Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 14:54

General

  • Target

    09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs

  • Size

    1012KB

  • MD5

    9eaa1622ab48ad3e59135969f0da985e

  • SHA1

    1532cd774d5bc0150a85e211eb95729a972c90f8

  • SHA256

    09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707

  • SHA512

    2a85ef5554f3501412ede07a1bd92a4b6c33febbd6de67902777f12409c8d3c0413f8a7d030714e90e9aee09bfc9b030ac38ed38d1d604a0be84bf79ac86888c

  • SSDEEP

    6144:CrbQo8oMwqz+YRrGfxsvzoi257gMYgzRlq5+mCxSp15NYxY3LCCExcnH8CoikfWT:t/P7W1kNgSz9zVGq1cqGW8cR

Malware Config

Extracted

Family

icedid

Campaign

361893872

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0375-1.dll
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll,#1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll,#1
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Modifies registry class
          PID:1904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

    Filesize

    330B

    MD5

    b36737dda5ea0716868cec199b48357b

    SHA1

    ff24615b5198cf4423eb934245a9a5498e979c58

    SHA256

    48090850235dfcbb6f37533be67b77520e8f6ef8b8dea48218da5ecd171ac0ef

    SHA512

    4ad1f02921350e303bdaf408519bbca99933defc94038c0fe3126452d82e261c7da6c568ded4b82f9164ee3675afa37543decf50fca2d0ac3d7296c0d5585e22

  • C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll

    Filesize

    583KB

    MD5

    0245e02cbb6ffe2716c2aeb7fb8006d0

    SHA1

    59dd3d2477211eb4fcd72b542812a2036fa0e1e8

    SHA256

    5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

    SHA512

    0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

  • C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll

    Filesize

    583KB

    MD5

    0245e02cbb6ffe2716c2aeb7fb8006d0

    SHA1

    59dd3d2477211eb4fcd72b542812a2036fa0e1e8

    SHA256

    5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1

    SHA512

    0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

  • C:\Windows\Temp\0375-1.dll

    Filesize

    328KB

    MD5

    9cb1387574f53e20050989a53b152113

    SHA1

    faa86f01bdd50e90d5e4affec6280e68be45ac95

    SHA256

    8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef

    SHA512

    21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320

  • C:\windows\Temp\0375-1.dll

    Filesize

    328KB

    MD5

    9cb1387574f53e20050989a53b152113

    SHA1

    faa86f01bdd50e90d5e4affec6280e68be45ac95

    SHA256

    8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef

    SHA512

    21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320

  • memory/1648-8-0x0000000002670000-0x000000000267D000-memory.dmp

    Filesize

    52KB

  • memory/1648-4-0x0000000002670000-0x000000000267D000-memory.dmp

    Filesize

    52KB

  • memory/1648-3-0x0000000002670000-0x000000000267D000-memory.dmp

    Filesize

    52KB

  • memory/1904-12-0x000001DE3FE70000-0x000001DE3FEBF000-memory.dmp

    Filesize

    316KB

  • memory/1904-13-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

    Filesize

    304KB

  • memory/1904-18-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

    Filesize

    304KB

  • memory/1904-19-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

    Filesize

    304KB

  • memory/1904-20-0x000001DE3FE70000-0x000001DE3FEBF000-memory.dmp

    Filesize

    316KB

  • memory/1904-25-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

    Filesize

    304KB

  • memory/1904-26-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

    Filesize

    304KB

  • memory/1904-28-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

    Filesize

    304KB