icudtd56.dll
This report is generated from a file or URL submitted to this webservice on February 21st 2023 23:28:10 (UTC)
Guest System: Windows 10 64 bit, Professional, 10.0 (build 16299)
Report generated by Falcon Sandbox v9.5.9 © Hybrid Analysis
Related Sandbox Artifacts
- Associated SHA256s: 4c63b11fe21fe56325770e96744af46399b7398c645d22e6a50c2fc350374211
Indicators
Not all malicious and suspicious indicators are displayed.
Suspicious Indicators (4)

Network Related

Found potential IP address in binary/memory
- details: "2.1.19.83", "2.1.19.14", "2.1.19.90", "2.1.19.75", "2.1.19.73"
- source: File/Memory
- relevance: 3/10

System Security

Hooks API calls
- details: "Wow64Transition@NTDLL.DLL" in "rundll32.exe"
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1056.004

Unusual Characteristics

Installs hooks/patches the running process
- details: "rundll32.exe" wrote bytes into virtual addresses of its own image and of loaded modules (RUNDLL32.EXE, GDI32.DLL, KERNELBASE.DLL, WIN32U.DLL, USER32.DLL, IMM32.DLL and Wow64Transition@NTDLL.DLL)
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1056.004

Reads the Windows installation language
- details: "rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE"; Key: "INSTALLLANGUAGEFALLBACK")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1614.001
Informative (14)

Environment Awareness

Contains ability to read software policies
- details:
  "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
  "rundll32.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
- source: Registry Access
- relevance: 1/10
- ATT&CK ID: T1082
External Systems

Sample was identified as clean by Antivirus engines
- details: 0/70 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

An application crash occurred
- details: Report process "WerFault.exe" was created by "rundll32.exe"
- source: Monitored Target

Creates mutants
- details:
  "\Sessions\1\BaseNamedObjects\Local\SM0:4504:168:WilStaging_02"
  "Local\SM0:4504:168:WilStaging_02"
- source: Created Mutant
- relevance: 3/10

Possibly uses system binaries
- details: Observed system executable string: "%WINDIR%\SysWOW64\WerFault.exe" [Source: 00000000-00004504-00000BC0-72609615]
- source: File/Memory
- relevance: 1/10

Process launched with changed environment
- details:
  Process "rundll32.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
  Process "rundll32.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
  Process "WerFault.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
  Process "WerFault.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
  Process "WerFault.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
  Process "WerFault.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
- source: Monitored Target
- relevance: 10/10

Spawns new processes
- details:
  Spawned process "rundll32.exe" with commandline ""C:\icudtd56.dll",#1"
  Spawned process "WerFault.exe" with commandline "-u -p 4504 -s 672"
  Spawned process "WerFault.exe" with commandline "-u -p 4504 -s 672"
  Spawned process "WerFault.exe" with commandline "-u -p 4504 -s 672"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
  Spawned process "rundll32.exe" with commandline ""C:\icudtd56.dll",#1"
  Spawned process "WerFault.exe" with commandline "-u -p 4504 -s 672"
  Spawned process "WerFault.exe" with commandline "-u -p 4504 -s 672"
  Spawned process "WerFault.exe" with commandline "-u -p 4504 -s 672"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Tries to access non-existent files (executable)
- details: "rundll32.exe" trying to access non-existent file "%WINDIR%\System32\WOW64LOG.DLL"
- source: API Call
- relevance: 3/10
- ATT&CK ID: T1083

Tries to access non-existent files (non-executable)
- details:
  "rundll32.exe" trying to access non-existent file "C:\ICUDTD56.DLL.MANIFEST"
  "rundll32.exe" trying to access non-existent file "C:\ICUDTD56.DLL.123.MANIFEST"
  "rundll32.exe" trying to access non-existent file "C:\ICUDTD56.DLL.124.MANIFEST"
  "rundll32.exe" trying to access non-existent file "C:\ICUDTD56.DLL.2.MANIFEST"
- source: API Call
- relevance: 3/10
- ATT&CK ID: T1083

Network Related

Found mail related domain names
- details (all observed in 609835a84baa4393a361dda498c653b49b06cee20348fddce69dc84b738ef3da.bin):
  Observed email domain: "icudt56l/curr/es_mx.res"
  Observed email domain: "icudt56l/es_mx.res"
  Observed email domain: "icudt56l/lang/es_mx.res"
  Observed email domain: "icudt56l/rbnf/es_mx.res"
  Observed email domain: "icudt56l/region/es_mx.res"
  Observed email domain: "icudt56l/unit/es_mx.res"
  Observed email domain: "icudt56l/zone/es_mx.res"
- source: File/Memory
- relevance: 1/10
- ATT&CK ID: T1071.003

Found potential URL in binary/memory
- details: Pattern match: "aEa6a2a.aFa/aOa"
- source: File/Memory
- relevance: 10/10

Making HTTPS connections using secure TLS/SSL version
- details: Connection was made using TLSv1.2 [tls.handshake.version: 0x00000303]
- source: Network Traffic
- relevance: 1/10
- ATT&CK ID: T1573

Unusual Characteristics

Reads information about supported languages
- details:
  "rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EMPTY")
  "rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
  "rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

File Details
- Filename: icudtd56.dll
- Size: 24MiB (25055232 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 609835a84baa4393a361dda498c653b49b06cee20348fddce69dc84b738ef3da
- MD5: e3e5c4243a9ea81bde77fb74f41972a4
- SHA1: 45902a479ecd6812a36d5ce680186d35565dcc73
Classification (TrID)
- 35.7% (.EXE) Win32 Executable (generic)
- 16.3% (.ICL) Windows Icons Library (generic)
- 16.1% (.EXE) OS/2 Executable (generic)
- 15.8% (.EXE) Generic Win/DOS Executable
- 15.8% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 4 processes in total.
- <Ignored Process>
- rundll32.exe "C:\icudtd56.dll",#1 (PID: 4504)
  - WerFault.exe -u -p 4504 -s 672 (PID: 2612)
  - WerFault.exe -u -p 4504 -s 672 (PID: 3320)
  - WerFault.exe -u -p 4504 -s 672 (PID: 6936)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
No significant files were extracted.