Analysis Overview
SHA256
0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4
Threat Level: Known bad
The file 0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 14:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 14:55
Reported
2023-10-16 07:55
Platform
win7-20230831-en
Max time kernel
134s
Max time network
152s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | jkbarmossen.com | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | evinakortu.com | udp |
| BG | 94.232.46.27:443 | evinakortu.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
Files
C:\windows\Temp\0050-1.dll
| MD5 | 510e0f061b1c3ff84f4cc810ff1dc6b2 |
| SHA1 | 6c0cb0d21dde5ec87d30c4d15025f50ab293c062 |
| SHA256 | a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c |
| SHA512 | 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea |
\Windows\Temp\0050-1.dll
| MD5 | 510e0f061b1c3ff84f4cc810ff1dc6b2 |
| SHA1 | 6c0cb0d21dde5ec87d30c4d15025f50ab293c062 |
| SHA256 | a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c |
| SHA512 | 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea |
memory/876-4-0x0000000000130000-0x000000000013D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab761C.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/876-22-0x0000000000130000-0x000000000013D000-memory.dmp
memory/876-23-0x0000000000130000-0x000000000013D000-memory.dmp
C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/2676-30-0x0000000000360000-0x00000000003AF000-memory.dmp
memory/2676-31-0x0000000001D30000-0x0000000001D7C000-memory.dmp
memory/2676-36-0x0000000001D30000-0x0000000001D7C000-memory.dmp
memory/2676-37-0x0000000001D30000-0x0000000001D7C000-memory.dmp
memory/2676-38-0x0000000000360000-0x00000000003AF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 14:55
Reported
2023-10-16 07:56
Platform
win10v2004-20230915-en
Max time kernel
131s
Max time network
157s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1136 wrote to memory of 664 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 1136 wrote to memory of 664 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 664 wrote to memory of 3160 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 664 wrote to memory of 3160 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 3160 wrote to memory of 2644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3160 wrote to memory of 2644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1
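The process chain recorded in both detonations (WScript.exe -> regsvr32.exe -> cmd.exe -> rundll32.exe, with PIDs 1136, 664, 3160 and 2644 taken from the behavioral2 WriteProcessMemory table) is the part of this report a detection engineer would turn into rules. The following Python is an added example, not part of the sandbox output and not any product's detection logic: it reconstructs the four process-creation events from the report's Processes list (the event layout and the absent parent of WScript.exe are assumptions) and runs five rules over them.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    pid: int
    ppid: Optional[int]   # None when the parent was not captured
    image: str
    cmdline: str


# Constructed process-creation events for the behavioral2 run. PIDs come from the
# WriteProcessMemory table, command lines from the Processes list; the parent of
# WScript.exe is not in the report, so it is left as None (an assumption).
SAMPLE_EVENTS = [
    ProcessEvent(1136, None, r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4_JC.vbs"'),
    ProcessEvent(664, 1136, r"C:\Windows\System32\regsvr32.exe",
                 r'"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0050-1.dll'),
    ProcessEvent(3160, 664, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1'),
    ProcessEvent(2644, 3160, r"C:\Windows\system32\rundll32.exe",
                 r"rundll32.exe C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll,#1"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_LOADERS = {"regsvr32.exe", "rundll32.exe"}
# First DLL path on a command line, plus an optional ",<export>" or ",#<ordinal>" suffix.
DLL_ARG = re.compile(r'(?i)\b([a-z]:[\\/][^\s"]+?\.dll)(?:,(#?\w+))?')
# Directories a standard user can write to and that no OS component should be loaded from.
SUSPECT_DLL_DIR = re.compile(r"(?i)\\(users\\[^\\]+\\appdata|windows\\temp|programdata)\\")


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def normalize(path: str) -> str:
    """Collapse forward slashes and doubled separators (C://windows/Temp) to one form."""
    return re.sub(r"[\\/]+", r"\\", path).lower()


def ancestry(events, pid):
    """Image basenames from the root of the chain down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Return (pid, rule_name) findings for the process tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else None
        m = DLL_ARG.search(e.cmdline)
        dll, export = (m.group(1), m.group(2)) if m else (None, None)

        # 1. A script host launching a DLL-loading LOLBin (the .vbs -> regsvr32 step).
        if pname in SCRIPT_HOSTS and name in DLL_LOADERS:
            findings.append((e.pid, "script_host_spawns_dll_loader"))
        # 2. regsvr32/rundll32 given a DLL that lives under Temp, AppData or ProgramData.
        if name in DLL_LOADERS and dll and SUSPECT_DLL_DIR.search(normalize(dll)):
            findings.append((e.pid, "dll_loader_from_temp_or_appdata"))
        # 3. rundll32 invoking an export by ordinal (",#1"), as this sample's second stage does.
        if name == "rundll32.exe" and export and export.startswith("#"):
            findings.append((e.pid, "rundll32_ordinal_export"))
        # 4. Forward slashes in the regsvr32 argument: Win32 path APIs accept them, but a
        #    naive string match on "C:\Windows\Temp" would miss this path.
        if name == "regsvr32.exe" and dll and "/" in dll:
            findings.append((e.pid, "regsvr32_forward_slash_path"))
        # 5. regsvr32 spawning a shell: code in the dropped DLL (DllMain or
        #    DllRegisterServer) launched cmd.exe, which regsvr32 never does on its own.
        if pname == "regsvr32.exe" and name == "cmd.exe":
            findings.append((e.pid, "regsvr32_spawns_shell"))
    return findings


if __name__ == "__main__":
    print(ancestry(SAMPLE_EVENTS, 2644))
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Run against the reconstructed events, `detect` fires six times (three on regsvr32, one on cmd.exe, two on rundll32) and never on WScript.exe itself; the Win7 run differs only in the second-stage path (`AppData\Roaming\{...}\gemomc3\Pomaacpa.dll`), which rule 2 matches the same way.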
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jkbarmossen.com | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | 62.204.255.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evinakortu.com | udp |
| BG | 94.232.46.27:443 | evinakortu.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
Files
C:\windows\Temp\0050-1.dll
| MD5 | 510e0f061b1c3ff84f4cc810ff1dc6b2 |
| SHA1 | 6c0cb0d21dde5ec87d30c4d15025f50ab293c062 |
| SHA256 | a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c |
| SHA512 | 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea |
C:\Windows\Temp\0050-1.dll
| MD5 | 510e0f061b1c3ff84f4cc810ff1dc6b2 |
| SHA1 | 6c0cb0d21dde5ec87d30c4d15025f50ab293c062 |
| SHA256 | a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c |
| SHA512 | 09094d9fd88f7d519844f085d1e586e1e974a5f907cc99aa60f23f73e603be168040212eff14fe6cdc53bebc7536d307269a1c77cad22b4e7cabf89213b8f3ea |
memory/664-4-0x0000000001F50000-0x0000000001F5D000-memory.dmp
memory/664-8-0x0000000001F50000-0x0000000001F5D000-memory.dmp
C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/2644-12-0x000001EB9C060000-0x000001EB9C0AF000-memory.dmp
memory/2644-13-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp
memory/2644-18-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp
memory/2644-19-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp
memory/2644-20-0x000001EB9C060000-0x000001EB9C0AF000-memory.dmp
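The Network and Files tables of both runs are the indicators a responder would carry out of this report, but they need triage first: most network rows are the sandbox's own DNS traffic to 8.8.8.8 and reverse lookups (`*.in-addr.arpa`) that do not by themselves show contact, the Files section lists the same two binaries several times under different path spellings, and the memory-dump names encode region sizes that can be compared across the two runs. The following Python is an added example, not part of the sandbox output; its inputs are copied from this report's tables (the network rows are a subset), and treating 8.8.8.8 as the lab resolver is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed input, copied from the behavioral2 Network table of this report
# (a subset of the PTR rows is enough to show the point). The tuples mirror the
# report's (Country, Destination, Domain, Proto) columns.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "modalefastnow.com", "udp"),
    ("IQ", "212.18.104.12:443", "modalefastnow.com", "tcp"),
    ("US", "8.8.8.8:53", "12.104.18.212.in-addr.arpa", "udp"),
    ("IQ", "212.18.104.12:80", "modalefastnow.com", "tcp"),
    ("US", "8.8.8.8:53", "jkbarmossen.com", "udp"),
    ("US", "173.255.204.62:443", "jkbarmossen.com", "tcp"),
    ("US", "8.8.8.8:53", "62.204.255.173.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "evinakortu.com", "udp"),
    ("BG", "94.232.46.27:443", "evinakortu.com", "tcp"),
    ("US", "8.8.8.8:53", "hofsaalos.com", "udp"),
    ("RU", "92.118.112.113:443", "hofsaalos.com", "tcp"),
]

# Assumption: 8.8.8.8 is the sandbox's resolver, so traffic to it says nothing
# about the malware's own infrastructure.
RESOLVERS = {"8.8.8.8"}


def triage_network(rows):
    """Split sandbox network rows into C2 candidates and noise.

    Returns (c2, noise): c2 maps each contacted domain to the sorted 'ip:port'
    endpoints the sample actually connected to; noise is every row dropped as
    resolver traffic or a reverse-DNS (in-addr.arpa) lookup.
    """
    c2 = defaultdict(set)
    noise = []
    for row in rows:
        _, dest, domain, _ = row
        ip, _, port = dest.rpartition(":")
        if ip in RESOLVERS or domain.endswith(".in-addr.arpa"):
            noise.append(row)
            continue
        c2[domain].add(f"{ip}:{port}")
    return {d: sorted(eps) for d, eps in c2.items()}, noise


def ptr_targets(rows):
    """Turn each in-addr.arpa lookup back into the IPv4 address it asked about."""
    out = set()
    for _, _, domain, _ in rows:
        if domain.endswith(".in-addr.arpa"):
            octets = domain[: -len(".in-addr.arpa")].split(".")
            if len(octets) == 4:
                out.add(str(ip_address(".".join(reversed(octets)))))
    return out


def corroborated_c2(rows):
    """IPs that were both reverse-resolved and connected to over TCP.

    A PTR lookup alone is not contact: 51.124.78.146 is looked up but never
    connected to, while 212.18.104.12 is looked up and reached on 443 and 80.
    """
    c2, _ = triage_network(rows)
    contacted = {ep.rpartition(":")[0] for eps in c2.values() for ep in eps}
    return ptr_targets(rows) & contacted


# Constructed from the Files section: the same payload DLL is reported under two
# path spellings and, across the two runs, under two different drop paths.
FILE_ROWS = [
    (r"C:\windows\Temp\0050-1.dll", "a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c"),
    (r"\Windows\Temp\0050-1.dll", "a12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c"),
    (r"C:\Users\Admin\AppData\Roaming\{9AD1DA62-0F94-CEAF-1BD4-BC0CC0C4B11C}\gemomc3\Pomaacpa.dll",
     "5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1"),
    (r"C:\Users\Admin\AppData\Local\Erboevbd\yiijniacac32.dll",
     "5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1"),
]


def unique_artifacts(rows):
    """Group dropped-file rows by SHA256 so each distinct binary is listed once."""
    by_hash = defaultdict(set)
    for path, sha256 in rows:
        by_hash[sha256.lower()].add(path)
    return {h: sorted(paths) for h, paths in by_hash.items()}


# Memory-dump names of the rundll32 process in each run (behavioral1 PID 2676,
# behavioral2 PID 2644), copied from the report.
DUMP_RE = re.compile(r"memory/\d+-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DUMPS_BEHAVIORAL1 = [
    "memory/2676-30-0x0000000000360000-0x00000000003AF000-memory.dmp",
    "memory/2676-31-0x0000000001D30000-0x0000000001D7C000-memory.dmp",
]
DUMPS_BEHAVIORAL2 = [
    "memory/2644-12-0x000001EB9C060000-0x000001EB9C0AF000-memory.dmp",
    "memory/2644-13-0x000001EB9C220000-0x000001EB9C26C000-memory.dmp",
]


def region_sizes(dump_names):
    """Sorted sizes of the dumped regions; identical sizes across runs are
    consistent with the same unpacked payload despite different base addresses."""
    sizes = set()
    for name in dump_names:
        m = DUMP_RE.fullmatch(name)
        if m:
            sizes.add(int(m.group(2), 16) - int(m.group(1), 16))
    return sorted(sizes)
```

On the report's rows `triage_network` leaves four domains, each with its TCP endpoint; `corroborated_c2` narrows the PTR targets to 212.18.104.12 and 173.255.204.62, the two that were also connected to; `unique_artifacts` collapses the Files section to two binaries; and `region_sizes` gives 0x4C000 and 0x4F000 for the rundll32 dumps of both the Win7 and the Win10 run.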