icedid | 55d904b83f04acb4118df9b2bd3ebbd44b9553b0aabcfff7b68d674ddb6052cc

General

Target

charge-12.20.doc
Size

90KB
MD5

76197f6d42cd64acde1972d4a52ae82d
SHA1

71654b1ae3657a9f18b97fd7a26cfda4e67b0988
SHA256

55d904b83f04acb4118df9b2bd3ebbd44b9553b0aabcfff7b68d674ddb6052cc
SHA512

c7f2c95d6f02885403c88f549f14ee8fd8efde905f8b42362857b0c8c9f83e7b4bbe09f7933184f931049aba25d1112bac6fd488f95eebc94b75badc09cf3b8c

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1908	3132	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

25 3276 mshta.exe
32 1656 rundll32.exe
38 1656 rundll32.exe
42 1656 rundll32.exe
44 1656 rundll32.exe
46 1656 rundll32.exe
48 1656 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1656 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
25	3276	mshta.exe
32	1656	rundll32.exe
38	1656	rundll32.exe
42	1656	rundll32.exe
44	1656	rundll32.exe
46	1656	rundll32.exe
48	1656	rundll32.exe

pid	process
1656	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3132 WINWORD.EXE
3132 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1656 rundll32.exe
1656 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	rundll32.exe

pid	process
1656	rundll32.exe
1656	rundll32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE
3132	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 3132 wrote to memory of 1908	3132	WINWORD.EXE	rundll32.exe
PID 3132 wrote to memory of 1908	3132	WINWORD.EXE	rundll32.exe
PID 1908 wrote to memory of 3276	1908	rundll32.exe	mshta.exe
PID 1908 wrote to memory of 3276	1908	rundll32.exe	mshta.exe
PID 1908 wrote to memory of 3276	1908	rundll32.exe	mshta.exe
PID 3276 wrote to memory of 1656	3276	mshta.exe	rundll32.exe
PID 3276 wrote to memory of 1656	3276	mshta.exe	rundll32.exe
PID 3276 wrote to memory of 1656	3276	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\charge-12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\a1ZcUb.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
638f28c4846813aa8a3f3ba8166190d8

SHA1
59267056de664af22622b0eda64337a18f8d6271

SHA256
6dde31588640f1ed817f3fbc3322c18b7d66719d1fcbc5e11a332da006512b66

SHA512
a5f357c962ad9f03bd42c7b12fee71c8b51422fdc930cafffabc4fd18e4ec8021021499a1792f655530ddc437a49af5e4721c055c87f221504732a2ff7b7ad95

Download Submit
\??\c:\programdata\a1ZcUb.pdf
MD5
a1856975dc9d24664781f46c24e92e44

SHA1
8048f5f1367280bda428ef410f467a69343a486f

SHA256
79f7e431b8d3aefdde3155ca9a5c0e91178b5944f61ab78ddb4dedaf85cd8c1a

SHA512
45961465ebd175b25dcbbe6a4a82344ffe4221ab81bf0858769a10b809d791e5ea6bd50e4d5f31e991547dba24c798c7674387a4cf9c50478205740a28f9b513

Download Submit
\ProgramData\a1ZcUb.pdf
MD5
a1856975dc9d24664781f46c24e92e44

SHA1
8048f5f1367280bda428ef410f467a69343a486f

SHA256
79f7e431b8d3aefdde3155ca9a5c0e91178b5944f61ab78ddb4dedaf85cd8c1a

SHA512
45961465ebd175b25dcbbe6a4a82344ffe4221ab81bf0858769a10b809d791e5ea6bd50e4d5f31e991547dba24c798c7674387a4cf9c50478205740a28f9b513

Download Submit
memory/1656-9-0x0000000000000000-mapping.dmp

Download
memory/1908-6-0x0000000000000000-mapping.dmp

Download
memory/3132-2-0x0000015663E50000-0x0000015664487000-memory.dmp

Filesize
6.2MB

Download
memory/3276-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads