icedid | 0cc40f89721a9d22358c612aa94164b3ce259da696798c2d6fde6ad7c82d396e

General

Target

commerce ,12.20.doc
Size

73KB
MD5

ff964fd38ca1b1c28d543574f2fbbf74
SHA1

4eff0c20e4740e3e4eb53c5489d01a079c1ef3ee
SHA256

0cc40f89721a9d22358c612aa94164b3ce259da696798c2d6fde6ad7c82d396e
SHA512

23a034d28dcd837d61253cdd79c0d62c91923f03831d330e2a2cc92305e29d571b10ecd8086885b4b478044386847d92f71ce536996980675fca7f0ba5051ea2

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2068	1404	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 9 IoCs

Processes:

mshta.exerundll32.exe

flow	pid	process
22	3032	mshta.exe
29	3384	rundll32.exe
31	3384	rundll32.exe
33	3384	rundll32.exe
35	3384	rundll32.exe
37	3384	rundll32.exe
39	3384	rundll32.exe
46	3384	rundll32.exe
47	3384	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3384 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3384	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1404 WINWORD.EXE
1404 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3384 rundll32.exe
3384 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	rundll32.exe

pid	process
3384	rundll32.exe
3384	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 1404 wrote to memory of 2068	1404	WINWORD.EXE	rundll32.exe
PID 1404 wrote to memory of 2068	1404	WINWORD.EXE	rundll32.exe
PID 2068 wrote to memory of 3032	2068	rundll32.exe	mshta.exe
PID 2068 wrote to memory of 3032	2068	rundll32.exe	mshta.exe
PID 2068 wrote to memory of 3032	2068	rundll32.exe	mshta.exe
PID 3032 wrote to memory of 3384	3032	mshta.exe	rundll32.exe
PID 3032 wrote to memory of 3384	3032	mshta.exe	rundll32.exe
PID 3032 wrote to memory of 3384	3032	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce ,12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aNkDL.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
038eb5ce0b836e5cdf34b2deadff3d51

SHA1
aa55e8b635b58e74c90b2e2828fdf63b15f7a99b

SHA256
71d2108c013ba714a174583318dd9fe86f7d3d7bb723c389121ad9f185e1d2aa

SHA512
7a55cfaa21608822c862602a1a11dce240ef61736961bf1c36f6439bf77ec274f539135d3b9c392cfa8a4ecc18ada850b2e3eeeab606333ebea0f9b0944f8503

Download Submit
\??\c:\programdata\aNkDL.pdf
MD5
83110be2837dfb77d4ab80893f36864b

SHA1
803c2df0df04a527dec31442ceed6d390bdc5b51

SHA256
e9dbded933df6b5b2f5ed51d19dad0789ebfb06dc9a470987a3f7b7dca168843

SHA512
f620c35d3614fb2430027b95ab9e4dec08dff32c773d6782236f40f9cd71418ffde341e8e2cbd210e2dfd7f11e4659645c981caba14b493ba97f5c89ccbb68c1

Download Submit
\ProgramData\aNkDL.pdf
MD5
83110be2837dfb77d4ab80893f36864b

SHA1
803c2df0df04a527dec31442ceed6d390bdc5b51

SHA256
e9dbded933df6b5b2f5ed51d19dad0789ebfb06dc9a470987a3f7b7dca168843

SHA512
f620c35d3614fb2430027b95ab9e4dec08dff32c773d6782236f40f9cd71418ffde341e8e2cbd210e2dfd7f11e4659645c981caba14b493ba97f5c89ccbb68c1

Download Submit
memory/1404-2-0x00007FFB52C70000-0x00007FFB532A7000-memory.dmp

Filesize
6.2MB

Download
memory/1404-5-0x0000020288E65000-0x0000020288E6A000-memory.dmp

Filesize
20KB

Download
memory/2068-6-0x0000000000000000-mapping.dmp

Download
memory/3032-8-0x0000000000000000-mapping.dmp

Download
memory/3384-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads