Analysis Overview
SHA256
5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca
Threat Level: Known bad
The file 5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.exe was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 15:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 15:43
Reported
2023-10-16 10:48
Platform
win7-20230831-en
Max time kernel
136s
Max time network
139s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\CLSID\{4254E45A-C9C2-6B17-47CD-F8DEB2E81452} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\CLSID\{4254E45A-C9C2-6B17-47CD-F8DEB2E81452}\ = [value not captured in report] | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2304 wrote to memory of 2728 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 2304 wrote to memory of 2728 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 2304 wrote to memory of 2728 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 2728 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2728 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2728 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | jkbarmossen.com | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | evinakortu.com | udp |
| BG | 94.232.46.27:443 | evinakortu.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
Files
memory/2304-1-0x00000000001A0000-0x00000000001AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5F03.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2304-19-0x00000000001A0000-0x00000000001AD000-memory.dmp
\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
C:\Users\Admin\AppData\Roaming\ikvobd2\Admin\Ankukuacow64.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/2616-26-0x0000000000190000-0x00000000001DF000-memory.dmp
memory/2616-27-0x0000000001B80000-0x0000000001BCC000-memory.dmp
memory/2616-32-0x0000000001B80000-0x0000000001BCC000-memory.dmp
memory/2616-33-0x0000000001B80000-0x0000000001BCC000-memory.dmp
memory/2616-34-0x0000000000190000-0x00000000001DF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e13e718fa34cf1f2c710e3c08f1d0f41 |
| SHA1 | f28d593e021002256e42504050059b527d50569e |
| SHA256 | 8552345cc90be38ec80c5f5147657afa1493df2f625dab7645e7bc0c4e36947f |
| SHA512 | e88558513ddd972bf6ea828b1ea8ed7912c02c262f8e0320650c264eb24e84537dfcdadcac22722f2ba705c75b3f6986d93eda981c3709807b4b5759385a45b8 |
C:\Users\Admin\AppData\Local\Temp\Tar3959.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2616-54-0x0000000001B80000-0x0000000001BCC000-memory.dmp
memory/2616-55-0x0000000001B80000-0x0000000001BCC000-memory.dmp
memory/2616-57-0x0000000001B80000-0x0000000001BCC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 15:43
Reported
2023-10-16 10:47
Platform
win10v2004-20230915-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{2E57A065-100F-0007-0263-61A4BB5FA8DB} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{2E57A065-100F-0007-0263-61A4BB5FA8DB}\ = [value not captured in report] | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 924 wrote to memory of 4228 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 924 wrote to memory of 4228 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 4228 wrote to memory of 1976 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 4228 wrote to memory of 1976 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5e3bb62b44636f502e387d4c00bd5a7bc1d040332028238ccd812f73e6d859ca_JC.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\{158344D4-4711-DB0F-8C92-028C42F35172}\Zadoxuacut.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Admin\{158344D4-4711-DB0F-8C92-028C42F35172}\Zadoxuacut.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| RU | 77.105.142.135:443 | skrechelres.com | tcp |
| US | 8.8.8.8:53 | 135.142.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/924-1-0x00000000027C0000-0x00000000027CD000-memory.dmp
memory/924-5-0x00000000027C0000-0x00000000027CD000-memory.dmp
C:\Users\Admin\AppData\Local\Admin\{158344D4-4711-DB0F-8C92-028C42F35172}\Zadoxuacut.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/1976-9-0x0000017D0DFE0000-0x0000017D0E02F000-memory.dmp
memory/1976-10-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp
memory/1976-15-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp
memory/1976-16-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp
memory/1976-17-0x0000017D0DFE0000-0x0000017D0E02F000-memory.dmp
memory/1976-19-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp
memory/1976-20-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp
memory/1976-22-0x0000017D0F960000-0x0000017D0F9AC000-memory.dmp