Analysis Overview
SHA256
8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7
Threat Level: Known bad
The file 8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7_JC.vbs was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 16:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 16:02
Reported
2023-10-16 17:09
Platform
win7-20230831-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36}\ = [value removed] | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0022-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Ihjiacnk.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Ihjiacnk.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
Files
C:\windows\Temp\0022-1.dll
| MD5 | 518feb430bc216a4a3240ebd246c0a88 |
| SHA1 | 5e692a03d01874e33376e85ab5d51840adbe5ed8 |
| SHA256 | 3366a497c8c9a44557612b96cf49f307b10e4f1857dd622d1ffc1246bf4dae91 |
| SHA512 | a771b15c5daf9e6abcacf13364ae17a00e648735df3fa47d7dfb50bcded55f7b3cbe03f145cb40e0233a49ef99077166823e5fcea7c7c286bbf7d17bed7cc39a |
\Windows\Temp\0022-1.dll
| MD5 | 518feb430bc216a4a3240ebd246c0a88 |
| SHA1 | 5e692a03d01874e33376e85ab5d51840adbe5ed8 |
| SHA256 | 3366a497c8c9a44557612b96cf49f307b10e4f1857dd622d1ffc1246bf4dae91 |
| SHA512 | a771b15c5daf9e6abcacf13364ae17a00e648735df3fa47d7dfb50bcded55f7b3cbe03f145cb40e0233a49ef99077166823e5fcea7c7c286bbf7d17bed7cc39a |
memory/2644-4-0x0000000000120000-0x000000000012D000-memory.dmp
memory/2644-3-0x0000000000120000-0x000000000012D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9F9B.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2644-22-0x0000000000120000-0x000000000012D000-memory.dmp
memory/2644-23-0x0000000000120000-0x000000000012D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Admin\Ihjiacnk.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
\Users\Admin\AppData\Roaming\Admin\Ihjiacnk.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
memory/3040-31-0x0000000001D40000-0x0000000001D8C000-memory.dmp
memory/3040-30-0x0000000001B40000-0x0000000001B8F000-memory.dmp
memory/3040-36-0x0000000001D40000-0x0000000001D8C000-memory.dmp
memory/3040-37-0x0000000001D40000-0x0000000001D8C000-memory.dmp
memory/3040-38-0x0000000001B40000-0x0000000001B8F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 639308280fec1452f14b51e0b08c3ce6 |
| SHA1 | 8626121d3888d1a46447002e50ca91c3479e45b6 |
| SHA256 | 31e837b830649ec103160ed5629ee3d6461c5ed9219a016ad55dd7b4ba01d196 |
| SHA512 | acb5e9b9165ce2a977c5fdae51b7c2f062d8d83652d5b2ed79ee05bd1421e3f4a332af691ba41772ec93089250e2f8528fc26d07a9db6f919ae233bcf6a99237 |
C:\Users\Admin\AppData\Local\Temp\Tar1D9F.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/3040-58-0x0000000001D40000-0x0000000001D8C000-memory.dmp
memory/3040-57-0x0000000001D40000-0x0000000001D8C000-memory.dmp
memory/3040-60-0x0000000001D40000-0x0000000001D8C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 16:02
Reported
2023-10-16 17:09
Platform
win10v2004-20230915-en
Max time kernel
95s
Max time network
138s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{22C48B53-EB1E-CD28-5E74-542AA472D77E} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{22C48B53-EB1E-CD28-5E74-542AA472D77E}\ = [value removed] | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1540 wrote to memory of 4976 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 1540 wrote to memory of 4976 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 4976 wrote to memory of 4952 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 4976 wrote to memory of 4952 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 4952 wrote to memory of 3096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 4952 wrote to memory of 3096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8041f1d8a71c710538a31bc441cf3ba7678185fb75e6423bbf3733175f9dccf7_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0022-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\{5F9A09C9-354A-1192-1E64-3ABEBD5661E7}\{69E7EB9B-A9F4-C548-8CC2-9D3C7055F34E}\ehyiacsk.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\{5F9A09C9-354A-1192-1E64-3ABEBD5661E7}\{69E7EB9B-A9F4-C548-8CC2-9D3C7055F34E}\ehyiacsk.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
| US | 8.8.8.8:53 | 181.140.105.77.in-addr.arpa | udp |
Files
C:\windows\Temp\0022-1.dll
| MD5 | 518feb430bc216a4a3240ebd246c0a88 |
| SHA1 | 5e692a03d01874e33376e85ab5d51840adbe5ed8 |
| SHA256 | 3366a497c8c9a44557612b96cf49f307b10e4f1857dd622d1ffc1246bf4dae91 |
| SHA512 | a771b15c5daf9e6abcacf13364ae17a00e648735df3fa47d7dfb50bcded55f7b3cbe03f145cb40e0233a49ef99077166823e5fcea7c7c286bbf7d17bed7cc39a |
C:\Windows\Temp\0022-1.dll
| MD5 | 518feb430bc216a4a3240ebd246c0a88 |
| SHA1 | 5e692a03d01874e33376e85ab5d51840adbe5ed8 |
| SHA256 | 3366a497c8c9a44557612b96cf49f307b10e4f1857dd622d1ffc1246bf4dae91 |
| SHA512 | a771b15c5daf9e6abcacf13364ae17a00e648735df3fa47d7dfb50bcded55f7b3cbe03f145cb40e0233a49ef99077166823e5fcea7c7c286bbf7d17bed7cc39a |
memory/4976-4-0x0000000000970000-0x000000000097D000-memory.dmp
memory/4976-8-0x0000000000970000-0x000000000097D000-memory.dmp
C:\Users\Admin\AppData\Local\{5F9A09C9-354A-1192-1E64-3ABEBD5661E7}\{69E7EB9B-A9F4-C548-8CC2-9D3C7055F34E}\ehyiacsk.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
memory/3096-12-0x0000026AA47F0000-0x0000026AA483F000-memory.dmp
memory/3096-13-0x0000026AA48C0000-0x0000026AA490C000-memory.dmp
memory/3096-18-0x0000026AA48C0000-0x0000026AA490C000-memory.dmp
memory/3096-19-0x0000026AA48C0000-0x0000026AA490C000-memory.dmp
memory/3096-20-0x0000026AA47F0000-0x0000026AA483F000-memory.dmp
memory/3096-22-0x0000026AA48C0000-0x0000026AA490C000-memory.dmp
memory/3096-23-0x0000026AA48C0000-0x0000026AA490C000-memory.dmp
memory/3096-25-0x0000026AA48C0000-0x0000026AA490C000-memory.dmp