icedid | 3e670878dd1bec8ea456d334a47600c9e174a380afd89d86725fa8e81b9bc8f4

General

Target

certificate_12.20.doc
Size

75KB
MD5

09a3cabe56bddaccf3736c626524a267
SHA1

ecd402f6d90ce58878aa67cc889e1a2ffecafe3e
SHA256

3e670878dd1bec8ea456d334a47600c9e174a380afd89d86725fa8e81b9bc8f4
SHA512

2d651168d56371706ea4709f0f313c9fe262a1f3930fe21e3f40e241113057a623a8839f448fbd358eeb1b446b35ab869d905efb8bef83289236533edae330ed

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4028	3084	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 9 IoCs

Processes:

mshta.exerundll32.exe

flow	pid	process
24	4060	mshta.exe
29	2536	rundll32.exe
31	2536	rundll32.exe
37	2536	rundll32.exe
39	2536	rundll32.exe
41	2536	rundll32.exe
43	2536	rundll32.exe
45	2536	rundll32.exe
47	2536	rundll32.exe

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2536 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2536	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3084 WINWORD.EXE
3084 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2536 rundll32.exe
2536 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	rundll32.exe

pid	process
2536	rundll32.exe
2536	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE
3084	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 3084 wrote to memory of 4028	3084	WINWORD.EXE	rundll32.exe
PID 3084 wrote to memory of 4028	3084	WINWORD.EXE	rundll32.exe
PID 4028 wrote to memory of 4060	4028	rundll32.exe	mshta.exe
PID 4028 wrote to memory of 4060	4028	rundll32.exe	mshta.exe
PID 4028 wrote to memory of 4060	4028	rundll32.exe	mshta.exe
PID 4060 wrote to memory of 2536	4060	mshta.exe	rundll32.exe
PID 4060 wrote to memory of 2536	4060	mshta.exe	rundll32.exe
PID 4060 wrote to memory of 2536	4060	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\certificate_12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aK2TUb.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
8983ba41e1c99c3e4c9aff611761c3f0

SHA1
f239ccc0def9802ec8a03f75d124ad1447b274ee

SHA256
206f477c988d35c480f1c733a04b39ad981262973810407e4fbb879dc4cb2d1f

SHA512
31529a53db27aea18155330f8a26ec5090f1ac8cc9996c9374d4c9c749a02fe70b9fb070b1649c58f1e127fe7d5d2884ffabccfcc97b2bd0616fac3f88b1e460

Download Submit
\??\c:\programdata\aK2TUb.pdf
MD5
0cac3df1337995a6720fc4d54b8fd2af

SHA1
772fc79ec590ffd440cc7e4f4bcd311a4af094d0

SHA256
f79487c85c39f55bc0d7d94bf2834731af8b2ef16dfb48ab99b8b6280368dec4

SHA512
a1612e898778410bef6ddd0fd00cd2e5190ea4d167ae2c187734782f60ee33a33a984477fdf39379d2b66a9788f49dbd777468fbc43de50350bc7eb0fab8a7bd

Download Submit
\ProgramData\aK2TUb.pdf
MD5
0cac3df1337995a6720fc4d54b8fd2af

SHA1
772fc79ec590ffd440cc7e4f4bcd311a4af094d0

SHA256
f79487c85c39f55bc0d7d94bf2834731af8b2ef16dfb48ab99b8b6280368dec4

SHA512
a1612e898778410bef6ddd0fd00cd2e5190ea4d167ae2c187734782f60ee33a33a984477fdf39379d2b66a9788f49dbd777468fbc43de50350bc7eb0fab8a7bd

Download Submit
memory/2536-9-0x0000000000000000-mapping.dmp

Download
memory/3084-2-0x0000018D4EB90000-0x0000018D4F1C7000-memory.dmp

Filesize
6.2MB

Download
memory/4028-6-0x0000000000000000-mapping.dmp

Download
memory/4060-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads