icedid | e27ec64bfb5e248f294855366e6cfe5884874a77a9ec5429843c3da37bd0428e

General

Target

input-12.20.doc
Size

90KB
MD5

b62c202699132594e5d95bd22c9f3fb8
SHA1

f129c898c8c4b893c8e78bd79fc60b460d292e60
SHA256

e27ec64bfb5e248f294855366e6cfe5884874a77a9ec5429843c3da37bd0428e
SHA512

879eb7b6e73379e73ea72ba3e432c47cf9212c2082605079ebcc143cde2199bccf8f455de7e7decc5c18e4e2262111ead00de717b31e31df322c66d0d634863b

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2724	972	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

18 4092 mshta.exe
26 508 rundll32.exe
30 508 rundll32.exe
35 508 rundll32.exe
37 508 rundll32.exe
39 508 rundll32.exe
40 508 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

508 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
18	4092	mshta.exe
26	508	rundll32.exe
30	508	rundll32.exe
35	508	rundll32.exe
37	508	rundll32.exe
39	508	rundll32.exe
40	508	rundll32.exe

pid	process
508	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

972 WINWORD.EXE
972 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

508 rundll32.exe
508 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	rundll32.exe

pid	process
508	rundll32.exe
508	rundll32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE
972	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 972 wrote to memory of 2724	972	WINWORD.EXE	rundll32.exe
PID 972 wrote to memory of 2724	972	WINWORD.EXE	rundll32.exe
PID 2724 wrote to memory of 4092	2724	rundll32.exe	mshta.exe
PID 2724 wrote to memory of 4092	2724	rundll32.exe	mshta.exe
PID 2724 wrote to memory of 4092	2724	rundll32.exe	mshta.exe
PID 4092 wrote to memory of 508	4092	mshta.exe	rundll32.exe
PID 4092 wrote to memory of 508	4092	mshta.exe	rundll32.exe
PID 4092 wrote to memory of 508	4092	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\input-12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\aLtuD.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
2af302fc16fc949ec89af790606ffbda

SHA1
6ba7d07564848fb24fd9a28f213bb79c03b207ea

SHA256
3990b1ead98cd08208bfae8f0caccd8959d4d6035390fdf375d34a15411a8542

SHA512
faf7cb8e61aa6b59a7261c0eb7330a10f5d8cc1bb8335bb856e98b92613cb5e4e48616e40bc6739ce1cd1b8a902d9b8c4e68f72f94a8311f6de7d4ca8933d39e

Download Submit
\??\c:\programdata\aLtuD.pdf
MD5
08801114db495223f7f144cf1f8ed748

SHA1
f95297d001d8c37145fc0ab92d07ff82b6cd75cc

SHA256
fdddb399e08255aa8644f4025db867da7983c104065a2ce8bbd7089d8be943ec

SHA512
e6576cb8af704e1b850b04c17dcc91a632b9031eb005889b5f17253c22c80418571c6b2dd2244cdd2037278ea3638725882c4ec5ef507e3e8d9149965e849cfe

Download Submit
\ProgramData\aLtuD.pdf
MD5
08801114db495223f7f144cf1f8ed748

SHA1
f95297d001d8c37145fc0ab92d07ff82b6cd75cc

SHA256
fdddb399e08255aa8644f4025db867da7983c104065a2ce8bbd7089d8be943ec

SHA512
e6576cb8af704e1b850b04c17dcc91a632b9031eb005889b5f17253c22c80418571c6b2dd2244cdd2037278ea3638725882c4ec5ef507e3e8d9149965e849cfe

Download Submit
memory/508-9-0x0000000000000000-mapping.dmp

Download
memory/972-2-0x000001D860250000-0x000001D860887000-memory.dmp

Filesize
6.2MB

Download
memory/972-3-0x000001D868C6B000-0x000001D868C81000-memory.dmp

Filesize
88KB

Download
memory/2724-6-0x0000000000000000-mapping.dmp

Download
memory/4092-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads