icedid | 385794d14430b56014a7ec11add05404f0038dc39b6e0f6617c67a13128e176a

General

Target

dictate,12.07.2020.doc
Size

74KB
MD5

5b14a94211accca8f8a1ff5817af10f4
SHA1

f52cffebeda9aba7ddea487b71b5b689ab0212f4
SHA256

385794d14430b56014a7ec11add05404f0038dc39b6e0f6617c67a13128e176a
SHA512

ffb1e76deca20465b5c13999a6fbe5ebcb4fff858aaf7beffb4c08c79704c9623b214000e410b96b478b1edfa19825f0ff1125da68255e3b1bf6432151948d45

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3236	4772	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 9 IoCs

Processes:

mshta.exerundll32.exe

flow	pid	process
14	4076	mshta.exe
29	4528	rundll32.exe
31	4528	rundll32.exe
33	4528	rundll32.exe
39	4528	rundll32.exe
41	4528	rundll32.exe
43	4528	rundll32.exe
45	4528	rundll32.exe
46	4528	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4528 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4528	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4772 WINWORD.EXE
4772 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4528 rundll32.exe
4528 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	rundll32.exe

pid	process
4528	rundll32.exe
4528	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE
4772	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 4772 wrote to memory of 3236	4772	WINWORD.EXE	rundll32.exe
PID 4772 wrote to memory of 3236	4772	WINWORD.EXE	rundll32.exe
PID 3236 wrote to memory of 4076	3236	rundll32.exe	mshta.exe
PID 3236 wrote to memory of 4076	3236	rundll32.exe	mshta.exe
PID 3236 wrote to memory of 4076	3236	rundll32.exe	mshta.exe
PID 4076 wrote to memory of 4528	4076	mshta.exe	rundll32.exe
PID 4076 wrote to memory of 4528	4076	mshta.exe	rundll32.exe
PID 4076 wrote to memory of 4528	4076	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate,12.07.2020.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aPJ75.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
f1fd3c7339f246952ea4d133c1c434c9

SHA1
769ea491fe690db6be9d35c7897b851533da17b9

SHA256
cf7884282315ddb95585e8f132af0c05e679ef2b92a3365f6e0eeefc49f36b57

SHA512
865e70290ea4529c35c60805f35f9b6777de9a5c99cc4c3f067afd59f04f882974d5b2a03b23b14b313906de7c6093c671f6ad5f288cc7968479cb5a9a1f58be

Download Submit
\??\c:\programdata\aPJ75.pdf
MD5
b5af056d1743a032d9e832db1de90681

SHA1
3e80686d7fe8439859034e0043614d8e3398ba54

SHA256
768a3a123f18073fc2caaa367e10dd880eb39d88669bf89a01f1c73e30b44be3

SHA512
216a867d4e97422677595ad946d6a57b46d535849bf1d69ecdb51bb2bf372c724d9405a39ec60dc2f88e00686613d81c70cfbcc85db9874465ef97b03e344520

Download Submit
\ProgramData\aPJ75.pdf
MD5
b5af056d1743a032d9e832db1de90681

SHA1
3e80686d7fe8439859034e0043614d8e3398ba54

SHA256
768a3a123f18073fc2caaa367e10dd880eb39d88669bf89a01f1c73e30b44be3

SHA512
216a867d4e97422677595ad946d6a57b46d535849bf1d69ecdb51bb2bf372c724d9405a39ec60dc2f88e00686613d81c70cfbcc85db9874465ef97b03e344520

Download Submit
memory/3236-6-0x0000000000000000-mapping.dmp

Download
memory/4076-8-0x0000000000000000-mapping.dmp

Download
memory/4528-9-0x0000000000000000-mapping.dmp

Download
memory/4772-2-0x00007FFBDF9B0000-0x00007FFBDFFE7000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads