icedid | 6bdadb3e04b16759d56dd630002422a9d6da85beb1909feee5a99d14d5bbfb2a

General

Target

direct-12.08.2020.doc
Size

111KB
MD5

046593bb9cc87ad15cf59af9c1993f55
SHA1

cfbd3b7b82c3ebe22506b2f1375aacf134676c53
SHA256

6bdadb3e04b16759d56dd630002422a9d6da85beb1909feee5a99d14d5bbfb2a
SHA512

cc6a7adb13f62630f4a7198b4c81a4563962c01dd8e54b68dd8fc61df22d55c32047b74d9ed8fcfeadccacfc02f88d56732ab1e23167ceb1f529a0e691028b1a

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3612	3564	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

31 3172 rundll32.exe
33 3172 rundll32.exe
35 3172 rundll32.exe
39 3172 rundll32.exe
40 3172 rundll32.exe
Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

WINWORD.EXE

pid process

3564 WINWORD.EXE
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3172 rundll32.exe

flow	pid	process
31	3172	rundll32.exe
33	3172	rundll32.exe
35	3172	rundll32.exe
39	3172	rundll32.exe
40	3172	rundll32.exe

pid	process
3172	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3564 WINWORD.EXE
3564 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3172 rundll32.exe
3172 rundll32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

WINWORD.EXE

pid process

3564 WINWORD.EXE

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3172	rundll32.exe
3172	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 3564 wrote to memory of 3612	3564	WINWORD.EXE	rundll32.exe
PID 3564 wrote to memory of 3612	3564	WINWORD.EXE	rundll32.exe
PID 3612 wrote to memory of 3172	3612	rundll32.exe	rundll32.exe
PID 3612 wrote to memory of 3172	3612	rundll32.exe	rundll32.exe
PID 3612 wrote to memory of 3172	3612	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct-12.08.2020.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SYSTEM32\rundll32.exe
rundll32 c:\programdata\uAKDh.pdf,ShowDialogA -r
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\programdata\uAKDh.pdf,ShowDialogA -r
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\uAKDh.pdf
MD5
1b08e7c4cbf1e0d0f0b1ef457cd20b85

SHA1
c8c912948318c9bbb24cb607ff99fa785a49e882

SHA256
9b2aa7ba6e7e536e863bc417ff7a8be7afdf6f71aa6d961d70fa487f5f1cf3b6

SHA512
569ffacdff57fef708e4c378e019d23c2f16f8a5c64baddee503387796d50afa110dda49ee4da7143b669d761ebe6edac6d372c1d0ce2af7618a3288caf566a0

Download Submit
\ProgramData\uAKDh.pdf
MD5
1b08e7c4cbf1e0d0f0b1ef457cd20b85

SHA1
c8c912948318c9bbb24cb607ff99fa785a49e882

SHA256
9b2aa7ba6e7e536e863bc417ff7a8be7afdf6f71aa6d961d70fa487f5f1cf3b6

SHA512
569ffacdff57fef708e4c378e019d23c2f16f8a5c64baddee503387796d50afa110dda49ee4da7143b669d761ebe6edac6d372c1d0ce2af7618a3288caf566a0

Download Submit
memory/3172-11-0x0000000000000000-mapping.dmp

Download
memory/3564-2-0x00007FFC9E0E0000-0x00007FFC9E717000-memory.dmp

Filesize
6.2MB

Download
memory/3564-7-0x000001583A2A3000-0x000001583A2B4000-memory.dmp

Filesize
68KB

Download
memory/3564-13-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp

Filesize
43.1MB

Download
memory/3564-14-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp

Filesize
43.1MB

Download
memory/3564-15-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp

Filesize
43.1MB

Download
memory/3564-16-0x00007FFC9FAB0000-0x00007FFCA25D3000-memory.dmp

Filesize
43.1MB

Download
memory/3612-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads