Analysis
max time kernel: 120s
max time network: 133s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2023 16:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7_JC.vbs
  Resource: win7-20230831-en
General
Target: 8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7_JC.vbs
Size: 1012KB
MD5: 064e59b3e9028c0f3973f41742dedf41
SHA1: bc2ee10a88735cf4f3f664093ef2a1bc922664ce
SHA256: 8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7
SHA512: f75152a08fe57b89dbd432eac85a6e157df7f09f63b3b2f31e4b24ea0cc809c98f5401295f88b733a7464f843c12eedb50ff1cfb4958ac3aecb5b097687cba3a
SSDEEP: 6144:US/Pe5EE3Lt02BZDB9bmFn1kZGMdGKQ9jMHqCg/gthDDEssR+6NQ7NQKqxzTE6sP:n3mbsQG4HqC6k9jN2x6rxNCwX
Malware Config
Extracted: icedid 361893872
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  11    3040  rundll32.exe
  12    3040  rundll32.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid   process
  2644  regsvr32.exe
  3040  rundll32.exe
  3040  rundll32.exe
  3040  rundll32.exe
  3040  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes:
  description       ioc                                                                                                                  process
  Key created       \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36}     rundll32.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36}\ = (value elided)  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2644  regsvr32.exe
  2644  regsvr32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description      source pid  target pid  source process  target process
  wrote to memory  2228        2644        WScript.exe     regsvr32.exe
  wrote to memory  2228        2644        WScript.exe     regsvr32.exe
  wrote to memory  2228        2644        WScript.exe     regsvr32.exe
  wrote to memory  2228        2644        WScript.exe     regsvr32.exe
  wrote to memory  2228        2644        WScript.exe     regsvr32.exe
  wrote to memory  2644        2668        regsvr32.exe    cmd.exe
  wrote to memory  2644        2668        regsvr32.exe    cmd.exe
  wrote to memory  2644        2668        regsvr32.exe    cmd.exe
  wrote to memory  2668        3040        cmd.exe         rundll32.exe
  wrote to memory  2668        3040        cmd.exe         rundll32.exe
  wrote to memory  2668        3040        cmd.exe         rundll32.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (level 1) C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7_JC.vbs"
  PID: 2228
  Signatures: Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\System32\regsvr32.exe
    Command line: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0022-1.dll
    PID: 2644
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Ihjiacnk.dll,#1
      PID: 2668
      Signatures: Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\system32\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Ihjiacnk.dll,#1
        PID: 3040
        Signatures: Blocklisted process makes network request; Loads dropped DLL; Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 639308280fec1452f14b51e0b08c3ce6
  SHA1: 8626121d3888d1a46447002e50ca91c3479e45b6
  SHA256: 31e837b830649ec103160ed5629ee3d6461c5ed9219a016ad55dd7b4ba01d196
  SHA512: acb5e9b9165ce2a977c5fdae51b7c2f062d8d83652d5b2ed79ee05bd1421e3f4a332af691ba41772ec93089250e2f8528fc26d07a9db6f919ae233bcf6a99237
- Filesize: 61KB
  MD5: f3441b8572aae8801c04f3060b550443
  SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
  SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
  SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
- Filesize: 163KB
  MD5: 9441737383d21192400eca82fda910ec
  SHA1: 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
  SHA256: bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
  SHA512: 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
- Filesize: 556KB
  MD5: 002c64d47bf8c0878ac8ec2b4740f682
  SHA1: acc44c89420270083de7d67b025748a4b98071ed
  SHA256: b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
  SHA512: 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd
- Filesize: 328KB
  MD5: 518feb430bc216a4a3240ebd246c0a88
  SHA1: 5e692a03d01874e33376e85ab5d51840adbe5ed8
  SHA256: 3366a497c8c9a44557612b96cf49f307b10e4f1857dd622d1ffc1246bf4dae91
  SHA512: a771b15c5daf9e6abcacf13364ae17a00e648735df3fa47d7dfb50bcded55f7b3cbe03f145cb40e0233a49ef99077166823e5fcea7c7c286bbf7d17bed7cc39a