Malware Analysis Report

2024-10-18 23:50

Sample ID: 231012-s48daahc6v
Target: 5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf_JC.vbs
SHA256: 5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf
Tags: icedid, 361893872, banker, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf

Threat Level: Known bad

The file 5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf_JC.vbs was found to be: Known bad.

Malicious Activity Summary

Tags: icedid, 361893872, banker, trojan

IcedID, BokBot

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-12 15:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-12 15:41
Reported: 2023-10-16 11:31
Platform: win7-20230831-en
Max time kernel: 121s
Max time network: 157s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf_JC.vbs"

Signatures

IcedID, BokBot

Tags: trojan, banker, icedid

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\CLSID\{F2EA62E7-3952-C21A-DC49-08FFAA9BB9BC} | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\CLSID\{F2EA62E7-3952-C21A-DC49-08FFAA9BB9BC}\ = [value elided] | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0370-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\{0EA336B5-B204-FD88-8E52-BB098885899E}\Ihivacmd64.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\{0EA336B5-B204-FD88-8E52-BB098885899E}\Ihivacmd64.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | modalefastnow.com | udp
IQ | 212.18.104.12:443 | modalefastnow.com | tcp
IQ | 212.18.104.12:80 | modalefastnow.com | tcp
US | 8.8.8.8:53 | skrechelres.com | udp
US | 8.8.8.8:53 | skrechelres.com | udp
RU | 77.105.142.135:443 | skrechelres.com | tcp

Files

C:\windows\Temp\0370-1.dll

MD5 bf15a998fd84bee284ae9f7422bda640
SHA1 e51217efb6e33fca9f7c5f51e5c3a4ae50499a37
SHA256 fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
SHA512 d7506cb1f7906fd9fb4a06904ed929c4cc187396e40d477b83945d7035e45f03237270abe3f6bcf8f3e6f54bb99392fc069f0582667e2bb6ad8d80f91a11f968

\Windows\Temp\0370-1.dll

MD5 bf15a998fd84bee284ae9f7422bda640
SHA1 e51217efb6e33fca9f7c5f51e5c3a4ae50499a37
SHA256 fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
SHA512 d7506cb1f7906fd9fb4a06904ed929c4cc187396e40d477b83945d7035e45f03237270abe3f6bcf8f3e6f54bb99392fc069f0582667e2bb6ad8d80f91a11f968

memory/2384-3-0x00000000002B0000-0x00000000002BD000-memory.dmp

memory/2384-4-0x00000000002B0000-0x00000000002BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9639.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2384-22-0x00000000002B0000-0x00000000002BD000-memory.dmp

\Users\Admin\AppData\Roaming\Admin\{0EA336B5-B204-FD88-8E52-BB098885899E}\Ihivacmd64.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

C:\Users\Admin\AppData\Roaming\Admin\{0EA336B5-B204-FD88-8E52-BB098885899E}\Ihivacmd64.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2740-29-0x0000000000290000-0x00000000002DF000-memory.dmp

memory/2740-30-0x0000000000450000-0x000000000049C000-memory.dmp

memory/2740-35-0x0000000000450000-0x000000000049C000-memory.dmp

memory/2740-36-0x0000000000450000-0x000000000049C000-memory.dmp

memory/2740-37-0x0000000000290000-0x00000000002DF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cedcd223240d814004bdfcd0a047bcc1
SHA1 b17e77246168a19773acf05e153fd4339d4f6404
SHA256 39296d9d6eb8674f2f72387cd3d7710f03cf1451220e97a38715e88de4a53b68
SHA512 94067de49174118e08bd59a2c282755c266eeb1a942931e0f037c0035ea47961ea73b0ea683ed3890123649c08a84ab52dbd81cc5f06a890180953d3bc69e05e

C:\Users\Admin\AppData\Local\Temp\TarBBC2.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2740-56-0x0000000000450000-0x000000000049C000-memory.dmp

memory/2740-57-0x0000000000450000-0x000000000049C000-memory.dmp

memory/2740-59-0x0000000000450000-0x000000000049C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-12 15:41
Reported: 2023-10-16 11:30
Platform: win10v2004-20230915-en
Max time kernel: 131s
Max time network: 136s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf_JC.vbs"

Signatures

IcedID, BokBot

Tags: trojan, banker, icedid

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{176999F7-E272-84DF-DB27-26AC523859D9} | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{176999F7-E272-84DF-DB27-26AC523859D9}\ = [value elided] | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2604 wrote to memory of 3992 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe
PID 2604 wrote to memory of 3992 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe
PID 3992 wrote to memory of 2192 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe
PID 3992 wrote to memory of 2192 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 3924 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 2192 wrote to memory of 3924 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0370-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{CFDD64AA-57CC-7A94-1CE4-2A6300131F4F}\Admin\edotumacii3.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\{CFDD64AA-57CC-7A94-1CE4-2A6300131F4F}\Admin\edotumacii3.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | modalefastnow.com | udp
IQ | 212.18.104.12:443 | modalefastnow.com | tcp
IQ | 212.18.104.12:80 | modalefastnow.com | tcp
US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp
US | 8.8.8.8:53 | evinakortu.com | udp
BG | 94.232.46.27:443 | evinakortu.com | tcp
US | 8.8.8.8:53 | hofsaalos.com | udp
RU | 92.118.112.113:443 | hofsaalos.com | tcp
US | 8.8.8.8:53 | skrechelres.com | udp
US | 8.8.8.8:53 | jerryposter.com | udp
RU | 77.105.140.181:443 | jerryposter.com | tcp
US | 8.8.8.8:53 | 181.140.105.77.in-addr.arpa | udp

Files

C:\windows\Temp\0370-1.dll

MD5 bf15a998fd84bee284ae9f7422bda640
SHA1 e51217efb6e33fca9f7c5f51e5c3a4ae50499a37
SHA256 fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
SHA512 d7506cb1f7906fd9fb4a06904ed929c4cc187396e40d477b83945d7035e45f03237270abe3f6bcf8f3e6f54bb99392fc069f0582667e2bb6ad8d80f91a11f968

C:\Windows\Temp\0370-1.dll

MD5 bf15a998fd84bee284ae9f7422bda640
SHA1 e51217efb6e33fca9f7c5f51e5c3a4ae50499a37
SHA256 fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d
SHA512 d7506cb1f7906fd9fb4a06904ed929c4cc187396e40d477b83945d7035e45f03237270abe3f6bcf8f3e6f54bb99392fc069f0582667e2bb6ad8d80f91a11f968

memory/3992-4-0x00000000008F0000-0x00000000008FD000-memory.dmp

memory/3992-8-0x00000000008F0000-0x00000000008FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\{CFDD64AA-57CC-7A94-1CE4-2A6300131F4F}\Admin\edotumacii3.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

C:\Users\Admin\AppData\Roaming\{CFDD64AA-57CC-7A94-1CE4-2A6300131F4F}\Admin\edotumacii3.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/3924-12-0x0000012EAB8C0000-0x0000012EAB90F000-memory.dmp

memory/3924-13-0x0000012EAD260000-0x0000012EAD2AC000-memory.dmp

memory/3924-18-0x0000012EAD260000-0x0000012EAD2AC000-memory.dmp

memory/3924-19-0x0000012EAD260000-0x0000012EAD2AC000-memory.dmp

memory/3924-20-0x0000012EAB8C0000-0x0000012EAB90F000-memory.dmp

memory/3924-22-0x0000012EAD260000-0x0000012EAD2AC000-memory.dmp

memory/3924-23-0x0000012EAD260000-0x0000012EAD2AC000-memory.dmp

memory/3924-25-0x0000012EAD260000-0x0000012EAD2AC000-memory.dmp