icedid | 2016bab0c36eafaba9a47f2872310f48613e055492bb7b450ce807cec8ed0a53

General

Target

files.12.20.doc
Size

76KB
MD5

277c10ae03a3921e32a583433bf9da1b
SHA1

a3dd37ef2a327ab4b835c493bc25ca720837af23
SHA256

2016bab0c36eafaba9a47f2872310f48613e055492bb7b450ce807cec8ed0a53
SHA512

a48caa5d129eb97779483e84e2fe2f6cb07caea7e239e1a2216b9eaf67ce427c6ba475f7e92907b2d12884281f95775e8ed684ae5c769a9bb1a71690e52ded5b

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2172	4636	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 9 IoCs

Processes:

mshta.exerundll32.exe

flow	pid	process
14	3912	mshta.exe
30	2512	rundll32.exe
32	2512	rundll32.exe
34	2512	rundll32.exe
38	2512	rundll32.exe
40	2512	rundll32.exe
42	2512	rundll32.exe
44	2512	rundll32.exe
45	2512	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2512 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2512	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4636 WINWORD.EXE
4636 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2512 rundll32.exe
2512 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	rundll32.exe

pid	process
2512	rundll32.exe
2512	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE
4636	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 4636 wrote to memory of 2172	4636	WINWORD.EXE	rundll32.exe
PID 4636 wrote to memory of 2172	4636	WINWORD.EXE	rundll32.exe
PID 2172 wrote to memory of 3912	2172	rundll32.exe	mshta.exe
PID 2172 wrote to memory of 3912	2172	rundll32.exe	mshta.exe
PID 2172 wrote to memory of 3912	2172	rundll32.exe	mshta.exe
PID 3912 wrote to memory of 2512	3912	mshta.exe	rundll32.exe
PID 3912 wrote to memory of 2512	3912	mshta.exe	rundll32.exe
PID 3912 wrote to memory of 2512	3912	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\files.12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aWFPjN.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
52514804e042ebe0256a8671a7282552

SHA1
401025bdbdedf098e2dcd6f4c597d5e091785be7

SHA256
68745718c2ed1d006064a6c9f5ac15665ac7d6bc7420f8830abbb9be386cd144

SHA512
4c34a26c379d168046a05a939a007bffc95be3da6b6fc3d63d1c4f10f6b00530327ee17ffabdc2bb32bdc7fd6af7e87a014892574e91a9b310991a647bb95597

Download Submit
\??\c:\programdata\aWFPjN.pdf
MD5
a728f40b8e9c9c942be81be11aad5263

SHA1
cd89a72327993a2b6a4f62f79377bf61d56686ae

SHA256
a271d925f3f9e43f10e8f4887f3f60cbd07e94ea780a46ce512077749b3e9a02

SHA512
c618a106fbd364775fde5ae2e69393cd2bb08da0ba4863799a8aa80ce7f017dd2131150e0664574a7b8f682a6ffbfa9c7d65434c35e6ce83dfd03e972db91db5

Download Submit
\ProgramData\aWFPjN.pdf
MD5
a728f40b8e9c9c942be81be11aad5263

SHA1
cd89a72327993a2b6a4f62f79377bf61d56686ae

SHA256
a271d925f3f9e43f10e8f4887f3f60cbd07e94ea780a46ce512077749b3e9a02

SHA512
c618a106fbd364775fde5ae2e69393cd2bb08da0ba4863799a8aa80ce7f017dd2131150e0664574a7b8f682a6ffbfa9c7d65434c35e6ce83dfd03e972db91db5

Download Submit
memory/2172-5-0x0000000000000000-mapping.dmp

Download
memory/2512-8-0x0000000000000000-mapping.dmp

Download
memory/3912-7-0x0000000000000000-mapping.dmp

Download
memory/4636-2-0x00007FF9C8C40000-0x00007FF9C9277000-memory.dmp

Filesize
6.2MB

Download
memory/4636-3-0x00000193420F2000-0x00000193420F7000-memory.dmp

Filesize
20KB

Download
memory/4636-4-0x00000193420F2000-0x00000193420F7000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads