IcedID malware analysis<\/strong><\/h2>\n\n\n\nDuring the execution of a task ANY.RUN provides interactive access <\/a>to the virtual machine. And when the task has been completed, either screenshots or videos are available. So you can view what is happening when the malware becomes active.
<\/p>\n\n\n\nThe first sample<\/a> comes from a malicious Office Excel document. In this case, we just see an Excel opening and a prompt to enable editing and content, typical of malicious Office documents. One sign of possible malicious content is poor grammar and spelling mistakes, and here we see that button is misspelled as \u201cbytton.\u201d<\/p>\n\n\n\n![\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2021\/07\/imgonline-com-ua-AutoEnrich-KW5AcPq4c2Zu-1-1024x578.jpg\")
<\/figure>\n\n\n\nThe panel on the right side displays a process tree, beginning with the initial process and continuing with all further spawned processes to get an overview of what is happening. In this example, Excel spawns three Rundll32.exe processes, which can be seen in the picture below.<\/p>\n\n\n
\n![\"Process](\"https:\/\/lh6.googleusercontent.com\/gAkwmhrsj7hiER7IxtpGU8jFTSLbsDRlH3k0lEbsE2oLPmlZAyfrIHgUOdqoRf0piUPem6u7SqEH2kfQS2oHGV-ta9EwmB6zqF3ZbVIegb5dYUoHFrE1wWwBclbMADNwmPC43qQ\")
<\/figure><\/div>\n\n\nThe bottom panel has network information such as HTTP Requests, Connections, DNS Requests, and Threats (IDS alerts). A great feature of ANY.RUN is that network activity is displayed in real-time. You don\u2019t have to wait for malware to finish detonation and a final summary report to be created to begin to see IOCs and other helpful information.<\/p>\n\n\n\n![\"Networking](\"https:\/\/lh3.googleusercontent.com\/Ysa6oYh5ZYBF4KtvdzMshxOJfUBd8hJHXXYWTnPyncXx35bQvp2Q3WA8EuPLNt_Y2WEiKMS0vRWt2mqV8s1kSSjQp0ZuJObmXlyDm6CcE25YKemTYsUIubwdF63c-3y23T_KIpI\")
<\/figure>\n\n\n\nOne important IOC is URLs that the malware is attempting to connect to. Under the HTTP Request <\/em>tab, we can see to whom requests are being made, the location of the address, and the process name and ID. We can see that Excel is making multiple requests for executable files, which is suspicious. The requests are also going to dotted-quad IP addresses instead of a typical web address, like www.google.com, which is uncommon. You can click on the \u201cexecutable\u201d cell under the Content tab to see the actual request and response data.
<\/p>\n\n\n\n![\"Response](\"https:\/\/lh4.googleusercontent.com\/vhstkc3qfA_yyHX4jtaBdY774kGjXzb_b-7PrSCwHIe_qhypa082yJXj0ELWaVn0TBJW54XCEm1Tfu7APo85X9kwcfMdPEkIwxCag1WAzyu3WGg2pp7y3sySXH13rKLA62Teync\")
<\/figure>\n\n\n\nYou can see summary data as well as hash values. Under the data section, you can clearly see the \u201cmagic number\u201d MZ, which indicates that this is a PE file. Looking back at the requests, the newly created processes try to request additional files from hxxp:\/\/630mordorebiter[.]website\/, which were not successful in this case but are still recognized as malicious sites. Looking under the Threat tab, you can see all the alerts generated by Suricata<\/a>.
<\/p>\n\n\n\n![\"Suricata](\"https:\/\/lh4.googleusercontent.com\/iVMVQAnrH_TMPekaAILazHrL-7yMP47brczIIcmgTd0uUFMjPvTH4YYXvilZN4MP74ABjyy2dZNVWNrsizx6Umbh4xzOsjDExF4UeXWXVbPMiYWdqUC-rMYeATvQIQJSSVBgDhE\")
<\/figure>\n\n\n\nAs we noticed earlier, Excel is downloading a PE file, and the request addresses are dotted quads, both of which were detected by Suricata. Also, the two additional rundll32 processes that were spawned were recognized as malware, specifically, IcedID<\/a>, which were trying to download other content from hxxp:\/\/630mordorebiter[.]website\/. Looking at the DNS request and Connections tab will give you more detailed network information if you desire.
<\/p>\n\n\n\nIn the upper right-hand corner of the website, you will find summary information such as file name, hashes, malware type, and environment run-time. Also, you can download the sample and get a list of all the IOCs in one place, which is convenient. All of these services are free. Some, like sample downloads, require an account, but again, all free.<\/p>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/screenshot20210101.png\")
<\/figure>\n\n\n\nIOCs<\/strong>
<\/h3>\n\n\n\n![\"Summary](\"\/cybersecurity-blog\/wp-content\/uploads\/2021\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2021-07-15-\u0432-09.33.51-1024x773.png\")
<\/figure>\n\n\n\nDridex malware analysis<\/strong><\/h2>\n\n\n\nThe next sample <\/a>is another Excel document. It claims to be a \u201creport\u201d but is very small and hard to read, probably done on purpose. Even though a button is intended to incite action from the user, the macros are still executed when the document is opened and content-enabled. These social engineering techniques are used to add more perceived credibility to the document.<\/p>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/screenshot715.png\")
<\/figure>\n\n\n\nThe process tree shows Excel launches wmic.exe, which in turn launches rundll32, which is used to run fnb5b.dll.<\/p>\n\n\n\n![\"Processes](\"https:\/\/lh3.googleusercontent.com\/MbcB5l20S9UeuSOfOaeRFtzCjjhs9A69Y5d1Wr9dovymrEJHMhYwrIEE-s0P49kCRrONWs7V4qxT-EFiNQfzrssRBc3lqN_5HKBQNVSYlFYnT5t_ioMiCQFXJ4tU2c041eNK-A4\")
<\/figure>\n\n\n\nUnder the HTTP Requests tab, we can see that wmic.exe, spawned by the Excel doc, makes a GET request to hxxp:\/\/pbotv[.]tv\/to presumably download a PHP file, which seems suspicious.
<\/p>\n\n\n\n![\"HTTP](\"https:\/\/lh3.googleusercontent.com\/eh2CXclH9iA1vW14RmxAUeCbdZTJci414gy1_vvZLMOlvX-nuiSagONdWIRxYX39bxtGPnlUfxN8O29CoTzHFopyawb_63WHfLVVgnPbSeMGLUzKBq02bgxBUmYK41isN0-12yw\")
<\/figure>\n\n\n\nTo dig a little deeper, we can click the icon under the \u201cContent\u201d tab of the same request and ANY.RUN will provide the contents of the download.<\/p>\n\n\n\n![\"Content](\"https:\/\/lh6.googleusercontent.com\/cvwA-iRJhBZfXDU6K38VVgMVQ3Ig_76NMB8LFnjQoHSxbUEFaZkBgZH3md_s3rowc96RzL0ojYmsObrv4OsUMPD_7RicMDidty_K-z2G2oLlRUxF9Zt35_W02L_UUUv7sEE0TF4\")
<\/figure>\n\n\n\nAs you can see, the file is actually identified as a DOS executable, which we can verify in the hex data with the \u201cmagic\u201d MZ and the \u201cDOS mode\u201d text. This process then uses rundll32 to execute the downloaded PE file, making two more GET requests. You can click directly on the process in the process tree or under the HTTP Request tab to view more details. ANY.RUN supplies a threat score, which is 100\/100 here, and lists specific threats below.<\/p>\n\n\n\n![\"Threat](\"https:\/\/lh3.googleusercontent.com\/-FVmlUfwsPzl3os6YvZKmivs6LZyWu7Sqpf6UY-khpWTGO8aJryn2s6pRLeC20lv_Mv59Tl_t_KbZjdYGGTka-7-2Ugilyq9DtCkGhSeHRgi5798m9va0OcWTTvfgj2asM2L1Ig\")
<\/figure>\n\n\n\nLastly, under the Threats tab, we are given the specific alerts that were triggered in Suricata. Here, wmlc.exe downloads a PE file via HTTP Get request. Then rundll32 executes a dll which is explicitly recognized as Dridex malware<\/a>. Again, the Connections and DNS Requests tabs will give more details if desired.<\/p>\n\n\n\n![\"Suricata](\"https:\/\/lh5.googleusercontent.com\/xbKLGKT82LHCE3gkyzmZUfU3AupRAK-ir0hIBFpsWDOD-1Jdykiin44FpXEw9t9VbsP1SvBXfjxSC8tIqJMrhBxeITbvXSNf2ViMQ_fsF9mGUW5dNgTRSX5IO7Rh-2oCH0iz6-4\")
<\/figure>\n\n\n\nIOCs<\/strong><\/h2>\n\n\n\nhttp:\/\/pbotv.tv\/wp-content\/plugins\/sg-cachepress\/vendor\/a5hleyrich\/y8UzX1Zf0ZWtO.php<\/p>\n\n\n\n
pbotv.tv<\/p>\n\n\n\n
C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\6Z2BCOUL\\y8UzX1Zf0ZWtO[1].php<\/p>\n\n\n\n
35.214.243.127<\/p>\n\n\n\n
77.220.64.140<\/p>\n\n\n\n
8.253.204.120<\/p>\n\n\n\n
8.4.9.152 <\/p>\n\n\n\n
sha256\t 23c625b550dea7fb8847a4c34f931181066e18a97ea40d3018d6a1f77ece9772 <\/p>\n\n\n\n
sha1 d6be6c4b01e1690923b06253783c79ce3b352e14 <\/p>\n\n\n\n
Sample 1: <\/strong>https:\/\/app.any.run\/tasks\/e65f0c6d-3754-4a30-a09f-e2ecfbfaeaae\/<\/a><\/p>\n\n\n\nMD5 4cd507abe0d01f83a133f7bd8e9f8915
<\/p>\n\n\n\n
<\/p>\n\n\n\n
The first sample<\/a> comes from a malicious Office Excel document. In this case, we just see an Excel opening and a prompt to enable editing and content, typical of malicious Office documents. One sign of possible malicious content is poor grammar and spelling mistakes, and here we see that button is misspelled as \u201cbytton.\u201d<\/p>\n\n\n\n The panel on the right side displays a process tree, beginning with the initial process and continuing with all further spawned processes to get an overview of what is happening. In this example, Excel spawns three Rundll32.exe processes, which can be seen in the picture below.<\/p>\n\n\n The bottom panel has network information such as HTTP Requests, Connections, DNS Requests, and Threats (IDS alerts). A great feature of ANY.RUN is that network activity is displayed in real-time. You don\u2019t have to wait for malware to finish detonation and a final summary report to be created to begin to see IOCs and other helpful information.<\/p>\n\n\n\n One important IOC is URLs that the malware is attempting to connect to. Under the HTTP Request <\/em>tab, we can see to whom requests are being made, the location of the address, and the process name and ID. We can see that Excel is making multiple requests for executable files, which is suspicious. The requests are also going to dotted-quad IP addresses instead of a typical web address, like www.google.com, which is uncommon. You can click on the \u201cexecutable\u201d cell under the Content tab to see the actual request and response data. You can see summary data as well as hash values. Under the data section, you can clearly see the \u201cmagic number\u201d MZ, which indicates that this is a PE file. Looking back at the requests, the newly created processes try to request additional files from hxxp:\/\/630mordorebiter[.]website\/, which were not successful in this case but are still recognized as malicious sites. Looking under the Threat tab, you can see all the alerts generated by Suricata<\/a>. As we noticed earlier, Excel is downloading a PE file, and the request addresses are dotted quads, both of which were detected by Suricata. Also, the two additional rundll32 processes that were spawned were recognized as malware, specifically, IcedID<\/a>, which were trying to download other content from hxxp:\/\/630mordorebiter[.]website\/. Looking at the DNS request and Connections tab will give you more detailed network information if you desire. In the upper right-hand corner of the website, you will find summary information such as file name, hashes, malware type, and environment run-time. Also, you can download the sample and get a list of all the IOCs in one place, which is convenient. All of these services are free. Some, like sample downloads, require an account, but again, all free.<\/p>\n\n\n\n The next sample <\/a>is another Excel document. It claims to be a \u201creport\u201d but is very small and hard to read, probably done on purpose. Even though a button is intended to incite action from the user, the macros are still executed when the document is opened and content-enabled. These social engineering techniques are used to add more perceived credibility to the document.<\/p>\n\n\n\n The process tree shows Excel launches wmic.exe, which in turn launches rundll32, which is used to run fnb5b.dll.<\/p>\n\n\n\n Under the HTTP Requests tab, we can see that wmic.exe, spawned by the Excel doc, makes a GET request to hxxp:\/\/pbotv[.]tv\/to presumably download a PHP file, which seems suspicious. To dig a little deeper, we can click the icon under the \u201cContent\u201d tab of the same request and ANY.RUN will provide the contents of the download.<\/p>\n\n\n\n As you can see, the file is actually identified as a DOS executable, which we can verify in the hex data with the \u201cmagic\u201d MZ and the \u201cDOS mode\u201d text. This process then uses rundll32 to execute the downloaded PE file, making two more GET requests. You can click directly on the process in the process tree or under the HTTP Request tab to view more details. ANY.RUN supplies a threat score, which is 100\/100 here, and lists specific threats below.<\/p>\n\n\n\n Lastly, under the Threats tab, we are given the specific alerts that were triggered in Suricata. Here, wmlc.exe downloads a PE file via HTTP Get request. Then rundll32 executes a dll which is explicitly recognized as Dridex malware<\/a>. Again, the Connections and DNS Requests tabs will give more details if desired.<\/p>\n\n\n\n http:\/\/pbotv.tv\/wp-content\/plugins\/sg-cachepress\/vendor\/a5hleyrich\/y8UzX1Zf0ZWtO.php<\/p>\n\n\n\n pbotv.tv<\/p>\n\n\n\n C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\6Z2BCOUL\\y8UzX1Zf0ZWtO[1].php<\/p>\n\n\n\n 35.214.243.127<\/p>\n\n\n\n 77.220.64.140<\/p>\n\n\n\n 8.253.204.120<\/p>\n\n\n\n 8.4.9.152 <\/p>\n\n\n\n sha256\t 23c625b550dea7fb8847a4c34f931181066e18a97ea40d3018d6a1f77ece9772 <\/p>\n\n\n\n sha1 d6be6c4b01e1690923b06253783c79ce3b352e14 <\/p>\n\n\n\n Sample 1: <\/strong>https:\/\/app.any.run\/tasks\/e65f0c6d-3754-4a30-a09f-e2ecfbfaeaae\/<\/a><\/p>\n\n\n\n MD5 4cd507abe0d01f83a133f7bd8e9f8915<\/figure>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n<\/figure>\n\n\n\nIOCs<\/strong>
<\/h3>\n\n\n\n<\/figure>\n\n\n\nDridex malware analysis<\/strong><\/h2>\n\n\n\n
<\/figure>\n\n\n\n
<\/p>\n\n\n\nIOCs<\/strong><\/h2>\n\n\n\n
<\/p>\n\n\n\n