Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
-
submitted
12-10-2023 16:08
Static task
static1
Behavioral task
behavioral1
Sample
8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs
Resource
win7-20230831-en
General
-
Target
8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs
-
Size
1012KB
-
MD5
20a3e701e9a1e20c83a8ad5d387ad3cd
-
SHA1
3b18b70e62aef8d46ba5ad0385d1a0e3d139f2e3
-
SHA256
8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a
-
SHA512
323e780b368705b7f00d0662530d8c91f4f87a4d17615915976b3b9d88a6b6914a42658c66f2436a9dcc0b48d5ebc463189be69faea56119be7bcef619d64e57
-
SSDEEP
6144:QI5hC7gl0z9IyjyHUPx9nO3Sd+tw+aN1glujVzB7e1mY1XhnL3Q0zoFIkCMkUZ+b:DNu8C5pNBe1v0lrYvV9V/vj
Malware Config
Extracted
icedid
361893872
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes: rundll32.exe
flow  pid   process
8     2684  rundll32.exe
10    2684  rundll32.exe
12    2684  rundll32.exe
-
Loads dropped DLL 5 IoCs
Processes: regsvr32.exe, rundll32.exe
pid   process
2420  regsvr32.exe
2684  rundll32.exe
2684  rundll32.exe
2684  rundll32.exe
2684  rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: regsvr32.exe
pid   process
2420  regsvr32.exe
2420  regsvr32.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: WScript.exe, regsvr32.exe, cmd.exe
description                        pid   process       target process
PID 2364 wrote to memory of 2420   2364  WScript.exe   regsvr32.exe
PID 2364 wrote to memory of 2420   2364  WScript.exe   regsvr32.exe
PID 2364 wrote to memory of 2420   2364  WScript.exe   regsvr32.exe
PID 2364 wrote to memory of 2420   2364  WScript.exe   regsvr32.exe
PID 2364 wrote to memory of 2420   2364  WScript.exe   regsvr32.exe
PID 2420 wrote to memory of 2548   2420  regsvr32.exe  cmd.exe
PID 2420 wrote to memory of 2548   2420  regsvr32.exe  cmd.exe
PID 2420 wrote to memory of 2548   2420  regsvr32.exe  cmd.exe
PID 2548 wrote to memory of 2684   2548  cmd.exe       rundll32.exe
PID 2548 wrote to memory of 2684   2548  cmd.exe       rundll32.exe
PID 2548 wrote to memory of 2684   2548  cmd.exe       rundll32.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs"
- Suspicious use of WriteProcessMemory
PID: 2364
-
  C:\Windows\System32\regsvr32.exe
  Command line: "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0328-1.dll
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2420
  -
    C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Local\yokibd\Admin\ejeqacfb1.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2548
    -
      C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\yokibd\Admin\ejeqacfb1.dll,#1
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2684
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
61KB
MD5
f3441b8572aae8801c04f3060b550443
SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
556KB
MD5
002c64d47bf8c0878ac8ec2b4740f682
SHA1
acc44c89420270083de7d67b025748a4b98071ed
SHA256
b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA512
80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd
-
Filesize
328KB
MD5
8ad0d83ffb343ca6a291b412bf7505e0
SHA1
20a379e488b213a36d36a10d5242a197976e048a
SHA256
e4bdfa069c1d493eb4add6087d6853360a669686ebd69242b37dd7e65e1b9153
SHA512
f3981edac4d4ece3bdf6edcec816c8356e3dc16dc4809443b1e374003140a53c88ef1a3154743a506fde41369f86458e64c04f4f92ef2103221d064b7c61f2ff