Analysis
max time kernel: 156s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 14:55
Static task: static1
Behavioral task: behavioral1
Sample: 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs
Resource: win7-20230831-en
General
Target: 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs
Size: 1012KB
MD5: b067d01ed850c7ab59e9c5ff8d62f30e
SHA1: e529df02ce5c37176a5befe9f52d5f2b880510e9
SHA256: 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e
SHA512: dd9233fb0bc992963f467f8dee16dbc639aab4b164178552a138633a21e09a71f3cc68c3ea6e2b1ae0234784a19d6041b6bb03495956677cf18d630ce8c8f338
SSDEEP: 6144:Fs9phl54PN1TsOeXfR+D06ucjJ6MJOu/P5XUbMhj2xppOVi7tYZmiOkag187u04F:saxpZhkbMxMKUlHRmouOGUkTg21
Malware Config
Extracted config: family icedid, 361893872
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow 44, pid 4132, process rundll32.exe
    flow 46, pid 4132, process rundll32.exe
    flow 48, pid 4132, process rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation; process: WScript.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid 1052, process regsvr32.exe
    pid 4132, process rundll32.exe
    pid 2668, process rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes:
    description: Key created; ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}; process: rundll32.exe
    description: Set value (data); ioc: \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}\ = [value elided in source]; process: rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1052, process regsvr32.exe
    pid 1052, process regsvr32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 1924 wrote to memory of 1052; pid 1924, process WScript.exe, target process regsvr32.exe
    description: PID 1924 wrote to memory of 1052; pid 1924, process WScript.exe, target process regsvr32.exe
    description: PID 1052 wrote to memory of 3452; pid 1052, process regsvr32.exe, target process cmd.exe
    description: PID 1052 wrote to memory of 3452; pid 1052, process regsvr32.exe, target process cmd.exe
    description: PID 3452 wrote to memory of 4132; pid 3452, process cmd.exe, target process rundll32.exe
    description: PID 3452 wrote to memory of 4132; pid 3452, process cmd.exe, target process rundll32.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"
  PID: 1924
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0492-1.dll
    PID: 1052
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll,#1
      PID: 3452
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll,#1
        PID: 4132
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Modifies registry class
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll",#1
  PID: 2668
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize: 330B
  MD5: 99417be1a9827b83001a8a20d22cfc79
  SHA1: 80a9badb745061d0e7f9b2479ad684121c49e5c0
  SHA256: eda240e83e62101b456b5e49cf7f7303b33a7bec0eb526735cde3145340556a7
  SHA512: ca0f92770577adcbf417dfc4467d35b88942a600b03b3201c9d1db4c3a8ce15e951d1f41bcb355802a4663008aee5e54b1359ea0175b817682ef829c3535ce4a
- (path not present in the source)
  Filesize: 583KB
  MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
  SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
  SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
  SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82
- (path not present in the source)
  Filesize: 328KB
  MD5: bfec3494adddbbf4305e55cc3f9c106c
  SHA1: ae431c2c72e89eb65ad28f1ff9f09a6629683d25
  SHA256: 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef
  SHA512: 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f