Malware Analysis Report

2024-10-18 23:50

Sample ID 231012-tlbr2aad7t
Target 8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs
SHA256 8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc
Tags
icedid 361893872 banker trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc

Threat Level: Known bad

The file 8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs was found to be: Known bad.

Malicious Activity Summary

icedid 361893872 banker trojan

IcedID, BokBot

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 16:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 16:08

Reported

2023-10-16 17:12

Platform

win7-20230831-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\CLSID\{CD1A6948-1029-6F7B-A9B0-B5B689432798} C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\CLSID\{CD1A6948-1029-6F7B-A9B0-B5B689432798}\ = [binary value omitted] C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0494-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Admin\Abufackw.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Admin\Abufackw.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 jerryposter.com udp
RU 77.105.140.181:443 jerryposter.com tcp

Files

C:\windows\Temp\0494-1.dll

MD5 d7e6bc7d9983adc4dd2820d00756c7c0
SHA1 15fa33e71a2c20f73bc4595546b1494ec2e561b0
SHA256 f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
SHA512 42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001

\Windows\Temp\0494-1.dll

MD5 d7e6bc7d9983adc4dd2820d00756c7c0
SHA1 15fa33e71a2c20f73bc4595546b1494ec2e561b0
SHA256 f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
SHA512 42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001

memory/3036-4-0x00000000002A0000-0x00000000002AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBAB9.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/3036-22-0x00000000002A0000-0x00000000002AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Admin\Admin\Abufackw.dll

MD5 002c64d47bf8c0878ac8ec2b4740f682
SHA1 acc44c89420270083de7d67b025748a4b98071ed
SHA256 b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA512 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

\Users\Admin\AppData\Roaming\Admin\Admin\Abufackw.dll

MD5 002c64d47bf8c0878ac8ec2b4740f682
SHA1 acc44c89420270083de7d67b025748a4b98071ed
SHA256 b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA512 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

memory/2504-29-0x0000000001AC0000-0x0000000001B0F000-memory.dmp

memory/2504-30-0x0000000001D60000-0x0000000001DAC000-memory.dmp

memory/2504-35-0x0000000001D60000-0x0000000001DAC000-memory.dmp

memory/2504-36-0x0000000001D60000-0x0000000001DAC000-memory.dmp

memory/2504-37-0x0000000001AC0000-0x0000000001B0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarF384.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7468a08db9bcc2e67322f51fa8d0669
SHA1 66b1050600f05920cb0de51aab629214469f3017
SHA256 c936b1001a546ae78694c441f508fc85e5b1e8006dbe12eb382b145e983e4121
SHA512 c73da20db342404e12ad0f6302616b8b9ca7fd9a919a51416928178b3da44483495927b00625df46cae8a9662c0966a5a086dec94c4d4c0cacabca5094a09f36

memory/2504-57-0x0000000001D60000-0x0000000001DAC000-memory.dmp

memory/2504-56-0x0000000001D60000-0x0000000001DAC000-memory.dmp

memory/2504-59-0x0000000001D60000-0x0000000001DAC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 16:08

Reported

2023-10-16 17:15

Platform

win10v2004-20230915-en

Max time kernel

132s

Max time network

167s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"

Signatures

IcedID, BokBot

trojan banker icedid

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{22C48B53-EB1E-CD28-5E74-542AA472D77E} C:\Windows\system32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{22C48B53-EB1E-CD28-5E74-542AA472D77E}\ = c06fb6051a2fd7f129d6169e5931aa812ae209a668f0b4755e969ed3c1802e2e984d81ce60f60d3c62603836c63c17adf4730a2d54f83ee66c6b0744edcf14818421970afaf91dd89f609ca39e6e07fd14e3b9e2cab06a8883953a47507347b634c914aa503e73a37500d8f19fff1b12dcd106445f299ecf8453deb9ca3acca181bd8db1964daf2b354cda0deb70b51070a094e61befe9a9693dc71f07d319f96fa28ef9c9586aa1940579b409c49491bc55e16aaad7ae0141dc6100b185b90bf13fe857ea6f24c61a6537c39faf17af6628d5cf1aeb6c21b0e99ebb883256eddfe39f374cb991a71573b112a67bbf91ed0b5257a7f349ce63a48c311ff8dfa49527d6f6f1f0fdeebdfd7c331cc08ebd0a0c4f27 C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 8 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 1164 wrote to memory of 8 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\regsvr32.exe
PID 8 wrote to memory of 3340 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 8 wrote to memory of 3340 N/A C:\Windows\System32\regsvr32.exe C:\Windows\System32\cmd.exe
PID 3340 wrote to memory of 2628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3340 wrote to memory of 2628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a271be660b40e3b923bc8ba9479aa54d38cb232dd27e1217ad26e547e3a73bc_JC.vbs"

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0494-1.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 modalefastnow.com udp
IQ 212.18.104.12:443 modalefastnow.com tcp
IQ 212.18.104.12:80 modalefastnow.com tcp
US 8.8.8.8:53 12.104.18.212.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 jerryposter.com udp
RU 77.105.140.181:443 jerryposter.com tcp
US 8.8.8.8:53 181.140.105.77.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\windows\Temp\0494-1.dll

MD5 d7e6bc7d9983adc4dd2820d00756c7c0
SHA1 15fa33e71a2c20f73bc4595546b1494ec2e561b0
SHA256 f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
SHA512 42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001

C:\Windows\Temp\0494-1.dll

MD5 d7e6bc7d9983adc4dd2820d00756c7c0
SHA1 15fa33e71a2c20f73bc4595546b1494ec2e561b0
SHA256 f324bb47090d388fca1015260f66f67b708e8451292cd5679791792c90d5b711
SHA512 42d534bd586e8ffec3ec170409667becec6206f97701497527ca1c8a35a6b251f6d9b24304d08b3460761abff6394446af11bed19c35a24affe9b165c50e7001

memory/8-4-0x0000000000D30000-0x0000000000D3D000-memory.dmp

memory/8-8-0x0000000000D30000-0x0000000000D3D000-memory.dmp

C:\Users\Admin\AppData\Local\Admin\{8BCA64C5-ED77-8646-8F62-ACCAF0958105}\Arcoteacuo32.dll

MD5 002c64d47bf8c0878ac8ec2b4740f682
SHA1 acc44c89420270083de7d67b025748a4b98071ed
SHA256 b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA512 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

memory/2628-12-0x000001CBE1B20000-0x000001CBE1B6F000-memory.dmp

memory/2628-13-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

memory/2628-18-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

memory/2628-19-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

memory/2628-20-0x000001CBE1B20000-0x000001CBE1B6F000-memory.dmp

memory/2628-22-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

memory/2628-23-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp

memory/2628-25-0x000001CBE34D0000-0x000001CBE351C000-memory.dmp