Analysis
-
max time kernel
183s -
max time network
197s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2023 16:08
Static task
static1
Behavioral task
behavioral1
Sample
8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs
Resource
win7-20230831-en
General
-
Target
8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs
-
Size
1012KB
-
MD5
20a3e701e9a1e20c83a8ad5d387ad3cd
-
SHA1
3b18b70e62aef8d46ba5ad0385d1a0e3d139f2e3
-
SHA256
8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a
-
SHA512
323e780b368705b7f00d0662530d8c91f4f87a4d17615915976b3b9d88a6b6914a42658c66f2436a9dcc0b48d5ebc463189be69faea56119be7bcef619d64e57
-
SSDEEP
6144:QI5hC7gl0z9IyjyHUPx9nO3Sd+tw+aN1glujVzB7e1mY1XhnL3Q0zoFIkCMkUZ+b:DNu8C5pNBe1v0lrYvV9V/vj
Malware Config
Extracted
icedid
361893872
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 51 4852 rundll32.exe 59 4852 rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation WScript.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exerundll32.exepid process 2820 regsvr32.exe 4852 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3} rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\CLSID\{BF545EFF-1B42-ED22-5E98-BCE1DD3C18F3}\ = 7cd98d73c18b257af5fc6b4971cd8c70b5266bd5e03416c4973be746089f282b1b8de11e484aeb0f4a548253357a74f303db36dfcdbfdcb54487c9a5fcc6190eda54828104ae37d791e941b68b557d18076bf58c17955b234f37cb5ec7a9ec483349d48a206617f18e24e6c6279be9154007bdfe1a4a4874201db1a1ce38cfa1813dcd11c6552375c286395f42bd1ae87422cb4e57c186e5972452a4fd46d215c19f3f000efa156134d591385753205b51f89cab8bd82e41214c295c57d062af8774944ddf04eefbe370bc0df0632996035b438404ec6ea2f0c98e8334d4e5257b9106404642cb02e66ba5082d2548458786ad0f73492cbf04f86a2287cc5967b3943eda8319e0efbcfefcf3bcf0f6e960d3f94e rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regsvr32.exepid process 2820 regsvr32.exe 2820 regsvr32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
WScript.exeregsvr32.execmd.exedescription pid process target process PID 2936 wrote to memory of 2820 2936 WScript.exe regsvr32.exe PID 2936 wrote to memory of 2820 2936 WScript.exe regsvr32.exe PID 2820 wrote to memory of 2236 2820 regsvr32.exe cmd.exe PID 2820 wrote to memory of 2236 2820 regsvr32.exe cmd.exe PID 2236 wrote to memory of 4852 2236 cmd.exe rundll32.exe PID 2236 wrote to memory of 4852 2236 cmd.exe rundll32.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5c7a8cdda35d77ae8e90a14e0732b6b48e4efb453434ac4d5e7df0e625b06a_JC.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0328-1.dll2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\{1BA8F424-A89D-88F1-16F4-42A663196520}\ahqowiackf2.dll,#13⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Roaming\{1BA8F424-A89D-88F1-16F4-42A663196520}\ahqowiackf2.dll,#14⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies registry class
PID:4852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
556KB
MD5002c64d47bf8c0878ac8ec2b4740f682
SHA1acc44c89420270083de7d67b025748a4b98071ed
SHA256b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA51280f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd
-
Filesize
556KB
MD5002c64d47bf8c0878ac8ec2b4740f682
SHA1acc44c89420270083de7d67b025748a4b98071ed
SHA256b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1
SHA51280f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd
-
Filesize
328KB
MD58ad0d83ffb343ca6a291b412bf7505e0
SHA120a379e488b213a36d36a10d5242a197976e048a
SHA256e4bdfa069c1d493eb4add6087d6853360a669686ebd69242b37dd7e65e1b9153
SHA512f3981edac4d4ece3bdf6edcec816c8356e3dc16dc4809443b1e374003140a53c88ef1a3154743a506fde41369f86458e64c04f4f92ef2103221d064b7c61f2ff
-
Filesize
328KB
MD58ad0d83ffb343ca6a291b412bf7505e0
SHA120a379e488b213a36d36a10d5242a197976e048a
SHA256e4bdfa069c1d493eb4add6087d6853360a669686ebd69242b37dd7e65e1b9153
SHA512f3981edac4d4ece3bdf6edcec816c8356e3dc16dc4809443b1e374003140a53c88ef1a3154743a506fde41369f86458e64c04f4f92ef2103221d064b7c61f2ff