Malware Analysis Report

2024-10-18 23:50

Sample ID 231012-s2tgcabc56
Target 51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db_JC.vbs
SHA256 51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db
Tags: icedid, 361893872, banker, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db

Threat Level: Known bad

The file 51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db_JC.vbs was found to be: Known bad.

Malicious Activity Summary

icedid 361893872 banker trojan

IcedID, BokBot

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 15:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 15:37

Reported

2023-10-16 10:15

Platform

win7-20230831-en

Max time kernel

140s

Max time network

159s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0317-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\Udedacui.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Admin\Udedacui.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 jkbarmossen.com udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 evinakortu.com udp
BG 94.232.46.27:443 evinakortu.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp

Files

C:\windows\Temp\0317-1.dll

MD5 bb7da19e0399724519724d44d7c331c7
SHA1 b10fb1c24b1d4187e24ee1be76b6247b862b214c
SHA256 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
SHA512 b68e3f3fec30cac41a11a939e0a5e9db2e45574cb31201fb9dd92657cd03edc060df4f7026ce2f1d9617b48ac88769dcb67958aea040684e661be82d0f8f3fd9

\Windows\Temp\0317-1.dll

MD5 bb7da19e0399724519724d44d7c331c7
SHA1 b10fb1c24b1d4187e24ee1be76b6247b862b214c
SHA256 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
SHA512 b68e3f3fec30cac41a11a939e0a5e9db2e45574cb31201fb9dd92657cd03edc060df4f7026ce2f1d9617b48ac88769dcb67958aea040684e661be82d0f8f3fd9

memory/2040-3-0x0000000000130000-0x000000000013D000-memory.dmp

memory/2040-4-0x0000000000130000-0x000000000013D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab90EC.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2040-22-0x0000000000130000-0x000000000013D000-memory.dmp

memory/2040-23-0x0000000000130000-0x000000000013D000-memory.dmp

\Users\Admin\AppData\Local\Admin\Udedacui.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

C:\Users\Admin\AppData\Local\Admin\Udedacui.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2864-30-0x0000000000110000-0x000000000015F000-memory.dmp

memory/2864-31-0x00000000005F0000-0x000000000063C000-memory.dmp

memory/2864-36-0x00000000005F0000-0x000000000063C000-memory.dmp

memory/2864-37-0x00000000005F0000-0x000000000063C000-memory.dmp

memory/2864-38-0x0000000000110000-0x000000000015F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 15:37

Reported

2023-10-16 10:18

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{77C6D694-E92A-D702-B889-F88C503F6DD8} C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{77C6D694-E92A-D702-B889-F88C503F6DD8}\ = … C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 4976 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 996 wrote to memory of 4976 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 4976 wrote to memory of 1156 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 4976 wrote to memory of 1156 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 1156 wrote to memory of 1592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1156 wrote to memory of 1592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51215d7d543fa28d5327e31002069f37a17cbed4b539bbf437d3a56cf906d3db_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0317-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\{B6BFE9CC-4ABB-6F4E-1364-D4A8B6D191D0}\adjinaacoc3.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\{B6BFE9CC-4ABB-6F4E-1364-D4A8B6D191D0}\adjinaacoc3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 jkbarmossen.com udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 62.204.255.173.in-addr.arpa udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 evinakortu.com udp
BG 94.232.46.27:443 evinakortu.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
RU 77.105.142.135:443 skrechelres.com tcp
US 8.8.8.8:53 135.142.105.77.in-addr.arpa udp

Files

C:\windows\Temp\0317-1.dll

MD5 bb7da19e0399724519724d44d7c331c7
SHA1 b10fb1c24b1d4187e24ee1be76b6247b862b214c
SHA256 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
SHA512 b68e3f3fec30cac41a11a939e0a5e9db2e45574cb31201fb9dd92657cd03edc060df4f7026ce2f1d9617b48ac88769dcb67958aea040684e661be82d0f8f3fd9

C:\Windows\Temp\0317-1.dll

MD5 bb7da19e0399724519724d44d7c331c7
SHA1 b10fb1c24b1d4187e24ee1be76b6247b862b214c
SHA256 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
SHA512 b68e3f3fec30cac41a11a939e0a5e9db2e45574cb31201fb9dd92657cd03edc060df4f7026ce2f1d9617b48ac88769dcb67958aea040684e661be82d0f8f3fd9

memory/4976-4-0x0000000002BA0000-0x0000000002BAD000-memory.dmp

memory/4976-5-0x0000000002BA0000-0x0000000002BAD000-memory.dmp

memory/4976-7-0x0000000002BA0000-0x0000000002BAD000-memory.dmp

C:\Users\Admin\AppData\Local\{B6BFE9CC-4ABB-6F4E-1364-D4A8B6D191D0}\adjinaacoc3.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/1592-11-0x000001B5079C0000-0x000001B507A0F000-memory.dmp

memory/1592-12-0x000001B507A60000-0x000001B507AAC000-memory.dmp

memory/1592-17-0x000001B507A60000-0x000001B507AAC000-memory.dmp

memory/1592-18-0x000001B507A60000-0x000001B507AAC000-memory.dmp

memory/1592-19-0x000001B5079C0000-0x000001B507A0F000-memory.dmp

memory/1592-21-0x000001B507A60000-0x000001B507AAC000-memory.dmp

memory/1592-22-0x000001B507A60000-0x000001B507AAC000-memory.dmp

memory/1592-24-0x000001B507A60000-0x000001B507AAC000-memory.dmp