Analysis Overview
SHA256
93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3
Threat Level: Known bad
The file 93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3_JC.vbs was found to be: Known bad.
Malicious Activity Summary
IcedID, BokBot
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 16:13
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 16:13
Reported
2023-10-16 17:36
Platform
win10v2004-20230915-en
Max time kernel
165s
Max time network
167s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{77C6D694-E92A-D702-B889-F88C503F6DD8} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{77C6D694-E92A-D702-B889-F88C503F6DD8}\ = … | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5028 wrote to memory of 4076 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 5028 wrote to memory of 4076 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\regsvr32.exe |
| PID 4076 wrote to memory of 1960 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 4076 wrote to memory of 1960 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\System32\cmd.exe |
| PID 1960 wrote to memory of 3964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1960 wrote to memory of 3964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0291-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll",#1
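The process list above is the whole loader chain in four hops: WScript.exe runs the .vbs, regsvr32.exe loads a DLL staged in C:\Windows\Temp (note the forward-slash spelling `C://windows/Temp/...`, which Windows accepts and which defeats naive path matching), cmd.exe then launches rundll32.exe against a second DLL under AppData\Roaming by export ordinal (`,#1`). The rule below is an added example written for this page, not part of the sandbox report or its signature set. The events are constructed Sysmon-style process-creation records: the PIDs and command lines of the four malicious processes are taken from the report, while the explorer.exe parent, the two benign rows and the staging-directory list are assumptions.

```python
"""Process-chain rule for the loader sequence in this report:
WScript.exe -> regsvr32.exe (DLL in Windows\\Temp) -> cmd.exe -> rundll32.exe (DLL,#ordinal in AppData\\Roaming).

Added example, not part of the sandbox report. EVENTS are constructed Sysmon-style
process-creation records; PIDs and command lines of the four malicious processes come
from the report, the explorer.exe parent and the two benign rows are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Directories a script-delivered payload is typically staged in before being loaded (assumed list).
STAGING_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)
ORDINAL_EXPORT = re.compile(r'\.dll"?\s*,\s*#\d+', re.IGNORECASE)


def normalize_path(p: str) -> str:
    """Fold the spellings Windows accepts: forward slashes, doubled separators, mixed case,
    e.g. 'C://windows/Temp/x.dll' -> 'c:\\windows\\temp\\x.dll'. A leading UNC '\\\\' is kept."""
    p = p.strip('"').replace("/", "\\")
    lead = "\\\\" if p.startswith("\\\\") else ""
    return (lead + re.sub(r"\\+", r"\\", p[len(lead):])).lower()


def extract_dll(cmdline: str) -> Optional[str]:
    """Normalized path of the first .dll argument (quoted or bare), or None."""
    m = DLL_ARG.search(cmdline)
    return normalize_path(m.group(1) or m.group(2)) if m else None


def image_name(ev: ProcEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 5) -> List[str]:
    """Image names of parent, grandparent, ... nearest first; stops at an unknown PID."""
    chain: List[str] = []
    cur: Optional[ProcEvent] = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(image_name(cur))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[str]:
    by_pid = {e.pid: e for e in events}
    alerts: List[str] = []
    for ev in events:
        name = image_name(ev)
        if name not in ("regsvr32.exe", "rundll32.exe"):
            continue
        dll = extract_dll(ev.cmdline)
        if dll is None or not any(d in dll for d in STAGING_DIRS):
            continue  # DLL not in a staging directory: ordinary COM registration / Control Panel use
        chain = ancestors(ev, by_pid)
        if not SCRIPT_HOSTS.intersection(chain):
            continue  # require a script host somewhere up the tree
        if name == "rundll32.exe" and not ORDINAL_EXPORT.search(ev.cmdline):
            continue  # this sample is invoked by export ordinal (",#1")
        technique = "T1218.010" if name == "regsvr32.exe" else "T1218.011"  # ATT&CK: Regsvr32 / Rundll32
        alerts.append(f"{technique} {name} pid={ev.pid} loads staged {dll} via {' <- '.join(chain)}")
    return alerts


VBS = r"C:\Users\Admin\AppData\Local\Temp\93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3_JC.vbs"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll"
EVENTS = [
    ProcEvent(1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),  # constructed parent
    ProcEvent(5028, 1234, r"C:\Windows\System32\WScript.exe", rf'"C:\Windows\System32\WScript.exe" "{VBS}"'),
    ProcEvent(4076, 5028, r"C:\Windows\System32\regsvr32.exe", r'"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0291-1.dll'),
    ProcEvent(1960, 4076, r"C:\Windows\System32\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /C rundll32.exe {PAYLOAD},#1'),
    ProcEvent(3964, 1960, r"C:\Windows\system32\rundll32.exe", rf"rundll32.exe {PAYLOAD},#1"),
    # constructed benign rows: an installer registering a COM server, and Control Panel via rundll32
    ProcEvent(7001, 1234, r"C:\Windows\System32\regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\Contoso\viewer.dll"'),
    ProcEvent(7002, 1234, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events it raises exactly two alerts, one per LOLBin stage; the two benign rows stay silent because their DLLs are not in a staging directory. The path normalization is what makes `C://windows/Temp/0291-1.dll` match `\windows\temp\`, and the ancestry walk rather than a direct-parent check is what lets the rundll32 stage fire even though its immediate parent is cmd.exe.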
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jkbarmossen.com | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | 62.204.255.173.in-addr.arpa | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | evinakortu.com | udp |
| BG | 94.232.46.27:443 | evinakortu.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| RU | 77.105.142.135:443 | skrechelres.com | tcp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.142.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
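Most rows in this table are not indicators: the 8.8.8.8:53 entries are the sandbox resolver, and the `*.in-addr.arpa` names are reverse lookups the guest performed on addresses it saw. Three of those reverse lookups (12.104.18.212, 62.204.255.173, 135.142.105.77) map back to the C2 addresses the sample actually connected to; the rest do not correspond to any connection in this report. The script below is an added example written for this page, not output of the sandbox. It embeds the table above (plus the two jerryposter.com rows that only appear in the behavioral1 run) and turns it into a deduplicated IOC set while separating resolver and PTR noise from real destinations. The resolver set is an assumption for this sandbox.

```python
"""Turn the report's Network table into a deduplicated IOC set.

Added example, not part of the sandbox report. NETWORK_TABLE is copied from the
behavioral2 table plus the two jerryposter.com rows from behavioral1. Resolver
queries and reverse (PTR) lookups are telemetry, not indicators, but PTR names are
mapped back to addresses so they can be matched against contacted destinations.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Flow(NamedTuple):
    country: str
    dest_ip: str
    dest_port: int
    domain: str
    proto: str


NETWORK_TABLE = """
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | 12.104.18.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jkbarmossen.com | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | 62.204.255.173.in-addr.arpa | udp |
| US | 173.255.204.62:443 | jkbarmossen.com | tcp |
| US | 8.8.8.8:53 | evinakortu.com | udp |
| BG | 94.232.46.27:443 | evinakortu.com | tcp |
| US | 8.8.8.8:53 | hofsaalos.com | udp |
| RU | 92.118.112.113:443 | hofsaalos.com | tcp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| RU | 77.105.142.135:443 | skrechelres.com | tcp |
| US | 8.8.8.8:53 | 126.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.142.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
"""
RESOLVERS = {"8.8.8.8"}  # sandbox DNS (assumed); add the enterprise resolvers when reusing this
ROW = re.compile(r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")


def parse_rows(table: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            flows.append(Flow(m[1], m[2], int(m[3]), m[4].lower(), m[5]))
    return flows


def ptr_to_ip(name: str) -> Optional[str]:
    """'12.104.18.212.in-addr.arpa' -> '212.18.104.12'; None if not a PTR name."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", name, re.IGNORECASE)
    if not m:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))  # ValueError on octet > 255


def extract_iocs(flows: List[Flow]) -> Dict[str, object]:
    domains: Set[str] = set()
    ips: Set[str] = set()
    ports: Dict[str, Set[int]] = {}
    for f in flows:
        if ptr_to_ip(f.domain):
            continue  # reverse lookup, not an attacker-controlled name
        domains.add(f.domain)
        if f.proto == "udp" and f.dest_port == 53 and f.dest_ip in RESOLVERS:
            continue  # resolution only; the resolver is not an indicator
        ips.add(f.dest_ip)
        ports.setdefault(f.domain, set()).add(f.dest_port)
    return {"domains": domains, "ips": ips, "ports": ports}


def correlate_ptr(flows: List[Flow]) -> Tuple[Set[str], Set[str]]:
    """Split PTR-queried addresses into those also contacted over TCP and those never contacted."""
    contacted = {f.dest_ip for f in flows if f.proto == "tcp"}
    queried = {ip for f in flows if (ip := ptr_to_ip(f.domain))}
    return queried & contacted, queried - contacted
```

The result is six domains and six addresses worth blocking, with modalefastnow.com seen on both 443 and 80. The PTR correlation shows which reverse lookups belong to the C2 traffic (three) and which are unrelated guest activity (ten), so neither group ends up on a blocklist by accident.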
Files
C:\windows\Temp\0291-1.dll
| MD5 | 18e3ba07f71f96cd6f174846f607bc4e |
| SHA1 | 6e263fec38683f76f5b8c5c53eea1b333d7dbd8f |
| SHA256 | 226faebe0332ae4972d6bbc0e99553b4875322fb4336dfe3e42462d4c3624e79 |
| SHA512 | 33010f0eaef846be5143e30cd307c61c36e3c34c04ee4380539caa63dec62854a3a7881ef1881ecc38ff6680bdcafde98e175e218bb1e8b4cd197742f396929a |
C:\Windows\Temp\0291-1.dll
| MD5 | 18e3ba07f71f96cd6f174846f607bc4e |
| SHA1 | 6e263fec38683f76f5b8c5c53eea1b333d7dbd8f |
| SHA256 | 226faebe0332ae4972d6bbc0e99553b4875322fb4336dfe3e42462d4c3624e79 |
| SHA512 | 33010f0eaef846be5143e30cd307c61c36e3c34c04ee4380539caa63dec62854a3a7881ef1881ecc38ff6680bdcafde98e175e218bb1e8b4cd197742f396929a |
memory/4076-4-0x0000000000AB0000-0x0000000000ABD000-memory.dmp
memory/4076-8-0x0000000000AB0000-0x0000000000ABD000-memory.dmp
C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
memory/3964-12-0x000002899B1C0000-0x000002899B20F000-memory.dmp
memory/3964-13-0x000002899B260000-0x000002899B2AC000-memory.dmp
memory/3964-18-0x000002899B260000-0x000002899B2AC000-memory.dmp
memory/3964-19-0x000002899B260000-0x000002899B2AC000-memory.dmp
memory/3964-20-0x000002899B1C0000-0x000002899B20F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 978941f4914e6a7648a4ce856004f60c |
| SHA1 | 4a61256d35fa686f053c4a3332381b01a80d1f74 |
| SHA256 | 928a676a762a83b4f93d93e05f67fd213a115018b1b1c7345b234f5e10ece287 |
| SHA512 | 50f5a78de0fb85e5a0301ab82550aa6e7f41bcc3f5b9c513b9a0cbcf1f7b6c954455006b9d486fc7fb2dc4e3b5653b0217e0c5312d90a29bf58923632b97acc5 |
memory/3964-26-0x000002899B260000-0x000002899B2AC000-memory.dmp
memory/3964-27-0x000002899B260000-0x000002899B2AC000-memory.dmp
memory/3964-29-0x000002899B260000-0x000002899B2AC000-memory.dmp
C:\Users\Admin\AppData\Roaming\erevgubd3\Admin\Weistaacnn.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
memory/4216-31-0x0000021D7D940000-0x0000021D7D98F000-memory.dmp
memory/4216-32-0x0000021D7DB00000-0x0000021D7DB4C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 16:13
Reported
2023-10-16 17:37
Platform
win7-20230831-en
Max time kernel
125s
Max time network
136s
Command Line
Signatures
IcedID, BokBot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36} | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36}\ = db69b5875bcc07e92d5055bee989ee633dfafd005b4e43af490ccd75727afb45547378dbebb87258308f24207f8751ce24cb4e430b1cacbdb8dd6c16841233312c0d25337f3a7d88f73c7ab2855ae1cea2587fc13a98d6eaf272e6514b6741b536c86bb2d4fc52d29c5dfd40e47bd97d942d8019287df4d2f3bb42eb53f19286732649532585cbd9bc9730c0f4f8f9feeff6ed3dbd1ce334bc98b4153a2abc8a37d6e4aa337d57c664ad0dfef46129565c05c98624960fd0187fd77be56fa68d301cf85fe6f1733cc183a40972a08966db8f99615547a28cc9ec9fb410465c96c5e61c772cc9096337c2187ff79222d6cd9b2a4bd11855dc9a3fca924f20f31ae27da11ce2eae8eb3ebf1d6074dc88bc098c8f87 | C:\Windows\system32\rundll32.exe | N/A |
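The two registry rows above show rundll32.exe creating a CLSID subkey under the user's Classes hive (HKCU\Software\Classes\CLSID) and writing a long hex string as its default value. A legitimate CLSID default value is a short class or ProgID name, so the combination of writer, location and value shape is detectable without knowing the GUID in advance. The check below is an added example written for this page, not part of the sandbox report or its signature set: the two malicious events and the blob are copied from the table above, while the benign installer event, its GUID and the entropy threshold are constructed assumptions.

```python
"""Flag a CLSID key under a user's Classes hive whose default value is written by a
LOLBin as an opaque hex blob rather than a class or ProgID name.

Added example, not part of the sandbox report. The two malicious events and BLOB are
copied from the behavioral1 'Modifies registry class' table; the benign installer event
and its GUID are constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegEvent:
    op: str              # "Key created" or "Set value (data)"
    path: str            # NT-native key path; a trailing backslash denotes the default value
    data: Optional[str]
    process: str


USER_CLASSES_CLSID = re.compile(
    r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+_CLASSES\\CLSID\\\{[0-9A-F-]{36}\}\\?$", re.IGNORECASE)
LOLBIN_WRITERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def shannon_entropy(s: str) -> float:
    """Bits per character; 4.0 is the ceiling for hex text, about 6.0 for base64."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_blob(data: str, min_len: int = 64) -> bool:
    """Long pure-hex or long high-entropy strings are stored payload, not class names."""
    if len(data) < min_len:
        return False
    return re.fullmatch(r"[0-9a-f]+", data, re.IGNORECASE) is not None or shannon_entropy(data) > 4.5


def is_suspicious(ev: RegEvent) -> bool:
    writer = ev.process.rsplit("\\", 1)[-1].lower()
    return (ev.op == "Set value (data)"
            and ev.data is not None
            and USER_CLASSES_CLSID.match(ev.path) is not None
            and writer in LOLBIN_WRITERS
            and looks_like_blob(ev.data))


def detect(events: List[RegEvent]) -> List[RegEvent]:
    return [e for e in events if is_suspicious(e)]


HIVE = r"\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES"
KEY = HIVE + r"\CLSID\{F699FD4F-582E-0504-D361-4CA8EBBF4E36}"
BLOB = ("db69b5875bcc07e92d5055bee989ee633dfafd005b4e43af490ccd75727afb45"
        "547378dbebb87258308f24207f8751ce24cb4e430b1cacbdb8dd6c1684123331"
        "2c0d25337f3a7d88f73c7ab2855ae1cea2587fc13a98d6eaf272e6514b6741b5"
        "36c86bb2d4fc52d29c5dfd40e47bd97d942d8019287df4d2f3bb42eb53f19286"
        "732649532585cbd9bc9730c0f4f8f9feeff6ed3dbd1ce334bc98b4153a2abc8a"
        "37d6e4aa337d57c664ad0dfef46129565c05c98624960fd0187fd77be56fa68d"
        "301cf85fe6f1733cc183a40972a08966db8f99615547a28cc9ec9fb410465c96"
        "c5e61c772cc9096337c2187ff79222d6cd9b2a4bd11855dc9a3fca924f20f31a"
        "e27da11ce2eae8eb3ebf1d6074dc88bc098c8f87")
EVENTS = [
    RegEvent("Key created", KEY, None, r"C:\Windows\system32\rundll32.exe"),
    RegEvent("Set value (data)", KEY + "\\", BLOB, r"C:\Windows\system32\rundll32.exe"),
    # constructed benign event: an installer registering a COM class under a made-up GUID
    RegEvent("Set value (data)", HIVE + r"\CLSID\{11111111-2222-3333-4444-555555555555}" + "\\",
             "Contoso.Viewer.1", r"C:\Program Files\Contoso\setup.exe"),
]

if __name__ == "__main__":
    for ev in detect(EVENTS):
        print(f"{ev.process} wrote {len(ev.data or '')}-char blob to {ev.path}")
```

Only the rundll32 "Set value (data)" event is flagged; the bare "Key created" event carries no data and the installer's ProgID-style value is too short to qualify. Per-user COM registration under HKCU\Software\Classes is legitimate and common, so the signal here comes from the writer being a LOLBin and the default value being a blob, not from the key location alone.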
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d1e2cb11d3c40ce8f90faf5168e72b2a246688255b12a22c17dba101cf79b3_JC.vbs"
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C://windows/Temp/0291-1.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll,#1
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | modalefastnow.com | udp |
| IQ | 212.18.104.12:443 | modalefastnow.com | tcp |
| IQ | 212.18.104.12:80 | modalefastnow.com | tcp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | skrechelres.com | udp |
| US | 8.8.8.8:53 | jerryposter.com | udp |
| RU | 77.105.140.181:443 | jerryposter.com | tcp |
Files
C:\windows\Temp\0291-1.dll
| MD5 | 18e3ba07f71f96cd6f174846f607bc4e |
| SHA1 | 6e263fec38683f76f5b8c5c53eea1b333d7dbd8f |
| SHA256 | 226faebe0332ae4972d6bbc0e99553b4875322fb4336dfe3e42462d4c3624e79 |
| SHA512 | 33010f0eaef846be5143e30cd307c61c36e3c34c04ee4380539caa63dec62854a3a7881ef1881ecc38ff6680bdcafde98e175e218bb1e8b4cd197742f396929a |
\Windows\Temp\0291-1.dll
| MD5 | 18e3ba07f71f96cd6f174846f607bc4e |
| SHA1 | 6e263fec38683f76f5b8c5c53eea1b333d7dbd8f |
| SHA256 | 226faebe0332ae4972d6bbc0e99553b4875322fb4336dfe3e42462d4c3624e79 |
| SHA512 | 33010f0eaef846be5143e30cd307c61c36e3c34c04ee4380539caa63dec62854a3a7881ef1881ecc38ff6680bdcafde98e175e218bb1e8b4cd197742f396929a |
memory/2652-4-0x0000000000130000-0x000000000013D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9002.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2652-22-0x0000000000130000-0x000000000013D000-memory.dmp
memory/2652-23-0x0000000000130000-0x000000000013D000-memory.dmp
\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
C:\Users\Admin\AppData\Roaming\Admin\Admin\ojasduacot.dll
| MD5 | 002c64d47bf8c0878ac8ec2b4740f682 |
| SHA1 | acc44c89420270083de7d67b025748a4b98071ed |
| SHA256 | b4f17e438636e166a94b2cd7c83e1c2b3cf1184122b6204521c1024e293ba8b1 |
| SHA512 | 80f44373c7dc7a08d94b65e1f830e6d922ae9b8fefca5beadaf6a1a8c33622219da404bed11daeb7de03f1b3432782a11cd019ff814b981b9e6885066666affd |
memory/2540-30-0x0000000001BB0000-0x0000000001BFF000-memory.dmp
memory/2540-31-0x0000000001DC0000-0x0000000001E0C000-memory.dmp
memory/2540-36-0x0000000001DC0000-0x0000000001E0C000-memory.dmp
memory/2540-37-0x0000000001DC0000-0x0000000001E0C000-memory.dmp
memory/2540-38-0x0000000001BB0000-0x0000000001BFF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a19c933236ede6b8071460e8e847b8ae |
| SHA1 | 578bbd1b5bd479d7ecf86459185cf99d6c1b1cad |
| SHA256 | 8d8a979c742c638fdbcf46cfe5c1a367dfdd3a4310acf4340b41d290d2b36894 |
| SHA512 | f84246e1d7e6af9902b0981be895ab339e28900c1d86b7e836dc8bff0f07a406ecae58ba14891cec59835bbe3243a44742c35ee618e35eb6622a022495edf26b |
C:\Users\Admin\AppData\Local\Temp\Tar29C0.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/2540-57-0x0000000001DC0000-0x0000000001E0C000-memory.dmp
memory/2540-58-0x0000000001DC0000-0x0000000001E0C000-memory.dmp
memory/2540-60-0x0000000001DC0000-0x0000000001E0C000-memory.dmp