Malware Analysis Report

2024-10-18 23:50

Sample ID 231012-saj4laha36
Target 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs
SHA256 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4
Tags
icedid 361893872 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4

Threat Level: Known bad

The file 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs was found to be: Known bad.

Malicious Activity Summary

icedid 361893872 banker trojan

IcedID, BokBot

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 14:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 14:55

Reported

2023-10-16 07:55

Platform

win7-20230831-en

Max time kernel

134s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 jkbarmossen.com udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 evinakortu.com udp
BG 94.232.46.27:443 evinakortu.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp

Files

C:\windows\Temp\0050-1.dll

MD5 510e0f061b1c3ff84f4cc810ff1dc6b2
SHA1 6c0cb0d21dde5ec87d30c4d15025f50ab293c062
SHA256 a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
SHA512 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea

\Windows\Temp\0050-1.dll

MD5 510e0f061b1c3ff84f4cc810ff1dc6b2
SHA1 6c0cb0d21dde5ec87d30c4d15025f50ab293c062
SHA256 a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
SHA512 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea

memory/876-4-0x0000000000130000-0x000000000013D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab761C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/876-22-0x0000000000130000-0x000000000013D000-memory.dmp

memory/876-23-0x0000000000130000-0x000000000013D000-memory.dmp

C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2676-30-0x0000000000360000-0x00000000003AF000-memory.dmp

memory/2676-31-0x0000000001D30000-0x0000000001D7C000-memory.dmp

memory/2676-36-0x0000000001D30000-0x0000000001D7C000-memory.dmp

memory/2676-37-0x0000000001D30000-0x0000000001D7C000-memory.dmp

memory/2676-38-0x0000000000360000-0x00000000003AF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 14:55

Reported

2023-10-16 07:56

Platform

win10v2004-20230915-en

Max time kernel

131s

Max time network

157s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 664 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 1136 wrote to memory of 664 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 664 wrote to memory of 3160 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 664 wrote to memory of 3160 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 3160 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3160 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 jkbarmossen.com udp
US 173.255.204.62:443 jkbarmossen.com tcp
US 8.8.8.8:53 62.204.255.173.in-addr.arpa udp
US 8.8.8.8:53 evinakortu.com udp
BG 94.232.46.27:443 evinakortu.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp

Files

C:\windows\Temp\0050-1.dll

MD5 510e0f061b1c3ff84f4cc810ff1dc6b2
SHA1 6c0cb0d21dde5ec87d30c4d15025f50ab293c062
SHA256 a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
SHA512 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea

C:\Windows\Temp\0050-1.dll

MD5 510e0f061b1c3ff84f4cc810ff1dc6b2
SHA1 6c0cb0d21dde5ec87d30c4d15025f50ab293c062
SHA256 a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c
SHA512 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea

memory/664-4-0x0000000001F50000-0x0000000001F5D000-memory.dmp

memory/664-8-0x0000000001F50000-0x0000000001F5D000-memory.dmp

C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2644-12-0x000001EB9C060000-0x000001EB9C0AF000-memory.dmp

memory/2644-13-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp

memory/2644-18-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp

memory/2644-19-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp

memory/2644-20-0x000001EB9C060000-0x000001EB9C0AF000-memory.dmp