Analysis

  • max time kernel
    183s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 16:08

General

  • Target

    8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs

  • Size

    1012KB

  • MD5

    20a3e701e9a1e20c83a8ad5d387ad3cd

  • SHA1

    3b18b70e62aef8d46ba5ad0385d1a0e3d139f2e3

  • SHA256

    8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a

  • SHA512

    323e780b368705b7f00d0662530d8c91f4f87a4d17615915976b3b9d88a6b6914a42658c66f2436a9dcc0b48d5ebc463189be69faea56119be7bcef619d64e57

  • SSDEEP

    6144:QI5hC7gl0z9IyjyHUPx9nO3Sd+tw+aN1glujVzB7e1mY1XhnL3Q0zoFIkCMkUZ+b:DNu8C5pNBe1v0lrYvV9V/vj

Malware Config

Extracted

Family

icedid

Campaign

361893872

Signatures

  • IcedID, BokBot

    IcedID (also tracked as BokBot) is a modular banking trojan that steals credentials and is also used as a loader for follow-on payloads.

  • Blocklisted process makes network request (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C://windows/Temp/0328-1.dll
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{1BA8F424-A89D-88F1-16F4-42A663196520}\ahqowiackf2.dll,#1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Roaming\{1BA8F424-A89D-88F1-16F4-42A663196520}\ahqowiackf2.dll,#1
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Modifies registry class
          PID:4852
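Detection logic for the chain shown in this process tree, as an added example that is not part of the sandbox report. It runs over constructed process-creation events (pid, parent pid, image, command line, loosely following Sysmon Event ID 1 fields) that mirror the four processes above, plus an assumed explorer.exe parent and a benign rundll32 launch as a control, and maps observed SHA256 values to the hashes listed in this report. The regex patterns, the explorer.exe parent and the benign control event are assumptions of the example.

```python
"""Hunt for the WScript -> regsvr32 -> cmd -> rundll32 chain recorded above.

Added example: the events below are constructed to mirror the report's
process tree; the field layout is an assumption (Sysmon Event ID 1 style).
"""
import re
from dataclasses import dataclass

# SHA256 values copied from this report's General and Downloads sections.
IOC_SHA256 = {
    "8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a": "VBS dropper",
    "e4bdfa069c1d493eb4add6087d6853360a669686ebd69242b37dd7e65e1b9153": "0328-1.dll (regsvr32 stage)",
    "b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1": "ahqowiackf2.dll (rundll32 stage)",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# regsvr32 pointed at a DLL inside a Temp directory. Forward slashes are
# accepted because the report shows regsvr32 taking "C://windows/Temp/0328-1.dll".
TEMP_DLL = re.compile(r"[\\/]+temp[\\/]+[^\\/\s\"]+\.dll", re.IGNORECASE)

# rundll32 loading <GUID-named folder>\<name>.dll by export ordinal (",#N"),
# the layout used here under %AppData%\Roaming.
ROAMING_GUID_DLL = re.compile(
    r"\\AppData\\Roaming\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
    r"\\[^\\\s,]+\.dll,#\d+",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def ancestry(events, pid):
    """Image basenames from `pid` up to the root, child first (loop-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (pid, reason) findings for the loader chain seen in the report."""
    findings = []
    for e in events:
        name = basename(e.image)
        parents = ancestry(events, e.pid)[1:]  # nearest parent first
        if (name == "regsvr32.exe" and parents and parents[0] in SCRIPT_HOSTS
                and TEMP_DLL.search(e.cmdline)):
            findings.append((e.pid, "script host ran regsvr32 on a DLL in a Temp directory"))
        if name == "rundll32.exe" and ROAMING_GUID_DLL.search(e.cmdline):
            findings.append((e.pid, "rundll32 loaded a DLL from Roaming\\{GUID} by ordinal"))
            if "regsvr32.exe" in parents and SCRIPT_HOSTS & set(parents):
                findings.append((e.pid, "full script host -> regsvr32 -> rundll32 chain"))
    return findings


def match_hashes(observed):
    """Map any observed SHA256 (case-insensitive) to the report's IoC label."""
    return {h.lower(): IOC_SHA256[h.lower()] for h in observed if h.lower() in IOC_SHA256}


GUID_DIR = r"C:\Users\Admin\AppData\Roaming\{1BA8F424-A89D-88F1-16F4-42A663196520}"
SAMPLE_EVENTS = [  # constructed; PIDs and command lines follow the tree above
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent
    ProcEvent(2936, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs"'),
    ProcEvent(2820, 2936, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0328-1.dll'),
    ProcEvent(2236, 2820, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C rundll32.exe ' + GUID_DIR + r"\ahqowiackf2.dll,#1"),
    ProcEvent(4852, 2236, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe " + GUID_DIR + r"\ahqowiackf2.dll,#1"),
    # benign control (assumed): Control Panel applet launch must not fire
    ProcEvent(5100, 1000, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The chain check walks parent PIDs rather than matching a single command line, so it still fires when the intermediate cmd.exe hop is present (as here) or absent; the ordinal-export pattern (`,#1`) is the part of the rundll32 command line that rarely appears in benign usage.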

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\{1BA8F424-A89D-88F1-16F4-42A663196520}\ahqowiackf2.dll

    Filesize

    556KB

    MD5

    002c64d47bf8c0878ac8ec2b4740f682

    SHA1

    acc44c89420270083de7d67b025748a4b98071ed

    SHA256

    b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1

    SHA512

    80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd

  • C:\Windows\Temp\0328-1.dll

    Filesize

    328KB

    MD5

    8ad0d83ffb343ca6a291b412bf7505e0

    SHA1

    20a379e488b213a36d36a10d5242a197976e048a

    SHA256

    e4bdfa069c1d493eb4add6087d6853360a669686ebd69242b37dd7e65e1b9153

    SHA512

    f3981edac4d4ece3bdf6edcec816c8356e3dc16dc4809443b1e374003140a53c88ef1a3154743a506fde41369f86458e64c04f4f92ef2103221d064b7c61f2ff

  • memory/2820-7-0x0000000001210000-0x000000000121D000-memory.dmp

    Filesize

    52KB

  • memory/2820-9-0x0000000001210000-0x000000000121D000-memory.dmp

    Filesize

    52KB

  • memory/2820-4-0x0000000001210000-0x000000000121D000-memory.dmp

    Filesize

    52KB

  • memory/4852-13-0x000002348E0B0000-0x000002348E0FF000-memory.dmp

    Filesize

    316KB

  • memory/4852-14-0x000002348FA00000-0x000002348FA4C000-memory.dmp

    Filesize

    304KB

  • memory/4852-19-0x000002348FA00000-0x000002348FA4C000-memory.dmp

    Filesize

    304KB

  • memory/4852-20-0x000002348FA00000-0x000002348FA4C000-memory.dmp

    Filesize

    304KB

  • memory/4852-21-0x000002348E0B0000-0x000002348E0FF000-memory.dmp

    Filesize

    316KB

  • memory/4852-24-0x000002348FA00000-0x000002348FA4C000-memory.dmp

    Filesize

    304KB

  • memory/4852-25-0x000002348FA00000-0x000002348FA4C000-memory.dmp

    Filesize

    304KB

  • memory/4852-27-0x000002348FA00000-0x000002348FA4C000-memory.dmp

    Filesize

    304KB