icedid | 34ff76103583c35bebe706f721e1e692a7c34b226eb32fa96de9dcd4c8db7ddc

General

Target

official paper.12.20.doc
Size

77KB
MD5

1b1b78aed0518d2608786b0c0a5af9ef
SHA1

472a23c627100d627c8f98bde78a5bd28bcb2545
SHA256

34ff76103583c35bebe706f721e1e692a7c34b226eb32fa96de9dcd4c8db7ddc
SHA512

17b041223b618ba08f4f504bd43bff2bc4c6044eea86f5c17c5c1448e643ccccd56e2da8780ea91b21205dcd22aa4749a31216676b6943cf6903c3cb4dec4002

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1008	4092	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 7 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

13 752 mshta.exe
28 1872 rundll32.exe
30 1872 rundll32.exe
36 1872 rundll32.exe
38 1872 rundll32.exe
40 1872 rundll32.exe
41 1872 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1872 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
13	752	mshta.exe
28	1872	rundll32.exe
30	1872	rundll32.exe
36	1872	rundll32.exe
38	1872	rundll32.exe
40	1872	rundll32.exe
41	1872	rundll32.exe

pid	process
1872	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4092 WINWORD.EXE
4092 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1872 rundll32.exe
1872 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	rundll32.exe

pid	process
1872	rundll32.exe
1872	rundll32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE
4092	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXErundll32.exemshta.exe

description	pid	process	target process
PID 4092 wrote to memory of 1008	4092	WINWORD.EXE	rundll32.exe
PID 4092 wrote to memory of 1008	4092	WINWORD.EXE	rundll32.exe
PID 1008 wrote to memory of 752	1008	rundll32.exe	mshta.exe
PID 1008 wrote to memory of 752	1008	rundll32.exe	mshta.exe
PID 1008 wrote to memory of 752	1008	rundll32.exe	mshta.exe
PID 752 wrote to memory of 1872	752	mshta.exe	rundll32.exe
PID 752 wrote to memory of 1872	752	mshta.exe	rundll32.exe
PID 752 wrote to memory of 1872	752	mshta.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\official paper.12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
2⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\programdata\arm2sL.pdf,ShowDialogA -r
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\index.hta
MD5
cdb6cd41f190c13a1be598a9bf6c596f

SHA1
0ff0df401737d017d6c3c191e7e563626b3cedb4

SHA256
1b0f0e64d14ab36096bce932480f7e3e4357479641a75cf7c35bbbaa6590c4b4

SHA512
dd0ce2e64e8f5158dd3bcb04f0e935a4f7ec65541b1c79744a7354c247fa0c446c05988bc399933bcff72d658971238705c2e4001a964a663f2c1c88f4715b6d

Download Submit
\??\c:\programdata\arm2sL.pdf
MD5
f95dc82fd1ca58390a6139a3d24bc165

SHA1
d1cc0401e6f5be4de588f3ad8eff28b9d41d70c0

SHA256
4e8c0e221758786fff06cc9b560be681ba10facb05e47c1eb4492b19a0cc441a

SHA512
d8a1172f432652afa863cf8013a012c88598e3ca9d0971f8a6549c79f0449fc04db1d7a436ed95b6e8bd4ad5fc9e1d5c26dd417903ea5621c6b5a08a628b698f

Download Submit
\ProgramData\arm2sL.pdf
MD5
f95dc82fd1ca58390a6139a3d24bc165

SHA1
d1cc0401e6f5be4de588f3ad8eff28b9d41d70c0

SHA256
4e8c0e221758786fff06cc9b560be681ba10facb05e47c1eb4492b19a0cc441a

SHA512
d8a1172f432652afa863cf8013a012c88598e3ca9d0971f8a6549c79f0449fc04db1d7a436ed95b6e8bd4ad5fc9e1d5c26dd417903ea5621c6b5a08a628b698f

Download Submit
memory/752-7-0x0000000000000000-mapping.dmp

Download
memory/1008-5-0x0000000000000000-mapping.dmp

Download
memory/1872-8-0x0000000000000000-mapping.dmp

Download
memory/4092-2-0x00007FFFCB550000-0x00007FFFCBB87000-memory.dmp

Filesize
6.2MB

Download
memory/4092-3-0x0000023009670000-0x0000023009675000-memory.dmp

Filesize
20KB

Download
memory/4092-4-0x0000023009675000-0x000002300967A000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads