Analysis Overview
SHA256
69e3c157249070aec7d5e003cd6b3dd05f87b555e4997e4c11cc5ff07462e3db
Threat Level: Known bad
The file 69e3c157249070aec7d5e003cd6b3dd05f87b555e4997e4c11cc5ff07462e3db_JC.vbs was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 15:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 15:48
Reported
2023-10-16 11:05
Platform
win7-20230831-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\CLSID\{F2EA62E7-3952-C21A-DC49-08FFAA9BB9BC} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\CLSID\{F2EA62E7-3952-C21A-DC49-08FFAA9BB9BC}\ = [value not preserved in this report] | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69e3c157249070aec7d5e003cd6b3dd05f87b555e4997e4c11cc5ff07462e3db_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0013-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\Azgeacba4.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Admin\Azgeacba4.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
Files
C:\windows\Temp\0013-1.dll
| MD5 | 5f8bb53913d475e5f1f82d4fdc70f820 |
| SHA1 | 4e8929375e4b845191efe2206085d34b31759965 |
| SHA256 | 347ae21ab28f50dc3575dfa9625823de77125cda644db11940374cca505878d8 |
| SHA512 | 6c1665f8527ae003d4b17c125dfacc4b87462009aad419002b6681b7a02cf16d6db751cb4d97e684d9c27f102b0688b3765a8d31e60aa94b9b924540a0e27ef5 |
memory/2156-4-0x0000000000130000-0x000000000013D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab95FB.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2156-21-0x0000000000130000-0x000000000013D000-memory.dmp
memory/2156-23-0x0000000000130000-0x000000000013D000-memory.dmp
C:\Users\Admin\AppData\Local\Admin\Azgeacba4.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/2700-30-0x00000000002B0000-0x00000000002FF000-memory.dmp
memory/2700-31-0x0000000001DF0000-0x0000000001E3C000-memory.dmp
memory/2700-36-0x0000000001DF0000-0x0000000001E3C000-memory.dmp
memory/2700-37-0x0000000001DF0000-0x0000000001E3C000-memory.dmp
memory/2700-38-0x00000000002B0000-0x00000000002FF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2f385da1e7e01615362e192f63468e8 |
| SHA1 | 70d1308406418eb7766e061b8e062305e6193bd4 |
| SHA256 | 808594f902c15136f4e857b4a12aebc3696606228a83c9d6b4246fb549c187a7 |
| SHA512 | 9b2775eb507ee7dc265716a508f16204e20fd964a8ea6168e2645a1184cbaa68f554bcaf8cee63998143fe48ad6374c8911a96e2d086e7606b9a3944662a2560 |
C:\Users\Admin\AppData\Local\Temp\TarDAD6.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2700-57-0x0000000001DF0000-0x0000000001E3C000-memory.dmp
memory/2700-58-0x0000000001DF0000-0x0000000001E3C000-memory.dmp
memory/2700-60-0x0000000001DF0000-0x0000000001E3C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 15:48
Reported
2023-10-16 11:05
Platform
win10v2004-20230915-en
Max time kernel
152s
Max time network
170s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1224 wrote to memory of 2484 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 1224 wrote to memory of 2484 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 2484 wrote to memory of 1716 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 2484 wrote to memory of 1716 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 1716 wrote to memory of 4604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1716 wrote to memory of 4604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69e3c157249070aec7d5e003cd6b3dd05f87b555e4997e4c11cc5ff07462e3db_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0013-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\acidxiacmn.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Admin\acidxiacmn.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jkbarmossen.com | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | 62.204.255.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evinakortu.com | udp |
| BG | 94.232.46.27:443 | evinakortu.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
Files
C:\windows\Temp\0013-1.dll
| MD5 | 5f8bb53913d475e5f1f82d4fdc70f820 |
| SHA1 | 4e8929375e4b845191efe2206085d34b31759965 |
| SHA256 | 347ae21ab28f50dc3575dfa9625823de77125cda644db11940374cca505878d8 |
| SHA512 | 6c1665f8527ae003d4b17c125dfacc4b87462009aad419002b6681b7a02cf16d6db751cb4d97e684d9c27f102b0688b3765a8d31e60aa94b9b924540a0e27ef5 |
memory/2484-4-0x0000000002D50000-0x0000000002D5D000-memory.dmp
memory/2484-8-0x0000000002D50000-0x0000000002D5D000-memory.dmp
memory/2484-9-0x0000000002D50000-0x0000000002D5D000-memory.dmp
C:\Users\Admin\AppData\Local\Admin\acidxiacmn.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/4604-13-0x000002384FF90000-0x000002384FFDF000-memory.dmp
memory/4604-14-0x0000023850060000-0x00000238500AC000-memory.dmp
memory/4604-19-0x0000023850060000-0x00000238500AC000-memory.dmp
memory/4604-20-0x0000023850060000-0x00000238500AC000-memory.dmp
memory/4604-21-0x000002384FF90000-0x000002384FFDF000-memory.dmp