Analysis
  max time kernel: 140s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-10-2023 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: 09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs
  Resource: win7-20230831-en
General
  Target: 09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs
  Size: 1012KB
  MD5: 9eaa1622ab48ad3e59135969f0da985e
  SHA1: 1532cd774d5bc0150a85e211eb95729a972c90f8
  SHA256: 09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707
  SHA512: 2a85ef5554f3501412ede07a1bd92a4b6c33febbd6de67902777f12409c8d3c0413f8a7d030714e90e9aee09bfc9b030ac38ed38d1d604a0be84bf79ac86888c
  SSDEEP: 6144:CrbQo8oMwqz+YRrGfxsvzoi257gMYgzRlq5+mCxSp15NYxY3LCCExcnH8CoikfWT:t/P7W1kNgSz9zVGq1cqGW8cR
Malware Config
  Extracted
    icedid
    361893872
Signatures
  Blocklisted process makes network request (3 IoCs)
    Processes:
      flow | pid  | process
      47   | 1904 | rundll32.exe
      49   | 1904 | rundll32.exe
      51   | 1904 | rundll32.exe
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Processes:
      description       | ioc                                                                                                    | process
      Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | WScript.exe
  Loads dropped DLL (2 IoCs)
    Processes:
      pid  | process
      1648 | regsvr32.exe
      1904 | rundll32.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Modifies registry class (2 IoCs)
    Processes:
      description      | ioc                                                                                                                   | process
      Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}\ = 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 | rundll32.exe
      Key created      | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}   | rundll32.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes:
      pid  | process
      1648 | regsvr32.exe
      1648 | regsvr32.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes:
      description                 | pid  | process      | target process
      PID 3548 wrote to memory of 1648 | 3548 | WScript.exe  | regsvr32.exe
      PID 3548 wrote to memory of 1648 | 3548 | WScript.exe  | regsvr32.exe
      PID 1648 wrote to memory of 1372 | 1648 | regsvr32.exe | cmd.exe
      PID 1648 wrote to memory of 1372 | 1648 | regsvr32.exe | cmd.exe
      PID 1372 wrote to memory of 1904 | 1372 | cmd.exe      | rundll32.exe
      PID 1372 wrote to memory of 1904 | 1372 | cmd.exe      | rundll32.exe
  Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  [1] C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs"
      PID: 3548
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0375-1.dll
        PID: 1648
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll,#1
          PID: 1372
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\system32\rundll32.exe
            Command line: rundll32.exe C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll,#1
            PID: 1904
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    Filesize: 330B
    MD5: b36737dda5ea0716868cec199b48357b
    SHA1: ff24615b5198cf4423eb934245a9a5498e979c58
    SHA256: 48090850235dfcbb6f37533be67b77520e8f6ef8b8dea48218da5ecd171ac0ef
    SHA512: 4ad1f02921350e303bdaf408519bbca99933defc94038c0fe3126452d82e261c7da6c568ded4b82f9164ee3675afa37543decf50fca2d0ac3d7296c0d5585e22
  (path not recorded)
    Filesize: 583KB
    MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
    SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
    SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
    SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82
  (path not recorded)
    Filesize: 583KB
    MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
    SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
    SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
    SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82
  (path not recorded)
    Filesize: 328KB
    MD5: 9cb1387574f53e20050989a53b152113
    SHA1: faa86f01bdd50e90d5e4affec6280e68be45ac95
    SHA256: 8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef
    SHA512: 21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320
  (path not recorded)
    Filesize: 328KB
    MD5: 9cb1387574f53e20050989a53b152113
    SHA1: faa86f01bdd50e90d5e4affec6280e68be45ac95
    SHA256: 8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef
    SHA512: 21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320