Malware Analysis Report

2024-10-18 23:50

Sample ID 231012-sac1aaeg4v
Target 09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs
SHA256 09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707
Tags
icedid 361893872 banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707

Threat Level: Known bad

The file 09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs was found to be: Known bad.

Malicious Activity Summary

icedid 361893872 banker trojan

IcedID, BokBot

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-10-12 14:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 14:54

Reported

2023-10-16 08:46

Platform

win7-20230831-en

Max time kernel

130s

Max time network

137s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000_CLASSES\CLSID\{42703548-2101-70A1-5CF1-5EE12D0C33D9} C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000_CLASSES\CLSID\{42703548-2101-70A1-5CF1-5EE12D0C33D9}\ = [value omitted] C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0375-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{E3DC5144-E49E-273E-14B4-8C1C0C1BAAE7}\yiilacoo.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\{E3DC5144-E49E-273E-14B4-8C1C0C1BAAE7}\yiilacoo.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 hofsaalos.com udp
US 8.8.8.8:53 skrechelres.com udp
US 8.8.8.8:53 jerryposter.com udp
RU 77.105.140.181:443 jerryposter.com tcp

Files

\Windows\Temp\0375-1.dll

MD5 9cb1387574f53e20050989a53b152113
SHA1 faa86f01bdd50e90d5e4affec6280e68be45ac95
SHA256 8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef
SHA512 21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320

C:\windows\Temp\0375-1.dll

MD5 9cb1387574f53e20050989a53b152113
SHA1 faa86f01bdd50e90d5e4affec6280e68be45ac95
SHA256 8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef
SHA512 21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320

memory/2576-4-0x00000000000B0000-0x00000000000BD000-memory.dmp

memory/2576-3-0x00000000000B0000-0x00000000000BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD136.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2576-22-0x00000000000B0000-0x00000000000BD000-memory.dmp

\Users\Admin\AppData\Roaming\{E3DC5144-E49E-273E-14B4-8C1C0C1BAAE7}\yiilacoo.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

C:\Users\Admin\AppData\Roaming\{E3DC5144-E49E-273E-14B4-8C1C0C1BAAE7}\yiilacoo.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2988-30-0x0000000001E90000-0x0000000001EDC000-memory.dmp

memory/2988-29-0x00000000003D0000-0x000000000041F000-memory.dmp

memory/2988-35-0x0000000001E90000-0x0000000001EDC000-memory.dmp

memory/2988-36-0x0000000001E90000-0x0000000001EDC000-memory.dmp

memory/2988-37-0x00000000003D0000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75e0edf4fd8095705dbc6814a19b3d14
SHA1 44e3e26147efb878d95ebfd2fbe84502025c3557
SHA256 6bf45fa268c80f4dbeab61978f9985a4fdac45cb89e8eed6d94c53a1dc7c296f
SHA512 70977ba41f577f01183c892f768c343968f52986de0930f379c689b9b3fdab8acbfcfc76f1cdda230feb49059626b728b0c00e1872646697c6b3fb0b11c875e6

C:\Users\Admin\AppData\Local\Temp\Tar7521.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2988-56-0x0000000001E90000-0x0000000001EDC000-memory.dmp

memory/2988-57-0x0000000001E90000-0x0000000001EDC000-memory.dmp

memory/2988-60-0x0000000001E90000-0x0000000001EDC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 14:54

Reported

2023-10-16 08:47

Platform

win10v2004-20230915-en

Max time kernel

140s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}\ = [value omitted] C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3} C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 3548 wrote to memory of 1648 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 1648 wrote to memory of 1372 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 1648 wrote to memory of 1372 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 1372 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1372 wrote to memory of 1904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f7e968376ea4a0ec8a8edc1281ad3d884f34b251c225e0cae5fa10cb7b2707_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0375-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 171.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
RU 77.105.142.135:443 skrechelres.com tcp
US 8.8.8.8:53 135.142.105.77.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp

Files

C:\windows\Temp\0375-1.dll

MD5 9cb1387574f53e20050989a53b152113
SHA1 faa86f01bdd50e90d5e4affec6280e68be45ac95
SHA256 8ea4a0e3b78209a6bb72148af0bbbcad3aeb604433ff336e42a224d453e7edef
SHA512 21f34e62a23ab144a89dc91b54bced12f0d2d2ab2430e9eb142f23dca4b140e6e54379b722dcd6a705460a29d9159f1437362b0c35eff3794dedb4ef6027a320

memory/1648-3-0x0000000002670000-0x000000000267D000-memory.dmp

memory/1648-4-0x0000000002670000-0x000000000267D000-memory.dmp

memory/1648-8-0x0000000002670000-0x000000000267D000-memory.dmp

C:\Users\Admin\AppData\Roaming\angibd1\tifuacbk.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/1904-12-0x000001DE3FE70000-0x000001DE3FEBF000-memory.dmp

memory/1904-13-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

memory/1904-18-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

memory/1904-19-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

memory/1904-20-0x000001DE3FE70000-0x000001DE3FEBF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 b36737dda5ea0716868cec199b48357b
SHA1 ff24615b5198cf4423eb934245a9a5498e979c58
SHA256 48090850235dfcbb6f37533be67b77520e8f6ef8b8dea48218da5ecd171ac0ef
SHA512 4ad1f02921350e303bdaf408519bbca99933defc94038c0fe3126452d82e261c7da6c568ded4b82f9164ee3675afa37543decf50fca2d0ac3d7296c0d5585e22

memory/1904-25-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

memory/1904-26-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp

memory/1904-28-0x000001DE3FF40000-0x000001DE3FF8C000-memory.dmp