Analysis
- max time kernel: 140s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2023 15:25

Static task: static1
Behavioral task: behavioral1
- Sample: 3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs
- Resource: win7-20230831-en
General
- Target: 3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs
- Size: 1012KB
- MD5: 730202d675eaf81bc96b9c9b1d6168d9
- SHA1: cd515aee1eab6b6ba97202f8426c208602194463
- SHA256: 3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296
- SHA512: df807323bdd3c129cf951756c3110c5bd28ef7c833b51b6fb5cc56c9bff9f3991b5558a999b3e2d601547d68a8670dd0d51c65289a5ff703631fe246dd06b834
- SSDEEP: 6144:S9au8yx1oVR1cLE79fjlVy4YN+12CBeqv4iJQTTQOUO9M8byg/TcpMjHM4c1EECR:SR+Vatk+TQoM6sBO1Za+T
Malware Config
Extracted
- Family: icedid
- Extracted value: 361893872 (numeric identifier as reported; IcedID configurations carry a campaign ID of this form)
Signatures

- Blocklisted process makes network request (3 IoCs)
  Processes (flow | pid | process):
  47 | 4932 | rundll32.exe
  49 | 4932 | rundll32.exe
  51 | 4932 | rundll32.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | WScript.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  4436 | regsvr32.exe
  4932 | rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{176999F7-E272-84DF-DB27-26AC523859D9} | rundll32.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{176999F7-E272-84DF-DB27-26AC523859D9}\ = (value not captured in this copy of the report) | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  4436 | regsvr32.exe
  4436 | regsvr32.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 3192 wrote to memory of 4436 | 3192 | WScript.exe | regsvr32.exe
  PID 3192 wrote to memory of 4436 | 3192 | WScript.exe | regsvr32.exe
  PID 4436 wrote to memory of 3240 | 4436 | regsvr32.exe | cmd.exe
  PID 4436 wrote to memory of 3240 | 4436 | regsvr32.exe | cmd.exe
  PID 3240 wrote to memory of 4932 | 3240 | cmd.exe | rundll32.exe
  PID 3240 wrote to memory of 4932 | 3240 | cmd.exe | rundll32.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- [1] C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs"
  PID: 3192
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\System32\regsvr32.exe (child of PID 3192)
    Command line: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0386-1.dll
    PID: 4436
    Signatures:
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\cmd.exe (child of PID 4436)
      Command line: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\omimbd\Woigmc\Jodevuacnm.dll,#1
      PID: 3240
      Signatures:
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\system32\rundll32.exe (child of PID 3240)
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\omimbd\Woigmc\Jodevuacnm.dll,#1
        PID: 4932
        Signatures:
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Modifies registry class
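The process tree above is the whole loader chain in four steps: a script host (WScript.exe) starts regsvr32.exe on a DLL in C:\Windows\Temp, that DLL spawns cmd.exe, and cmd.exe runs rundll32.exe on a second DLL under AppData\Local by ordinal export (#1), after which rundll32.exe creates a per-user CLSID key and makes the network requests. Each of those steps is individually detectable from process-creation and registry telemetry. The script below is an added example, not part of the Triage report and not the sandbox's own logic: it runs four such checks over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) that mirror the report's PIDs, paths and CLSID, plus one constructed benign control (an installer registering a System32 DLL) to show the rules do not fire on ordinary regsvr32 use. The root parent PID 1234 and explorer.exe, the field names, and the benign event are assumptions made for the example.

```python
"""Added example (not from the Triage report): flag the loader chain this
report shows, using constructed Sysmon-style events.

Assumptions: Sysmon field names (Image, ParentImage, CommandLine,
TargetObject); the explorer.exe/PID 1234 root and the benign setup.exe
event are invented for the example. PIDs, paths and the CLSID are the
ones the report lists.
"""
import ntpath
import re
from typing import Dict, List

# Constructed events mirroring the report's process tree and registry IoCs.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 3192, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a487d3f3cea6d0b055a46c6a2371de2631089400459617c554cbe263e045296_JC.vbs"'},
    {"EventID": 1, "ProcessId": 4436, "ParentProcessId": 3192,
     "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0386-1.dll'},
    {"EventID": 1, "ProcessId": 3240, "ParentProcessId": 4436,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\omimbd\Woigmc\Jodevuacnm.dll,#1'},
    {"EventID": 1, "ProcessId": 4932, "ParentProcessId": 3240,
     "Image": r"C:\Windows\system32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe C:\Users\Admin\AppData\Local\omimbd\Woigmc\Jodevuacnm.dll,#1'},
    {"EventID": 13, "ProcessId": 4932, "Image": r"C:\Windows\system32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{176999F7-E272-84DF-DB27-26AC523859D9}\(Default)"},
    # Constructed benign control: an installer registering a System32 DLL.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Program Files\Setup\setup.exe",
     "CommandLine": r'regsvr32.exe /s C:\Windows\System32\vbscript.dll'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Directories a standard user can write to; a DLL loaded from here by a
# signed LOLBin is the pattern in the report (Windows\Temp, AppData\Local).
WRITABLE_DIRS = (r"c:\windows\temp", r"\appdata\local", r"\appdata\roaming",
                 r"c:\programdata", r"c:\users\public")
DLL_RE = re.compile(r'([a-z]:[\\/][^\s",]+?\.dll)', re.I)
ORDINAL_RE = re.compile(r"\.dll\s*,\s*#\d+", re.I)


def normalize_path(p: str) -> str:
    """Lower-case and turn the report's mixed 'C://windows/Temp' form into c:\\windows\\temp."""
    p = p.replace("/", "\\").lower()
    return re.sub(r"\\{2,}", "\\\\", p)


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Parent chain (root first) of image basenames, from Event ID 1 records."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(ntpath.basename(cur["Image"]).lower())
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:  # parent not in the log: use the recorded ParentImage
            chain.append(ntpath.basename(cur["ParentImage"]).lower())
        cur = parent
    return list(reversed(chain))


def detect(events: List[Dict]) -> List[Dict]:
    """Apply the four checks; each finding is {'rule', 'pid', 'detail'}."""
    findings = []
    for e in events:
        image = ntpath.basename(e["Image"]).lower()
        pid = e["ProcessId"]
        if e["EventID"] == 1 and image in LOADERS:
            parent = ntpath.basename(e["ParentImage"]).lower()
            if parent in SCRIPT_HOSTS:
                findings.append({"rule": "SCRIPT_HOST_SPAWNS_LOADER", "pid": pid,
                                 "detail": f"{parent} -> {image}"})
            for m in DLL_RE.finditer(e["CommandLine"]):
                dll = normalize_path(m.group(1))
                if any(d in dll for d in WRITABLE_DIRS):
                    findings.append({"rule": "LOADER_DLL_FROM_WRITABLE_PATH", "pid": pid, "detail": dll})
            if image == "rundll32.exe" and ORDINAL_RE.search(e["CommandLine"]):
                findings.append({"rule": "RUNDLL32_ORDINAL_EXPORT", "pid": pid, "detail": e["CommandLine"]})
        elif e["EventID"] == 13 and image in LOADERS \
                and "_classes\\clsid\\{" in e["TargetObject"].lower():
            # Per-user COM registration (HKU\...\_Classes\CLSID) written by a LOLBin.
            findings.append({"rule": "PER_USER_CLSID_WRITE_BY_LOADER", "pid": pid, "detail": e["TargetObject"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']} {f['detail']}")
    print("lineage of 4932:", " -> ".join(lineage(SAMPLE_EVENTS, 4932)))
```

Run stand-alone it reports two findings for regsvr32.exe (PID 4436), three for rundll32.exe (PID 4932) and none for the benign control, and prints the explorer.exe -> wscript.exe -> regsvr32.exe -> cmd.exe -> rundll32.exe lineage. The path normalisation matters in practice: the report's `C://windows/Temp/0386-1.dll` is a valid Win32 path that a rule matching only on `C:\Windows\Temp\` would miss.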
Network: no entries in this copy of the report.
MITRE ATT&CK Enterprise v15: mapping not included in this copy of the report.

Downloads
- Filesize: 583KB
  MD5: 0245e02cbb6ffe2716c2aeb7fb8006d0
  SHA1: 59dd3d2477211eb4fcd72b542812a2036fa0e1e8
  SHA256: 5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1
  SHA512: 0c2e863512f2d83429e681cbcdb31bf9c6f0a69611f6d8923198d51d1e49750f4bf441c8ce256fb44a9cb39a6855e70fcbc644739926570214400bd06a683d82

- Filesize: 328KB
  MD5: 37ba0ae11ebb981a1d5289e6ccb628c2
  SHA1: 2071e6f6d7924679f6d8d8ba21e5bcec120889ee
  SHA256: 2406ff05497716404ffcb51135bf85a60ba1b7bbb9fdddfdb6c326daafdbba0e
  SHA512: 3917264637ea88cd5115a1269715095e41c27dc29a75054148a8790267b333f48b77aa8b9990659910bb3368abb85e7e0478bbcb7a17654d0bd787dd321dedd9