Analysis Overview
SHA256: 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e
Threat Level: Known bad
The file 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 14:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 14:55
Reported
2023-10-16 07:57
Platform
win7-20230831-en
Max time kernel
146s
Max time network
159s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0492-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\itqacoaccd.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Admin\itqacoaccd.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
Files
\Windows\Temp\0492-1.dll
| MD5 | bfec3494adddbbf4305e55cc3f9c106c |
| SHA1 | ae431c2c72e89eb65ad28f1ff9f09a6629683d25 |
| SHA256 | 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef |
| SHA512 | 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f |
C:\windows\Temp\0492-1.dll
| MD5 | bfec3494adddbbf4305e55cc3f9c106c |
| SHA1 | ae431c2c72e89eb65ad28f1ff9f09a6629683d25 |
| SHA256 | 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef |
| SHA512 | 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f |
memory/3068-3-0x00000000002A0000-0x00000000002AD000-memory.dmp
memory/3068-4-0x00000000002A0000-0x00000000002AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab6E6.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/3068-22-0x00000000002A0000-0x00000000002AD000-memory.dmp
C:\Users\Admin\AppData\Local\Admin\itqacoaccd.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
\Users\Admin\AppData\Local\Admin\itqacoaccd.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/2560-29-0x0000000000190000-0x00000000001DF000-memory.dmp
memory/2560-30-0x0000000001CD0000-0x0000000001D1C000-memory.dmp
memory/2560-35-0x0000000001CD0000-0x0000000001D1C000-memory.dmp
memory/2560-36-0x0000000001CD0000-0x0000000001D1C000-memory.dmp
memory/2560-37-0x0000000000190000-0x00000000001DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarCEA6.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 698fb5149113edc1910849960f60dd3b |
| SHA1 | c1c3580d4e47d437b446886e9735cd1a70de1c6c |
| SHA256 | fa397b9500175d0193d0bf9ba466d5d350e0300752574c990e52ace13958f69d |
| SHA512 | 902f8ed6cbb2d2217fa79aa217c74e7f55ab6d40217cbabdfa5643c724d1dab6fc7f5c0110f7b0fb5b0abe866585a8246b18c639560543f83d6090e11bbdbe59 |
memory/2560-58-0x0000000001CD0000-0x0000000001D1C000-memory.dmp
memory/2560-57-0x0000000001CD0000-0x0000000001D1C000-memory.dmp
memory/2560-60-0x0000000001CD0000-0x0000000001D1C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 14:55
Reported
2023-10-16 07:57
Platform
win10v2004-20230915-en
Max time kernel
156s
Max time network
157s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}\ = 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 | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1924 wrote to memory of 1052 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 1924 wrote to memory of 1052 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 1052 wrote to memory of 3452 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 1052 wrote to memory of 3452 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 3452 wrote to memory of 4132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3452 wrote to memory of 4132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0492-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll",#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| RU | 77.105.142.135:443 | skrechelres.com | tcp |
| US | 8.8.8.8:53 | 135.142.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
Files
C:\windows\Temp\0492-1.dll
| MD5 | bfec3494adddbbf4305e55cc3f9c106c |
| SHA1 | ae431c2c72e89eb65ad28f1ff9f09a6629683d25 |
| SHA256 | 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef |
| SHA512 | 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f |
C:\Windows\Temp\0492-1.dll
| MD5 | bfec3494adddbbf4305e55cc3f9c106c |
| SHA1 | ae431c2c72e89eb65ad28f1ff9f09a6629683d25 |
| SHA256 | 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef |
| SHA512 | 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f |
memory/1052-4-0x00000000029E0000-0x00000000029ED000-memory.dmp
memory/1052-8-0x00000000029E0000-0x00000000029ED000-memory.dmp
C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll
| MD5 | 0245e02cbb6ffe2716c2aeb7fb8006d0 |
| SHA1 | 59dd3d2477211eb4fcd72b542812a2036fa0e1e8 |
| SHA256 | 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 |
| SHA512 | 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82 |
memory/4132-12-0x0000025036CA0000-0x0000025036CEF000-memory.dmp
memory/4132-13-0x0000025036D70000-0x0000025036DBC000-memory.dmp
memory/4132-18-0x0000025036D70000-0x0000025036DBC000-memory.dmp
memory/4132-19-0x0000025036D70000-0x0000025036DBC000-memory.dmp
memory/4132-20-0x0000025036CA0000-0x0000025036CEF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 99417be1a9827b83001a8a20d22cfc79 |
| SHA1 | 80a9badb745061d0e7f9b2479ad684121c49e5c0 |
| SHA256 | eda240e83e62101b456b5e49cf7f7303b33a7bec0eb526735cde3145340556a7 |
| SHA512 | ca0f92770577adcbf417dfc4467d35b88942a600b03b3201c9d1db4c3a8ce15e951d1f41bcb355802a4663008aee5e54b1359ea0175b817682ef829c3535ce4a |
memory/4132-25-0x0000025036D70000-0x0000025036DBC000-memory.dmp
memory/4132-26-0x0000025036D70000-0x0000025036DBC000-memory.dmp
memory/4132-28-0x0000025036D70000-0x0000025036DBC000-memory.dmp
memory/2668-31-0x00000139F85E0000-0x00000139F862F000-memory.dmp
memory/2668-32-0x00000139F87B0000-0x00000139F87FC000-memory.dmp