icedid | 64de1f3425d0aa59ad9c6b59a2e7f0510248458c6bbf7755d7770030438a31cc

General

Target

instrument indenture_12.20.doc
Size

74KB
MD5

9afbe47292bfd00a63dab5ab0e566a36
SHA1

1e34087c2729ebe48d5022dc4eec1cf5eb07e8aa
SHA256

64de1f3425d0aa59ad9c6b59a2e7f0510248458c6bbf7755d7770030438a31cc
SHA512

614489eb44b42f119e7205042cb7619cedf3d87395bb7f30bf1d30ca9b1a30252508c2d09a0f0c17e870b8378e7bddb4fc37563e16d1b6f8657ba601ebdc7330

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3824	4640	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 8 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

14 4184 mshta.exe
27 580 rundll32.exe
29 580 rundll32.exe
31 580 rundll32.exe
33 580 rundll32.exe
35 580 rundll32.exe
37 580 rundll32.exe
38 580 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

580 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
14	4184	mshta.exe
27	580	rundll32.exe
29	580	rundll32.exe
31	580	rundll32.exe
33	580	rundll32.exe
35	580	rundll32.exe
37	580	rundll32.exe
38	580	rundll32.exe

pid	process
580	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4640 WINWORD.EXE
4640 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

580 rundll32.exe
580 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	rundll32.exe

pid	process
580	rundll32.exe
580	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE
4640	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 4640 wrote to memory of 3824	4640	WINWORD.EXE	rundll32.exe
PID 4640 wrote to memory of 3824	4640	WINWORD.EXE	rundll32.exe
PID 3824 wrote to memory of 4184	3824	rundll32.exe	mshta.exe
PID 3824 wrote to memory of 4184	3824	rundll32.exe	mshta.exe
PID 3824 wrote to memory of 4184	3824	rundll32.exe	mshta.exe
PID 4184 wrote to memory of 580	4184	mshta.exe	rundll32.exe
PID 4184 wrote to memory of 580	4184	mshta.exe	rundll32.exe
PID 4184 wrote to memory of 580	4184	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instrument indenture_12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aSF9P.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta

MD5
16d4ed03d9bb2ed8edd29daeb0f25e9f

SHA1
87104e1373d4dc62c22bac22d8c4b29f19be7280

SHA256
5a84c9213268178c70df6dfdcc2b71e3b1316f891e8b62d4d0528150b999b3fc

SHA512
4aa01548dc81c6bf98040c43deb786df41282337c7ec6f3b5b0d9812654e615801bef6f05f7c4e892be4f6e29ea41447e0158bcf721b6c41ba98ca29f49d6894

Download Submit
\??\c:\programdata\aSF9P.pdf

MD5
55a67d831641e2794749f79bb5dc6cc0

SHA1
f08e04421956eeb859c81472e5a99ef1a4cf58d8

SHA256
34c51f11835d890863fd0af27888bda91467f57607540e6cd70e547c27bde683

SHA512
80d955796c1ed3eeb97dd017f941054b835fc6bca47a131f40e599a9675f1a1d84886fcb032fec087c47dbf976cdacdb09f2f0f3a117851f2d5ec9462fcb1d6b

Download Submit
\ProgramData\aSF9P.pdf

MD5
55a67d831641e2794749f79bb5dc6cc0

SHA1
f08e04421956eeb859c81472e5a99ef1a4cf58d8

SHA256
34c51f11835d890863fd0af27888bda91467f57607540e6cd70e547c27bde683

SHA512
80d955796c1ed3eeb97dd017f941054b835fc6bca47a131f40e599a9675f1a1d84886fcb032fec087c47dbf976cdacdb09f2f0f3a117851f2d5ec9462fcb1d6b

Download Submit
memory/580-9-0x0000000000000000-mapping.dmp

Download
memory/3824-6-0x0000000000000000-mapping.dmp

Download
memory/4184-8-0x0000000000000000-mapping.dmp

Download
memory/4640-2-0x00007FF9C9100000-0x00007FF9C9737000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads