Analysis

  • max time kernel
    132s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 16:08

General

  • Target

    8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs

  • Size

    1012KB

  • MD5

    1f748b8c698897498ad07a6362e780f1

  • SHA1

    d931d2c1b103b41561db7760cf882c523624d28a

  • SHA256

    8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc

  • SHA512

    992c70b8c9c308b0de74bb0e31fab54a5144cf5de73d427e42f07181d61c109b6f5663fb794f2a349e527b6e6a0a535d34895e1b5b3041db87d9fd125934eeb7

  • SSDEEP

    6144:06OqlFA5GwtqDUJxtl6O2m07woeVIbNMFiczYClIFLCUygb8RII8auz1DJu1RGvg:7AF4hYimSCkAHuGGGPwfCeWz

Malware Config

Extracted

Family

icedid

Campaign

361893872

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0494-1.dll
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll,#1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll,#1
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Modifies registry class
          PID:2628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll

    Filesize

    556KB

    MD5

    002c64d47bf8c0878ac8ec2b4740f682

    SHA1

    acc44c89420270083de7d67b025748a4b98071ed

    SHA256

    b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1

    SHA512

    80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

  • C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll

    Filesize

    556KB

    MD5

    002c64d47bf8c0878ac8ec2b4740f682

    SHA1

    acc44c89420270083de7d67b025748a4b98071ed

    SHA256

    b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1

    SHA512

    80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

  • C:\Windows\Temp\0494-1.dll

    Filesize

    328KB

    MD5

    d7e6bc7d9983adc4dd2820d00756c7c0

    SHA1

    15fa33e71a2c20f73bc4595546b1494ec2e561b0

    SHA256

    f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711

    SHA512

    42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001

  • C:\windows\Temp\0494-1.dll

    Filesize

    328KB

    MD5

    d7e6bc7d9983adc4dd2820d00756c7c0

    SHA1

    15fa33e71a2c20f73bc4595546b1494ec2e561b0

    SHA256

    f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711

    SHA512

    42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001

  • memory/8-4-0x0000000000D30000-0x0000000000D3D000-memory.dmp

    Filesize

    52KB

  • memory/8-8-0x0000000000D30000-0x0000000000D3D000-memory.dmp

    Filesize

    52KB

  • memory/2628-12-0x000001CBE1B20000-0x000001CBE1B6F000-memory.dmp

    Filesize

    316KB

  • memory/2628-13-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

    Filesize

    304KB

  • memory/2628-18-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

    Filesize

    304KB

  • memory/2628-19-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

    Filesize

    304KB

  • memory/2628-20-0x000001CBE1B20000-0x000001CBE1B6F000-memory.dmp

    Filesize

    316KB

  • memory/2628-22-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

    Filesize

    304KB

  • memory/2628-23-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

    Filesize

    304KB

  • memory/2628-25-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

    Filesize

    304KB