfujask	1	0x1800010c0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Statistics

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 4220, Parent PID: 5248COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	56.3%
Signature Coverage:	31%
Total number of Nodes:	87
Total number of Limit Nodes:	8

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 00007FFFF0316132

Strings

`, xrefs: 00007FFFF0316336
%, xrefs: 00007FFFF0316901
*, xrefs: 00007FFFF0316446
H, xrefs: 00007FFFF03161C2
%, xrefs: 00007FFFF0316918
!, xrefs: 00007FFFF03163B8
*, xrefs: 00007FFFF03164AE
y, xrefs: 00007FFFF03163A0
@, xrefs: 00007FFFF03168E9
D, xrefs: 00007FFFF0316359
-, xrefs: 00007FFFF0316298
2, xrefs: 00007FFFF031645D
3, xrefs: 00007FFFF03168C6
<, xrefs: 00007FFFF03161CF
&, xrefs: 00007FFFF03163D0
@, xrefs: 00007FFFF031693E
,, xrefs: 00007FFFF0316886
), xrefs: 00007FFFF0316255
?, xrefs: 00007FFFF03168AE
H, xrefs: 00007FFFF031623D
~, xrefs: 00007FFFF0316228

Memory Dump Source

Source File: 00000003.00000002.245500356.00007FFFF0311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF0310000, based on PE: true

Associated: 00000003.00000002.245493238.00007FFFF0310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.245598214.00007FFFF0365000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffff0310000_rundll32.jbxd

Similarity

API ID: CreateSection
String ID: !$%$%$&$)$*$*$,$-$2$3$<$?$@$@$D$H$H$`$y$~
API String ID: 2449625523-2699326552
Opcode ID: ae71ce33b2ff831bd31dc7ee09e58353459c4e54b112734a185f5b6d77d6ff7e
Instruction ID: 9b82528146ac50ec01c9607f4073eceba977ab99bd7058288e54287de13abfdf
Opcode Fuzzy Hash: ae71ce33b2ff831bd31dc7ee09e58353459c4e54b112734a185f5b6d77d6ff7e
Instruction Fuzzy Hash: 5CD12BB6D0C2D2CBE7B08B90E4583EAB6E0E798314F544639C2E916BD9DB7DD4489F01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001688 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32(?,?,?,?,?,0000000180001071), ref: 000000018000169D
StrStrIA.KERNELBASE(?,?,?,?,?,0000000180001071), ref: 00000001800016B6
SHGetFolderPathA.SHELL32(?,?,?,?,?,0000000180001071), ref: 00000001800016D5
lstrcatA.KERNEL32(?,?,?,?,?,0000000180001071), ref: 00000001800016F0
lstrcpyA.KERNEL32(?,?,?,?,?,0000000180001071), ref: 00000001800016FD
StrChrA.SHLWAPI(?,?,?,?,?,0000000180001071), ref: 000000018000170B
lstrcatA.KERNEL32(?,?,?,?,?,0000000180001071), ref: 000000018000171F

Strings

c:\ProgramData\, xrefs: 00000001800016DE

Memory Dump Source

Source File: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.244829729.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244838553.0000000180002000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244842939.0000000180003000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcat$CommandFolderLinePathlstrcpy
String ID: c:\ProgramData\
API String ID: 1737627762-4167965204
Opcode ID: 20617e2baf8158c2edf60f7b48858558e409461de3a6bb6beb459add1b47c657
Instruction ID: e6560f335e628c7a2993b81ce91b1b856003c4fac3ee7d8d6e9e32c945d496e2
Opcode Fuzzy Hash: 20617e2baf8158c2edf60f7b48858558e409461de3a6bb6beb459add1b47c657
Instruction Fuzzy Hash: 10113635704B4892FB96CB25F8043D97362BB48BC1F88C425EA0A07B65EF78D64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000018E30360000 Relevance: 6.7, APIs: 4, Instructions: 735
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 0000018E3036012C
VirtualAlloc.KERNELBASE ref: 0000018E30360173
LoadLibraryA.KERNELBASE ref: 0000018E303602F8
VirtualProtect.KERNELBASE ref: 0000018E303604CA

Memory Dump Source

Source File: 00000003.00000002.245471735.0000018E30360000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000018E30360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_18e30360000_rundll32.jbxd

Similarity

API ID: Virtual$AllocInfoLibraryLoadNativeProtectSystem
String ID:
API String ID: 395219687-0
Opcode ID: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
Instruction ID: e574320a55fd866874c48a42dd2c1f9002ba192134b1b4e7eff8a21cbcffa022
Opcode Fuzzy Hash: dd72a9d3825b757cb599c52874617b57d3dfc330cdb9a130d1801265dc8a93a8
Instruction Fuzzy Hash: 9D220830618A0D8BEB789A5AC8D63F677D1FB55311F26852DDD87C3281EF24ED428B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF031380C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00007FFF7FFFF031380C(void* __eax, void* __ecx, long long __rax, long long __rcx, long long __rdx, long long _a8, long long _a16, char _a36, char _a37, void* _a40, long long _a56, long long _a72) {
				signed int _t20;
				signed long long _t36;

				_a56 = __rax;
				_a36 = 0x2c;
				if (__eax == __eax) goto 0xf031381a;
				_a36 = _a36 + 4;
				_a37 = 0xd;
				goto 0xf0313826;
				_a37 = _a37 + 0x6b;
				r8d = 1;
				goto 0xf03138cf;
				_a16 = __rdx;
				_a8 = __rcx;
				if (__eax == __eax) goto 0xf0313880;
				_a72 = __rax;
				goto 0xf031394a;
				_t36 =  *((intOrPtr*)(__rax));
				_t20 = E00007FFF7FFFF03191A6( *((intOrPtr*)(__rax + 8)));
				goto 0xf0313767;
				if (__ecx == __ecx) goto 0xf0313874;
				goto 0xf03139d0;
				if (_t20 % _t36 == _t20 % _t36) goto 0xf0313869;
				goto 0xf0313754;
				return _t20 / _t36;
			}

0x7ffff031380c
0x7ffff0313811
0x7ffff0313818
0x7ffff031381a
0x7ffff031381f
0x7ffff0313824
0x7ffff0313826
0x7ffff031382b
0x7ffff0313831
0x7ffff0313836
0x7ffff031383b
0x7ffff0313842
0x7ffff0313847
0x7ffff031384c
0x7ffff0313851
0x7ffff0313854
0x7ffff0313859
0x7ffff0313867
0x7ffff031386f
0x7ffff031387e
0x7ffff031388c
0x7ffff0313895

Strings

k, xrefs: 00007FFFF0313826
,, xrefs: 00007FFFF0313811

Memory Dump Source

Source File: 00000003.00000002.245500356.00007FFFF0311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF0310000, based on PE: true

Associated: 00000003.00000002.245493238.00007FFFF0310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.245598214.00007FFFF0365000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffff0310000_rundll32.jbxd

Similarity

API ID:
String ID: ,$k
API String ID: 0-3852353504
Opcode ID: 8d47e0b8f4703087ead341db03715c6e46e51465191cc7a91b0e76fe85ba9493
Instruction ID: 71b7b793cb2416b43c91db733fd1ae09fe45be5ac3cd3e8cf56de625d600c525
Opcode Fuzzy Hash: 8d47e0b8f4703087ead341db03715c6e46e51465191cc7a91b0e76fe85ba9493
Instruction Fuzzy Hash: 2B31A322D0C68283EB709715A65437AA6D1EF8D740F880235E6DE67BD5CF7CD8848701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001000 Relevance: 4.5, APIs: 3, Instructions: 15
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000000018000101D
SleepEx.KERNEL32 ref: 000000018000102A
ExitProcess.KERNEL32 ref: 000000018000103B

Memory Dump Source

Source File: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.244829729.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244838553.0000000180002000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244842939.0000000180003000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateExitProcessSleepThread
String ID:
API String ID: 2449228014-0
Opcode ID: b1b8a2a17d72b8737e3efd17204ea4dad189a46fee2ea6b5e80811851aa5669d
Instruction ID: 995a4160c592a8e52e300b06ff3b17f76acf510bf4ee65cde584781cdca54b36
Opcode Fuzzy Hash: b1b8a2a17d72b8737e3efd17204ea4dad189a46fee2ea6b5e80811851aa5669d
Instruction Fuzzy Hash: 63E09231518648C6F3AADB21A81A3EA3266B788386F40C119F186444E5CF7C878DC704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF0312CC5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FFFF0312D4E

Strings

#+bV, xrefs: 00007FFFF0312D66

Memory Dump Source

Source File: 00000003.00000002.245500356.00007FFFF0311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF0310000, based on PE: true

Associated: 00000003.00000002.245493238.00007FFFF0310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.245598214.00007FFFF0365000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffff0310000_rundll32.jbxd

Similarity

API ID: LibraryLoad
String ID: #+bV
API String ID: 1029625771-1914211113
Opcode ID: d142efb2de48434e45e95c7c8d1c0977c5999182573c305d870274eaa5e785a8
Instruction ID: 2fc799615501335acfd88c4a93215f63effa8ea73dad02cea7d8ab1d80bb89c1
Opcode Fuzzy Hash: d142efb2de48434e45e95c7c8d1c0977c5999182573c305d870274eaa5e785a8
Instruction Fuzzy Hash: 7B41D326D0C68683F3B09A10E6543BD62E1EF49700F940735E5BE677D5EE2DE9458B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFF0313729 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00007FFF7FFFF0313729(void* __eax, void* __ebx, void* __edx, void* __esp, void* __rax, intOrPtr* __rcx, long long __rdx) {
				void* _t37;
				char _t40;
				char _t42;
				void* _t43;
				signed int _t45;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t53;
				intOrPtr* _t79;
				void* _t83;
				long long _t88;
				signed long long _t89;
				long long _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t90 = __rdx;
				_t53 = __edx;
				if (__eax != 0) goto 0xf0313738;
				r8d = 0xa;
				goto 0xf03137d5;
				_t48 =  *((intOrPtr*)(_t94 + 0x20));
				_t37 = E00007FFF7FFFF0313DBF(__eax, _t48, __rdx, _t91, _t92, _t100, _t102);
				goto 0xf0313a3b;
				if (E00007FFF7FFFF0313AE1(_t37, _t83, __rcx, _t98, _t99) == 0) goto 0xf031372d;
				goto 0xf03137f0;
				 *((intOrPtr*)(_t93 + 0x17)) =  *((intOrPtr*)(_t93 + 0x17)) + _t53;
				goto 0xf0313851;
				 *((long long*)(_t94 + 0x48)) =  *((intOrPtr*)(_t94 + 0x80));
				if (__esp == __esp) goto 0xf0313793;
				_t40 = E00007FFF7FFFF031A49B( *__rcx, __rcx, __rcx, __rdx, _t92, _t98, _t99, _t100, _t101, _t102, _t103, _t104);
				goto 0xf03137e0;
				 *((char*)(_t94 + 0x20)) = _t40;
				if (_t48 == _t48) goto 0xf03137bb;
				if (_t53 == _t53) goto 0xf03137c8;
				_t42 = E00007FFF7FFFF0318EBE( *((intOrPtr*)(__rcx + 1)));
				if (_t48 == _t48) goto 0xf0313788;
				if (__ebx == __ebx) goto 0xf03137a0;
				 *((char*)(_t94 + 0x21)) = _t42;
				goto 0xf0313746;
				r8d = r8d + 6;
				if (__esp == __esp) goto 0xf03137aa;
				_t88 =  *((intOrPtr*)(_t94 + 0x88));
				goto 0xf0313a14;
				_t50 =  *((intOrPtr*)(_t94 + 0x21));
				_t43 = E00007FFF7FFFF0313AE1(_t42, _t83, _t88, _t98, _t99);
				_t79 =  *((intOrPtr*)(_t94 + 0x30)) + 2;
				 *((long long*)(_t94 + 0x38)) = _t79;
				 *((char*)(_t94 + 0x24)) = 0x2c;
				if (_t43 == _t43) goto 0xf031381a;
				 *((char*)(_t94 + 0x24)) =  *((char*)(_t94 + 0x24)) + 4;
				 *((char*)(_t94 + 0x25)) = 0xd;
				goto 0xf0313826;
				 *((char*)(_t94 + 0x25)) =  *((char*)(_t94 + 0x25)) + 0x6b;
				r8d = 1;
				goto 0xf03138cf;
				 *((long long*)(_t94 + 0x10)) = _t90;
				 *((long long*)(_t94 + 8)) = _t88;
				if (_t43 == _t43) goto 0xf0313880;
				 *((long long*)(_t94 + 0x48)) = _t79;
				goto 0xf031394a;
				_t89 =  *_t79;
				_t45 = E00007FFF7FFFF03191A6( *((intOrPtr*)(_t79 + 8)));
				goto 0xf0313767;
				if (_t50 == _t50) goto 0xf0313874;
				goto 0xf03139d0;
				if (_t45 % _t89 == _t45 % _t89) goto 0xf0313869;
				goto 0xf0313754;
				return _t45 / _t89;
			}

0x7ffff0313729
0x7ffff0313729
0x7ffff031372b
0x7ffff031372d
0x7ffff0313733
0x7ffff0313738
0x7ffff031373c
0x7ffff0313741
0x7ffff031374d
0x7ffff031374f
0x7ffff0313757
0x7ffff0313762
0x7ffff0313767
0x7ffff0313786
0x7ffff0313788
0x7ffff0313791
0x7ffff0313793
0x7ffff031379e
0x7ffff03137a8
0x7ffff03137b2
0x7ffff03137b9
0x7ffff03137c6
0x7ffff03137c8
0x7ffff03137d0
0x7ffff03137d5
0x7ffff03137de
0x7ffff03137e0
0x7ffff03137eb
0x7ffff03137f0
0x7ffff03137f4
0x7ffff0313803
0x7ffff031380c
0x7ffff0313811
0x7ffff0313818
0x7ffff031381a
0x7ffff031381f
0x7ffff0313824
0x7ffff0313826
0x7ffff031382b
0x7ffff0313831
0x7ffff0313836
0x7ffff031383b
0x7ffff0313842
0x7ffff0313847
0x7ffff031384c
0x7ffff0313851
0x7ffff0313854
0x7ffff0313859
0x7ffff0313867
0x7ffff031386f
0x7ffff031387e
0x7ffff031388c
0x7ffff0313895

Memory Dump Source

Source File: 00000003.00000002.245500356.00007FFFF0311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFFF0310000, based on PE: true

Associated: 00000003.00000002.245493238.00007FFFF0310000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.245598214.00007FFFF0365000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffff0310000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6259535029c6565e0e1edbe0b2ce0dcec9b27bcc6421e556f39a3743fc6b1e1c
Instruction ID: c12f48e8ce9f57ff4e2cae38cffeed81619ecbc61cb738f8540c422cec3d059c
Opcode Fuzzy Hash: 6259535029c6565e0e1edbe0b2ce0dcec9b27bcc6421e556f39a3743fc6b1e1c
Instruction Fuzzy Hash: 7B319596E0C48283F7B0D66596142BE67E1AFCDB40F988231D6EE677C5CE3DE8458700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180001044 Relevance: 16.7, APIs: 9, Strings: 2, Instructions: 151
memoryCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00000001180001044(long long __rbx, long long __rsi, void* __r11) {
				void* _t109;
				long long _t112;
				intOrPtr _t117;
				void* _t121;
				signed long long _t127;
				void* _t129;
				long long _t130;
				signed long long _t136;
				signed long long _t137;
				signed long long _t138;
				signed long long _t139;
				long _t141;
				void* _t142;
				void* _t144;
				void* _t145;
				signed long long _t148;
				void* _t151;
				void* _t155;
				intOrPtr _t157;

				_t135 = __rsi;
				_t113 = __rbx;
				 *((long long*)(_t144 + 0x18)) = __rbx;
				 *((long long*)(_t144 + 0x20)) = __rsi;
				_t142 = _t144 - 0x2b0;
				_t145 = _t144 - 0x3b0;
				E00000001180001688(_t109, __rbx, _t142 + 0x56, _t142 + 0x15a, __rsi, _t151, _t155);
				if (E000000011800012BC(_t113, _t142 + 0x2d0, _t135, _t142 + 0x2d8) != 0) goto 0x80001097;
				GetLastError();
				goto 0x8000122a;
				_t130 =  *((intOrPtr*)(_t142 + 0x2d0));
				_t127 =  *((intOrPtr*)(_t142 + 0x2d8));
				 *(_t145 + 0x38) =  *(_t145 + 0x38) & 0x00000000;
				 *((long long*)(_t145 + 0x20)) = _t130;
				 *((long long*)(_t145 + 0x28)) = _t130;
				_t136 = _t127 - 0x10;
				_t121 = _t136 + _t130;
				 *(_t145 + 0x30) = _t136;
				if (_t121 == 0) goto 0x800010ed;
				asm("movups xmm0, [ecx]");
				_t112 = _t121 - _t130 - _t127;
				asm("movups [esp+eax+0x50], xmm0");
				_t137 =  *(_t145 + 0x30);
				_t157 =  *((intOrPtr*)(_t145 + 0x20));
				r10d = 0;
				if (_t157 == 0) goto 0x80001211;
				if (_t137 - 4 < 0) goto 0x80001211;
				_t138 = _t137 + 0xfffffffc;
				 *(_t145 + 0x30) = _t138;
				if ( *((intOrPtr*)(_t145 + 0x28)) != 0) goto 0x8000114e;
				if (_t138 == 0) goto 0x80001211;
				GetProcessHeap();
				_t148 = _t138 + 1;
				HeapAlloc(_t129, _t141);
				 *((long long*)(_t145 + 0x28)) = _t112;
				if (_t112 == 0) goto 0x8000120a;
				r10d = 1;
				r9d =  *(_t138 + _t157);
				r11d = 0;
				r9d = r9d ^  *(_t145 + 0x40);
				 *(_t145 + 0x38) = _t138;
				if (_t138 == 0) goto 0x800011cd;
				r8d = _t127 + 1;
				r8d = r8d & 0x00000003;
				 *(__r11 + _t112) =  *((intOrPtr*)(_t145 + 0x40 + _t148 * 4)) +  *((intOrPtr*)(_t145 + 0x40 + _t127 * 4)) ^  *(__r11 + _t157);
				asm("ror eax, cl");
				 *((intOrPtr*)(_t145 + 0x40 + _t127 * 4)) =  *((intOrPtr*)(_t145 + 0x40 + _t127 * 4)) + 1;
				asm("ror eax, cl");
				 *((intOrPtr*)(_t145 + 0x40 + _t148 * 4)) =  *((intOrPtr*)(_t145 + 0x40 + _t148 * 4)) + 1;
				_t117 =  *((intOrPtr*)(_t145 + 0x28));
				if (__r11 + 1 -  *(_t145 + 0x30) >= 0) goto 0x800011c1;
				goto 0x80001164;
				_t139 =  *(_t145 + 0x38);
				if (_t139 == 0) goto 0x800011e7;
				asm("rol ecx, 0x3");
				if (_t127 + 1 - _t139 < 0) goto 0x800011d6;
				if (r9d == 0 + ( *(_t127 + _t117) & 0x000000ff)) goto 0x80001244;
				if (r10d == 0) goto 0x80001211;
				if (_t117 == 0) goto 0x80001211;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				if ( *((intOrPtr*)(_t142 + 0x2d0)) == 0) goto 0x8000122a;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				return 0;
			}

0x180001044
0x180001044
0x180001044
0x180001049
0x180001052
0x18000105a
0x18000106c
0x18000108a
0x18000108c
0x180001092
0x180001097
0x18000109e
0x1800010a8
0x1800010b1
0x1800010b6
0x1800010bb
0x1800010bf
0x1800010c3
0x1800010cb
0x1800010cd
0x1800010d6
0x1800010d9
0x1800010de
0x1800010e8
0x1800010ed
0x1800010f3
0x1800010fd
0x180001103
0x180001107
0x18000110f
0x180001114
0x18000111a
0x180001123
0x18000112a
0x180001130
0x18000113b
0x180001148
0x18000114e
0x180001152
0x180001155
0x18000115a
0x180001162
0x180001168
0x18000116f
0x180001185
0x180001193
0x180001197
0x1800011a5
0x1800011a9
0x1800011ae
0x1800011b8
0x1800011bf
0x1800011c8
0x1800011d4
0x1800011df
0x1800011e5
0x1800011ea
0x1800011ef
0x1800011f4
0x1800011f6
0x180001204
0x180001214
0x180001216
0x180001224
0x180001243

APIs

Part of subcall function 0000000180001688: GetCommandLineA.KERNEL32(?,?,?,?,?,0000000180001071), ref: 000000018000169D

Part of subcall function 00000001800012BC: CreateFileA.KERNEL32 ref: 00000001800012F1

GetLastError.KERNEL32 ref: 000000018000108C
GetProcessHeap.KERNEL32 ref: 000000018000111A
HeapAlloc.KERNEL32 ref: 000000018000112A
GetProcessHeap.KERNEL32 ref: 00000001800011F6
HeapFree.KERNEL32 ref: 0000000180001204

Strings

@, xrefs: 000000018000128A
C:\Users\user\Desktop\ijexogdf64.dll, xrefs: 0000000180001252

Memory Dump Source

Source File: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.244829729.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244838553.0000000180002000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244842939.0000000180003000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocCommandCreateErrorFileFreeLastLine
String ID: @$C:\Users\user\Desktop\ijexogdf64.dll
API String ID: 3306398369-3727859140
Opcode ID: 37e6d1a6bd61851543567811daaf37c24ed177b5ee092c65ccdc5420a2f6a0eb
Instruction ID: edb68f4d90fcc4c612c9dfadceab7a85852652e7e7ff21404a576820c97af2f2
Opcode Fuzzy Hash: 37e6d1a6bd61851543567811daaf37c24ed177b5ee092c65ccdc5420a2f6a0eb
Instruction Fuzzy Hash: 90619372205B84CAEBA6CF21E4443D97761F78C7D9F488221EB8957A99DF38C74AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800014A0 Relevance: 4.6, APIs: 3, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E000000011800014A0(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				long long _t40;
				void* _t44;
				long long* _t55;
				long long _t63;
				CHAR* _t66;

				_t40 = _t63;
				 *((long long*)(_t40 + 8)) = __rbx;
				 *((long long*)(_t40 + 0x10)) = __rbp;
				 *((long long*)(_t40 + 0x18)) = __rsi;
				 *((long long*)(_t40 + 0x20)) = __rdi;
				if ( *((intOrPtr*)(__rdx + 0x10)) == 0) goto 0x8000154e;
				_t44 = __rbx + __rcx;
				if ( *((intOrPtr*)(_t44 + 0xc)) == 0) goto 0x8000154e;
				LoadLibraryA(_t66);
				if (_t40 == 0) goto 0x80001544;
				if ( *((intOrPtr*)(_t44 + 0x10)) != 0) goto 0x800014ef;
				_t55 = __rdi + __rcx;
				goto 0x80001536;
				if (_t40 >= 0) goto 0x80001505;
				goto 0x8000150c;
				GetProcAddress(??, ??);
				if (_t40 == 0) goto 0x80001544;
				if ( *((intOrPtr*)(_t44 + 0x10)) == 0) goto 0x80001525;
				 *_t55 = _t40;
				goto 0x8000152f;
				 *((long long*)(__rbp + _t40 + __rcx)) = _t40;
				if ( *((intOrPtr*)(_t55 + 8)) != 0) goto 0x800014f8;
				goto 0x800014cc;
				GetLastError();
				goto 0x80001553;
				return 1;
			}

0x1800014a0
0x1800014a3
0x1800014a7
0x1800014ab
0x1800014af
0x1800014c0
0x1800014c9
0x1800014d1
0x1800014d8
0x1800014e4
0x1800014eb
0x1800014f1
0x1800014f6
0x1800014fe
0x180001503
0x18000150c
0x180001518
0x18000151e
0x180001520
0x180001523
0x18000152a
0x18000153c
0x180001542
0x180001544
0x18000154c
0x18000156d

APIs

LoadLibraryA.KERNEL32(?,?,?,0000000180001447), ref: 00000001800014D8
GetProcAddress.KERNEL32(?,?,?,0000000180001447), ref: 000000018000150C
GetLastError.KERNEL32(?,?,?,0000000180001447), ref: 0000000180001544

Memory Dump Source

Source File: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.244829729.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244838553.0000000180002000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244842939.0000000180003000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID:
API String ID: 3511525774-0
Opcode ID: 79ae648c620947bd08369dc5fe77ed55b75f399bff2a9fb6986f004473391dde
Instruction ID: 64a7af8ad88c2c3b96373083f28d5d138c6f990d5ec75d668333d391b74bbb62
Opcode Fuzzy Hash: 79ae648c620947bd08369dc5fe77ed55b75f399bff2a9fb6986f004473391dde
Instruction Fuzzy Hash: 15213271701B48CBEB9ACB1598443E872E1FB4CBC6F04C415EA1A4B784DF38D659C710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800012BC Relevance: 12.1, APIs: 8, Instructions: 68memoryfileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00000001800012F1
GetFileSize.KERNEL32 ref: 000000018000130C
GetProcessHeap.KERNEL32 ref: 000000018000131B
HeapAlloc.KERNEL32 ref: 000000018000132D
ReadFile.KERNEL32 ref: 000000018000134E
GetProcessHeap.KERNEL32 ref: 000000018000136B
HeapFree.KERNEL32 ref: 0000000180001379
CloseHandle.KERNEL32 ref: 0000000180001384

Memory Dump Source

Source File: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.244829729.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244838553.0000000180002000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244842939.0000000180003000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$File$Process$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 3250796435-0
Opcode ID: 8a1d482df51977014dd727990c7250e65c850332ea86aba0de0c0d4bb6bdac1d
Instruction ID: f60ffbd99cf11e45288eb7afa630b804957ff5650f430d5521e5d15354dff841
Opcode Fuzzy Hash: 8a1d482df51977014dd727990c7250e65c850332ea86aba0de0c0d4bb6bdac1d
Instruction Fuzzy Hash: E1215C32704B5886FB92CF26A80439976A5BB8DFE1F05C115EE1943BA1DF38C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001658 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 000000018000166E
GetLastError.KERNEL32 ref: 0000000180001678

Strings

C:\Users\user\Desktop\ijexogdf64.dll, xrefs: 0000000180001667

Memory Dump Source

Source File: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.244829729.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244838553.0000000180002000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.244842939.0000000180003000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorFileLastModuleName
String ID: C:\Users\user\Desktop\ijexogdf64.dll
API String ID: 2776309574-1601156872
Opcode ID: 9d9b05e47c826fc21c88ac6377e472fa158e23e895d5d211de74082a9615c76a
Instruction ID: d515e6b97e8712b693a122997f0648c0367dba3bf5d74b011ae3cc4b5a11ad40
Opcode Fuzzy Hash: 9d9b05e47c826fc21c88ac6377e472fa158e23e895d5d211de74082a9615c76a
Instruction Fuzzy Hash: DAD0C970B1460882FAA2A7669C853C43254B75C7C6F84C051E444412A4EE6A879DC700

Uniqueness

Uniqueness Score: -1.00%

Target ID:	0
Start time:	00:28:03
Start date:	12/08/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\ijexogdf64.dll"
Imagebase:	0x7ff79b990000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	1
Start time:	00:28:04
Start date:	12/08/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1
Imagebase:	0x7ff7bb450000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	00:28:04
Start date:	12/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,JdXfbK
Imagebase:	0x7ff7b21b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	00:28:04
Start date:	12/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",#1
Imagebase:	0x7ff7b21b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000003.00000002.244835062.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_IcedID_6, Description: Yara detected IcedID, Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_IcedID_91562d18, Description: unknown, Source: 00000003.00000002.244948572.0000018E2E579000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high

Target ID:	4
Start time:	00:28:07
Start date:	12/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,MDlQdmktXg
Imagebase:	0x7ff7b21b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Name	Malicious	Antivirus Detection	Reputation
peranistaer.top	true	16%, Virustotal, Browse Avira URL Cloud: safe	unknown
ultomductingbig.pro	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
klareqvino.com	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
gruvihabralo.nl	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

Target ID:	7
Start time:	00:28:11
Start date:	12/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\ijexogdf64.dll,VejwwBbES
Imagebase:	0x7ff7b21b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	9
Start time:	00:28:14
Start date:	12/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",JdXfbK
Imagebase:	0x7ff7b21b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	10
Start time:	00:28:15
Start date:	12/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\ijexogdf64.dll",MDlQdmktXg
Imagebase:	0x7ff7b21b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ijexogdf64.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: IcedID

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 5140, Parent PID: 5292

General

Chronological Activities

Analysis Process: cmd.exePID: 5248, Parent PID: 5140

General

Windows Analysis Report
ijexogdf64.dll

Function 00007FFFF0316111 Relevance: 40.5, APIs: 2, Strings: 21, Instructions: 271
nativeCOMMON

Function 0000000180001688 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47
stringCOMMON

Function 0000018E30360000 Relevance: 6.7, APIs: 4, Instructions: 735
memorylibraryCOMMON

Function 00007FFFF031380C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
COMMON

Function 0000000180001000 Relevance: 4.5, APIs: 3, Instructions: 15
threadCOMMON

Function 00007FFFF0312CC5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116
libraryCOMMON

Function 00007FFFF0313729 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Function 0000000180001044 Relevance: 16.7, APIs: 9, Strings: 2, Instructions: 151
memoryCOMMON

Function 00000001800014A0 Relevance: 4.6, APIs: 3, Instructions: 65
libraryloaderCOMMON