Analysis

max time kernel: 134s
max time network: 152s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2023 14:55
Static task: static1
Behavioral task: behavioral1
Sample: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs
Resource: win7-20230831-en
General

Target: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs
Size: 1012KB
MD5: d1a959dad577d838505e6edca6255c0b
SHA1: 9159cc10479a91d38bc9554fb374077842cb2a84
SHA256: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4
SHA512: 4f825cfa5381030f9a506cc31d3c83e12646ff77b266b83cf3e98da1baee12981ceb98fc04a537d770f795e4a5d31cbafeda7cce8220307c153f10ee5e4e86a5
SSDEEP: 6144:lOEkG1k1BPyLBSoOVsjIJhsAQfDsfTY87sxuC2n+h7prMqQcqMKhtTL9Xv4dIJ+U:KQzYhanuOuCUmy9JPw8IUE7Mq0n7MK
Malware Config

Extracted
Family: icedid
Campaign ID: 361893872
Signatures

Blocklisted process makes network request (3 IoCs)
Processes:
  flow 8   pid 2676  rundll32.exe
  flow 12  pid 2676  rundll32.exe
  flow 14  pid 2676  rundll32.exe

Loads dropped DLL (5 IoCs)
Processes:
  pid 876   regsvr32.exe  (1 load)
  pid 2676  rundll32.exe  (4 loads)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 876  regsvr32.exe  (2 events)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 2324 WScript.exe   wrote to memory of PID 876  regsvr32.exe  (5 events)
  PID 876  regsvr32.exe  wrote to memory of PID 2800 cmd.exe       (3 events)
  PID 2800 cmd.exe       wrote to memory of PID 2676 rundll32.exe  (3 events)
Every write here is from a parent into a child it has just created, which ordinary process creation also produces (the parent populates the new process's parameters before it starts). On their own these events are a weak signal; the value is in the chain they outline: script host, then regsvr32, then cmd, then rundll32.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WScript.exe  (PID 2324)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\regsvr32.exe  (PID 876, child of 2324)
    "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe  (PID 2800, child of 876)
      "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\rundll32.exe  (PID 2676, child of 2800)
        rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1
        - Blocklisted process makes network request
        - Loads dropped DLL

Two details of the command lines matter for detection. The regsvr32 argument is written as C://windows/Temp/0050-1.dll: forward slashes and a doubled separator, which the Win32 path parser accepts, so a rule that matches the literal string C:\Windows\Temp\ misses it unless the path is normalised first. The rundll32 argument ends in ,#1, which calls the DLL's export by ordinal 1 rather than by name; legitimate rundll32 invocations almost always use a named export.
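The chain above is what a host-based detection would key on. The following Python is an added example, not part of the sandbox report or of any vendor's rule set: it rebuilds the four processes from the tree as constructed input (same PIDs, parents and command lines), normalises the DLL argument so the C://windows/Temp/ spelling collapses to C:\windows\temp\, and flags a regsvr32 or rundll32 process when the DLL sits in a common staging directory or a GUID-named folder, when the export is called by ordinal, or when a script host appears in its ancestry. The Proc record, the directory list and the reason strings are this example's own choices.

```python
"""Added example: flag the WScript -> regsvr32 -> cmd -> rundll32 chain from the
report above. Not sandbox output; process records are constructed from the page."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 = parent not present in the capture
    image: str
    cmdline: str


# Constructed from the report's process tree: same PIDs, parents and command lines.
SAMPLE_PROCS = [
    Proc(2324, 0, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"'),
    Proc(876, 2324, r"C:\Windows\System32\regsvr32.exe",
         r'"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll'),
    Proc(2800, 876, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1'),
    Proc(2676, 2800, r"C:\Windows\system32\rundll32.exe",
         r'rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Common staging directories (this example's list), matched against the normalised path.
STAGING_DIRS = ("c:\\windows\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#\d+\s*$", re.I)
DLL_ARG = re.compile(r'"[^"]+\.dll"|\S+\.dll', re.I)


def basename(image: str) -> str:
    return re.split(r"[\\/]", image)[-1].lower()


def normalize_path(raw: str) -> str:
    """Fold a path the way the Win32 parser effectively does before matching:
    strip quotes, turn '/' into '\\', collapse repeated separators (keeping the
    leading '\\\\' of a UNC path) and lower-case the result."""
    p = raw.strip().strip('"').replace("/", "\\")
    unc = p.startswith("\\\\")
    p = re.sub(r"\\{2,}", r"\\", p)
    return ("\\" + p if unc else p).lower()


def dll_argument(cmdline: str) -> Optional[str]:
    """The DLL path handed to regsvr32/rundll32, normalised, or None if there is none."""
    m = DLL_ARG.search(cmdline)
    return normalize_path(m.group(0)) if m else None


def ancestors(procs: List[Proc], pid: int) -> List[Proc]:
    """Parent chain of pid, nearest first, stopping at a missing or cyclic parent."""
    by_pid = {p.pid: p for p in procs}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def detect(procs: List[Proc]) -> List[Tuple[int, str, str, List[str]]]:
    """Return (pid, image name, dll path, reasons) for each suspicious loader process."""
    findings = []
    for p in procs:
        name = basename(p.image)
        if name not in DLL_LOADERS:
            continue
        dll = dll_argument(p.cmdline)
        if dll is None:
            continue
        reasons = []
        if any(d in dll for d in STAGING_DIRS):
            reasons.append("dll loaded from staging directory")
        if GUID_DIR.search(dll):
            reasons.append("guid-named directory")
        if ORDINAL_EXPORT.search(p.cmdline):
            reasons.append("export called by ordinal")
        if any(basename(a.image) in SCRIPT_HOSTS for a in ancestors(procs, p.pid)):
            reasons.append("script host in ancestry")
        if reasons:
            findings.append((p.pid, name, dll, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, dll, reasons in detect(SAMPLE_PROCS):
        print(f"PID {pid} {name} -> {dll}: {', '.join(reasons)}")
```

Run against the constructed records, regsvr32 (PID 876) is flagged for the staging directory and the WScript ancestor, and rundll32 (PID 2676) for all four reasons. Normalising before matching is the part worth carrying into a real rule: without it the C://windows/Temp/ spelling on this page slips past a backslash-only pattern.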
Network
MITRE ATT&CK Enterprise v15
Downloads

Three distinct files were recorded. The 583KB file appears 5 times and the 328KB file twice in the original listing; each is shown once here with its count.

Filesize: 61KB  (1 occurrence)
MD5: f3441b8572aae8801c04f3060b550443
SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Filesize: 583KB  (5 occurrences)
MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

Filesize: 328KB  (2 occurrences)
MD5: 510e0f061b1c3ff84f4cc810ff1dc6b2
SHA1: 6c0cb0d21dde5ec87d30c4d15025f50ab293c062
SHA256: a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
SHA512: 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea