icedid | 79d039cacf9d5c4011b56709c53de1a8be20010484a69d118ac91fcce6f2c253

General

Target

commerce ,12.09.2020.doc
Size

76KB
MD5

e4ed13e9bb520ca239f22b0975635375
SHA1

aecceac8f470893170663aff507e9a93581442f8
SHA256

79d039cacf9d5c4011b56709c53de1a8be20010484a69d118ac91fcce6f2c253
SHA512

b5320be82f5d2ad1e0192ec6cf6f8821162fb997fab329f373d73df51fe35a5ec648eb3495434658f723fb72e6ac20d6ca28c6bd5700aad9afca0956e49fd881

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2412	4020	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

13 188 mshta.exe
29 3636 rundll32.exe
31 3636 rundll32.exe
37 3636 rundll32.exe
39 3636 rundll32.exe
41 3636 rundll32.exe
42 3636 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3636 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
13	188	mshta.exe
29	3636	rundll32.exe
31	3636	rundll32.exe
37	3636	rundll32.exe
39	3636	rundll32.exe
41	3636	rundll32.exe
42	3636	rundll32.exe

pid	process
3636	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4020 WINWORD.EXE
4020 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3636 rundll32.exe
3636 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	rundll32.exe

pid	process
3636	rundll32.exe
3636	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE
4020	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 4020 wrote to memory of 2412	4020	WINWORD.EXE	rundll32.exe
PID 4020 wrote to memory of 2412	4020	WINWORD.EXE	rundll32.exe
PID 2412 wrote to memory of 188	2412	rundll32.exe	mshta.exe
PID 2412 wrote to memory of 188	2412	rundll32.exe	mshta.exe
PID 2412 wrote to memory of 188	2412	rundll32.exe	mshta.exe
PID 188 wrote to memory of 3636	188	mshta.exe	rundll32.exe
PID 188 wrote to memory of 3636	188	mshta.exe	rundll32.exe
PID 188 wrote to memory of 3636	188	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\commerce ,12.09.2020.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aFAXy.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
ba3dd20a06e9e33867dc14e3268671a9

SHA1
8cf703ef9ae1ebb3b8f2dc7de2326d984fdb318b

SHA256
1f3ceab93354f2360bda3b43d4b97e174160ca50cd3704a1a46869e35e30f362

SHA512
552c860b55573d57debe4fc3f07bc8063860c31da55a31daba3779a43c8e6a4137f8978458c0ceee0e979cb9b62a9e4dd85f5e30a7412715e1bf60e238f18473

Download Submit
\??\c:\programdata\aFAXy.pdf
MD5
c6ed8da09da9d1f3f9fa5fc3f22915ed

SHA1
3932eb15fcffbac34b27be57ffa4803253bc9b6c

SHA256
848b872b7ab9bef9fb0c73f5ee6cceb02a329efbbc38467b878aab8cef2ae65b

SHA512
1aef5a1f9f4d5c3df6b94ac848459ff9fc7230664a0bd274bd1947d926bbb49a4ef9dafbee10b478ca25e67232aab12877d0a639c5e34de7a6af27f2d7850fba

Download Submit
\ProgramData\aFAXy.pdf
MD5
c6ed8da09da9d1f3f9fa5fc3f22915ed

SHA1
3932eb15fcffbac34b27be57ffa4803253bc9b6c

SHA256
848b872b7ab9bef9fb0c73f5ee6cceb02a329efbbc38467b878aab8cef2ae65b

SHA512
1aef5a1f9f4d5c3df6b94ac848459ff9fc7230664a0bd274bd1947d926bbb49a4ef9dafbee10b478ca25e67232aab12877d0a639c5e34de7a6af27f2d7850fba

Download Submit
memory/188-7-0x0000000000000000-mapping.dmp

Download
memory/2412-5-0x0000000000000000-mapping.dmp

Download
memory/3636-8-0x0000000000000000-mapping.dmp

Download
memory/4020-2-0x00007FFE00290000-0x00007FFE008C7000-memory.dmp

Filesize
6.2MB

Download
memory/4020-3-0x000001FC96D27000-0x000001FC96D2C000-memory.dmp

Filesize
20KB

Download
memory/4020-4-0x000001FC96D27000-0x000001FC96D2C000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads