Analysis
- max time kernel: 131s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2023 14:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs
- Resource: win7-20230831-en
General
- Target: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs
- Size: 1012KB
- MD5: d1a959dad577d838505e6edca6255c0b
- SHA1: 9159cc10479a91d38bc9554fb374077842cb2a84
- SHA256: 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4
- SHA512: 4f825cfa5381030f9a506cc31d3c83e12646ff77b266b83cf3e98da1baee12981ceb98fc04a537d770f795e4a5d31cbafeda7cce8220307c153f10ee5e4e86a5
- SSDEEP: 6144:lOEkG1k1BPyLBSoOVsjIJhsAQfDsfTY87sxuC2n+h7prMqQcqMKhtTL9Xv4dIJ+U:KQzYhanuOuCUmy9JPw8IUE7Mq0n7MK
Malware Config
Extracted
icedid
361893872
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
  46 | 2644 | rundll32.exe
  51 | 2644 | rundll32.exe
  53 | 2644 | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | WScript.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  664 | regsvr32.exe
  2644 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  664 | regsvr32.exe
  664 | regsvr32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 1136 wrote to memory of 664 | 1136 | WScript.exe | regsvr32.exe
  PID 1136 wrote to memory of 664 | 1136 | WScript.exe | regsvr32.exe
  PID 664 wrote to memory of 3160 | 664 | regsvr32.exe | cmd.exe
  PID 664 wrote to memory of 3160 | 664 | regsvr32.exe | cmd.exe
  PID 3160 wrote to memory of 2644 | 3160 | cmd.exe | rundll32.exe
  PID 3160 wrote to memory of 2644 | 3160 | cmd.exe | rundll32.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1136
  - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 664
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 3160
      - C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1
        - Blocklisted process makes network request
        - Loads dropped DLL
        PID: 2644
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 583KB
  MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
  SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
  SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
  SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82
- Filesize: 328KB
  MD5: 510e0f061b1c3ff84f4cc810ff1dc6b2
  SHA1: 6c0cb0d21dde5ec87d30c4d15025f50ab293c062
  SHA256: a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
  SHA512: 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea