Malware Analysis Report

2024-10-18 23:50

Sample ID 231012-saqalsha52
Target 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs
SHA256 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e
Tags
icedid 361893872 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e

Threat Level: Known bad

The file 0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs was found to be: Known bad.

Malicious Activity Summary

icedid 361893872 banker trojan

IcedID, BokBot

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 14:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 14:55

Reported

2023-10-16 07:57

Platform

win7-20230831-en

Max time kernel

146s

Max time network

159s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0492-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\itqacoaccd.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Admin\itqacoaccd.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
US 8.8.8.8:53 jerryposter.com udp
RU 77.105.140.181:443 jerryposter.com tcp

Files

\Windows\Temp\0492-1.dll

MD5 bfec3494adddbbf4305e55cc3f9c106c
SHA1 ae431c2c72e89eb65ad28f1ff9f09a6629683d25
SHA256 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef
SHA512 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f

C:\windows\Temp\0492-1.dll

MD5 bfec3494adddbbf4305e55cc3f9c106c
SHA1 ae431c2c72e89eb65ad28f1ff9f09a6629683d25
SHA256 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef
SHA512 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f

memory/3068-3-0x00000000002A0000-0x00000000002AD000-memory.dmp

memory/3068-4-0x00000000002A0000-0x00000000002AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6E6.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/3068-22-0x00000000002A0000-0x00000000002AD000-memory.dmp

C:\Users\Admin\AppData\Local\Admin\itqacoaccd.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

\Users\Admin\AppData\Local\Admin\itqacoaccd.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2560-29-0x0000000000190000-0x00000000001DF000-memory.dmp

memory/2560-30-0x0000000001CD0000-0x0000000001D1C000-memory.dmp

memory/2560-35-0x0000000001CD0000-0x0000000001D1C000-memory.dmp

memory/2560-36-0x0000000001CD0000-0x0000000001D1C000-memory.dmp

memory/2560-37-0x0000000000190000-0x00000000001DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarCEA6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 698fb5149113edc1910849960f60dd3b
SHA1 c1c3580d4e47d437b446886e9735cd1a70de1c6c
SHA256 fa397b9500175d0193d0bf9ba466d5d350e0300752574c990e52ace13958f69d
SHA512 902f8ed6cbb2d2217fa79aa217c74e7f55ab6d40217cbabdfa5643c724d1dab6fc7f5c0110f7b0fb5b0abe866585a8246b18c639560543f83d6090e11bbdbe59

memory/2560-58-0x0000000001CD0000-0x0000000001D1C000-memory.dmp

memory/2560-57-0x0000000001CD0000-0x0000000001D1C000-memory.dmp

memory/2560-60-0x0000000001CD0000-0x0000000001D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 14:55

Reported

2023-10-16 07:57

Platform

win10v2004-20230915-en

Max time kernel

156s

Max time network

157s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3} | C:\Windows\system32\rundll32.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}\ = 7cd98d73c18b257af5fc6b4971cd8c70b5266bd5e03416c4973be746089f282b1b8de11e484aeb0f4a548253357a74f303db36dfcdbfdcb54487c9a5fcc6190eda54828104ae37d791e941b68b557d18076bf58c17955b234f37cb5ec7a9ec483349d48a206617f18e24e6c6279be9154007bdfe1a4a4874201db1a1ce38cfa1813dcd11c6552375c286395f42bd1ae87422cb4e57c186e5972452a4fd46d215c19f3f000efa156134d591385753205b51f89cab8bd82e41214c295c57d062af8774944ddf04eefbe370bc0df0632996035b438404ec6ea2f0c98e8334d4e5257b9106404642cb02e66ba5082d2548458786ad0f73492cbf04f86a2287cc5967b3943eda8319e0efbcfefcf3bcf0f6e960d3f94e | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 1052 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe
PID 1924 wrote to memory of 1052 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe
PID 1052 wrote to memory of 3452 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe
PID 1052 wrote to memory of 3452 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe
PID 3452 wrote to memory of 4132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 3452 wrote to memory of 4132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0aac9c2f0650d572c11b03ac3ad1a3abc981fc9eef3682ebdc17d0a2bb9e2c7e_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0492-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 hofsaalos.com udp
RU 92.118.112.113:443 hofsaalos.com tcp
US 8.8.8.8:53 skrechelres.com udp
RU 77.105.142.135:443 skrechelres.com tcp
US 8.8.8.8:53 135.142.105.77.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

C:\windows\Temp\0492-1.dll

MD5 bfec3494adddbbf4305e55cc3f9c106c
SHA1 ae431c2c72e89eb65ad28f1ff9f09a6629683d25
SHA256 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef
SHA512 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f

C:\Windows\Temp\0492-1.dll

MD5 bfec3494adddbbf4305e55cc3f9c106c
SHA1 ae431c2c72e89eb65ad28f1ff9f09a6629683d25
SHA256 6081c50f00781636c59d48afe9e9c3d4e3040223e22ad2440b6aa37b649730ef
SHA512 7fa4e0f676cd9f12079c947bf831a9dcdbd46528f2c96eec5d404a440e16dbf46f67fa9e4c997e41c89907d7969f1f93abfdaad090ed6e6ecb54a26fc132e52f

memory/1052-4-0x00000000029E0000-0x00000000029ED000-memory.dmp

memory/1052-8-0x00000000029E0000-0x00000000029ED000-memory.dmp

C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/4132-12-0x0000025036CA0000-0x0000025036CEF000-memory.dmp

memory/4132-13-0x0000025036D70000-0x0000025036DBC000-memory.dmp

memory/4132-18-0x0000025036D70000-0x0000025036DBC000-memory.dmp

memory/4132-19-0x0000025036D70000-0x0000025036DBC000-memory.dmp

memory/4132-20-0x0000025036CA0000-0x0000025036CEF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 99417be1a9827b83001a8a20d22cfc79
SHA1 80a9badb745061d0e7f9b2479ad684121c49e5c0
SHA256 eda240e83e62101b456b5e49cf7f7303b33a7bec0eb526735cde3145340556a7
SHA512 ca0f92770577adcbf417dfc4467d35b88942a600b03b3201c9d1db4c3a8ce15e951d1f41bcb355802a4663008aee5e54b1359ea0175b817682ef829c3535ce4a

memory/4132-25-0x0000025036D70000-0x0000025036DBC000-memory.dmp

memory/4132-26-0x0000025036D70000-0x0000025036DBC000-memory.dmp

memory/4132-28-0x0000025036D70000-0x0000025036DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Admin\Ucahoxaceu4.dll

MD5 0245e02cbb6ffe2716c2aeb7fb8006d0
SHA1 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
SHA256 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
SHA512 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

memory/2668-31-0x00000139F85E0000-0x00000139F862F000-memory.dmp

memory/2668-32-0x00000139F87B0000-0x00000139F87FC000-memory.dmp