Analysis
max time kernel: 132s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 16:08
Static task: static1
Behavioral task: behavioral1
Sample: 8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs
Resource: win7-20230831-en
General
Target: 8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs
Size: 1012KB
MD5: 1f748b8c698897498ad07a6362e780f1
SHA1: d931d2c1b103b41561db7760cf882c523624d28a
SHA256: 8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc
SHA512: 992c70b8c9c308b0de74bb0e31fab54a5144cf5de73d427e42f07181d61c109b6f5663fb794f2a349e527b6e6a0a535d34895e1b5b3041db87d9fd125934eeb7
SSDEEP: 6144:06OqlFA5GwtqDUJxtl6O2m07woeVIbNMFiczYClIFLCUygb8RII8auz1DJu1RGvg:7AF4hYimSCkAHuGGGPwfCeWz
Malware Config
Extracted
Family: icedid
Campaign ID: 361893872
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
40 | 2628 | rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | WScript.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
8 | regsvr32.exe
2628 | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{22C48B53-EB1E-CD28-5E74-542AA472D77E} | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{22C48B53-EB1E-CD28-5E74-542AA472D77E}\ = … | rundll32.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
8 | regsvr32.exe
8 | regsvr32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 1164 wrote to memory of 8 | 1164 | WScript.exe | regsvr32.exe
PID 1164 wrote to memory of 8 | 1164 | WScript.exe | regsvr32.exe
PID 8 wrote to memory of 3340 | 8 | regsvr32.exe | cmd.exe
PID 8 wrote to memory of 3340 | 8 | regsvr32.exe | cmd.exe
PID 3340 wrote to memory of 2628 | 3340 | cmd.exe | rundll32.exe
PID 3340 wrote to memory of 2628 | 3340 | cmd.exe | rundll32.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\System32\WScript.exe
    Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1164
    [2] C:\Windows\System32\regsvr32.exe
        Command: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0494-1.dll
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 8
        [3] C:\Windows\System32\cmd.exe
            Command: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll,#1
            - Suspicious use of WriteProcessMemory
            PID: 3340
            [4] C:\Windows\system32\rundll32.exe
                Command: rundll32.exe C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll,#1
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Modifies registry class
                PID: 2628
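The process chain above (WScript.exe -> regsvr32.exe loading a DLL from C:\Windows\Temp -> cmd.exe -> rundll32.exe calling export ordinal #1 from a GUID-named folder under AppData\Local) and the Geo\Nation registry lookup in the Signatures section are the pivots a detection engineer would take from this report. The script below is an added example, not part of the sandbox report or of any vendor's signature set: it runs a handful of rules over constructed Sysmon-style process-creation and registry events modelled on this tree. The command lines, pids and SID come from the report; the root parent pids, the benign regsvr32 control event and the rule names are assumptions made for the example.

```python
"""Detection rules for the regsvr32 -> cmd -> rundll32 chain seen in the report.

Added example, not from the sandbox report. Events are CONSTRUCTED in a
Sysmon-like shape (pid, ppid, image, command line, registry target).
"""
import re
from dataclasses import dataclass

# Values taken from the report's process tree and registry IoC.
VBS = r"C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"
SID = "S-1-5-21-1926387074-3400613176-3566796709-1000"
DLL = r"C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll"


@dataclass
class Event:
    kind: str          # "proc" = process creation, "reg" = registry value query
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    target: str = ""   # registry value path, "reg" events only


# Constructed events: pids 1164 -> 8 -> 3340 -> 2628 follow the report's tree;
# the root ppids (900, 700) and the benign control event are assumptions.
EVENTS = [
    Event("proc", 1164, 900, r"C:\Windows\System32\WScript.exe",
          '"C:\\Windows\\System32\\WScript.exe" "' + VBS + '"'),
    Event("reg", 1164, 900, r"C:\Windows\System32\WScript.exe",
          target="\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"),
    Event("proc", 8, 1164, r"C:\Windows\System32\regsvr32.exe",
          '"C:\\Windows\\System32\\regsvr32.exe" C://windows/Temp/0494-1.dll'),
    Event("proc", 3340, 8, r"C:\Windows\System32\cmd.exe",
          '"C:\\Windows\\System32\\cmd.exe" /C rundll32.exe ' + DLL + ",#1"),
    Event("proc", 2628, 3340, r"C:\Windows\system32\rundll32.exe",
          "rundll32.exe " + DLL + ",#1"),
    # benign control (assumed): an in-place registration from System32 must stay quiet
    Event("proc", 4100, 700, r"C:\Windows\System32\regsvr32.exe",
          '"C:\\Windows\\System32\\regsvr32.exe" /s C:\\Windows\\System32\\msxml6.dll'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
WINDOWS_TEMP = re.compile(r"[\\/]windows[\\/]temp[\\/]", re.I)      # tolerates C://windows/Temp/
APPDATA_LOCAL = re.compile(r"[\\/]appdata[\\/]local[\\/]", re.I)
ORDINAL_EXPORT = re.compile(r"\.dll\s*,\s*#\d+\b", re.I)           # rundll32 foo.dll,#1
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of the mixed / and \\ separators in the report."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events: list) -> list:
    """Return (pid, rule) pairs for events matching the behaviours in the report."""
    by_pid = {e.pid: e for e in events if e.kind == "proc"}
    hits = []
    for e in events:
        if e.kind == "reg":
            if GEO_NATION.search(e.target):          # locale lookup used as a geofence
                hits.append((e.pid, "geo_nation_lookup"))
            continue
        name = basename(e.image)
        parents = ancestry(by_pid, e.pid)[:-1]       # every known ancestor of this process
        if name == "regsvr32.exe":
            if parents and parents[-1] in SCRIPT_HOSTS:
                hits.append((e.pid, "regsvr32_spawned_by_script_host"))
            if WINDOWS_TEMP.search(e.cmdline):
                hits.append((e.pid, "regsvr32_dll_in_windows_temp"))
        if name == "rundll32.exe":
            if ORDINAL_EXPORT.search(e.cmdline) and APPDATA_LOCAL.search(e.cmdline):
                hits.append((e.pid, "rundll32_ordinal_export_from_appdata"))
            if any(p in SCRIPT_HOSTS for p in parents):
                hits.append((e.pid, "rundll32_descends_from_script_host"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid:5d}  {rule}")
```

The ancestry walk matters more than any single string match: cmd.exe sits between regsvr32.exe and rundll32.exe here, so a rule keyed only on the direct parent would miss that rundll32 ultimately descends from a script host. The benign regsvr32 event is there to show the rules stay quiet for an in-place registration from System32.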
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 556KB
MD5: 002c64d47bf8c0878ac8ec2b4740f682
SHA1: acc44c89420270083de7d67b025748a4b98071ed
SHA256: b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA512: 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

Filesize: 328KB
MD5: d7e6bc7d9983adc4dd2820d00756c7c0
SHA1: 15fa33e71a2c20f73bc4595546b1494ec2e561b0
SHA256: f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
SHA512: 42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001