Analysis
- max time kernel: 133s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2023 15:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs
- Resource: win7-20230831-en
General
- Target: 3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs
- Size: 1012KB
- MD5: 730202d675eaf81bc96b9c9b1d6168d9
- SHA1: cd515aee1eab6b6ba97202f8426c208602194463
- SHA256: 3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296
- SHA512: df807323bdd3c129cf951756c3110c5bd28ef7c833b51b6fb5cc56c9bff9f3991b5558a999b3e2d601547d68a8670dd0d51c65289a5ff703631fe246dd06b834
- SSDEEP: 6144:S9au8yx1oVR1cLE79fjlVy4YN+12CBeqv4iJQTTQOUO9M8byg/TcpMjHM4c1EECR:SR+Vatk+TQoM6sBO1Za+T
Malware Config
- Extracted: icedid 361893872
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes: rundll32.exe
  flow 8: pid 2668 rundll32.exe
  flow 12: pid 2668 rundll32.exe
  flow 14: pid 2668 rundll32.exe
- Loads dropped DLL (5 IoCs)
  Processes: regsvr32.exe, rundll32.exe
  pid 1452 regsvr32.exe
  pid 2668 rundll32.exe
  pid 2668 rundll32.exe
  pid 2668 rundll32.exe
  pid 2668 rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: regsvr32.exe
  pid 1452 regsvr32.exe
  pid 1452 regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: WScript.exe, regsvr32.exe, cmd.exe
  description | pid | process | target process
  PID 2580 wrote to memory of 1452 | 2580 | WScript.exe | regsvr32.exe
  PID 2580 wrote to memory of 1452 | 2580 | WScript.exe | regsvr32.exe
  PID 2580 wrote to memory of 1452 | 2580 | WScript.exe | regsvr32.exe
  PID 2580 wrote to memory of 1452 | 2580 | WScript.exe | regsvr32.exe
  PID 2580 wrote to memory of 1452 | 2580 | WScript.exe | regsvr32.exe
  PID 1452 wrote to memory of 2524 | 1452 | regsvr32.exe | cmd.exe
  PID 1452 wrote to memory of 2524 | 1452 | regsvr32.exe | cmd.exe
  PID 1452 wrote to memory of 2524 | 1452 | regsvr32.exe | cmd.exe
  PID 2524 wrote to memory of 2668 | 2524 | cmd.exe | rundll32.exe
  PID 2524 wrote to memory of 2668 | 2524 | cmd.exe | rundll32.exe
  PID 2524 wrote to memory of 2668 | 2524 | cmd.exe | rundll32.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs"
  - Suspicious use of WriteProcessMemory
  PID: 2580
  - C:\Windows\System32\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0386-1.dll
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1452
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\igkuewacwf.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 2524
      - C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Admin\igkuewacwf.dll,#1
        - Blocklisted process makes network request
        - Loads dropped DLL
        PID: 2668
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 583KB
  MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
  SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
  SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
  SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82
- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- Filesize: 328KB
  MD5: 37ba0ae11ebb981a1d5289e6ccb628c2
  SHA1: 2071e6f6d7924679f6d8d8ba21e5bcec120889ee
  SHA256: 2406ff05497716404ffcb51135bf85a60ba1b7bbb9fdddfdb6c326daafdbba0e
  SHA512: 3917264637ea88cd5115a1269715095e41c27dc29a75054148a8790267b333f48b77aa8b9990659910bb3368abb85e7e0478bbcb7a17654d0bd787dd321dedd9