icedid | f22d8e42dffd3328fd01c0eb8ad2a8872d8cb104f0be67f1bcf37e3b1b29c382

General

Target

files 12.17.2020.doc
Size

59KB
MD5

2a631559ef534a0d256692408ab51bcf
SHA1

3d3e0e6d1daa2fa91ac2c4b7cb3c98cbfd4913f7
SHA256

f22d8e42dffd3328fd01c0eb8ad2a8872d8cb104f0be67f1bcf37e3b1b29c382
SHA512

3546fa4229e55d0201d744f751bd9c53b18a5c51f45704e7a5056857493098d5c3b95f4e4236442289c4b240fed61ae76318aa91f1b0b8739512cb921a8f39c9

Score

10^/10

icedid banker trojan

Malware Config

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2748	2604	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

28 588 rundll32.exe
34 588 rundll32.exe
36 588 rundll32.exe
38 588 rundll32.exe
40 588 rundll32.exe
42 588 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

588 rundll32.exe

flow	pid	process
28	588	rundll32.exe
34	588	rundll32.exe
36	588	rundll32.exe
38	588	rundll32.exe
40	588	rundll32.exe
42	588	rundll32.exe

pid	process
588	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2604 WINWORD.EXE
2604 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

588 rundll32.exe
588 rundll32.exe

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
588	rundll32.exe
588	rundll32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WINWORD.EXErundll32.exe

description	pid	process	target process
PID 2604 wrote to memory of 2748	2604	WINWORD.EXE	rundll32.exe
PID 2604 wrote to memory of 2748	2604	WINWORD.EXE	rundll32.exe
PID 2748 wrote to memory of 588	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 588	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 588	2748	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\files 12.17.2020.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SYSTEM32\rundll32.exe
rundll32 c:\programdata\MOxIZ.pdf,ShowDialogA -r
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\programdata\MOxIZ.pdf,ShowDialogA -r
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\MOxIZ.pdf
MD5
c0ad5ddda0245780ba0d36babdedb526

SHA1
d3c8e9f0733bd9bf8ecc608179e9e99d6dc7c0cf

SHA256
446d4e7ac760e88162f625a1644ec5ce561ab24fa473f2f232bd7bf73502b63c

SHA512
93a4d1951e16d8584f9b42ed68de945fca23491798fc359b367c78075aae734d028e536558de5c2b26424da6216cad9162ed82e8ec5f23a4af136666d22f53d5

Download Submit
\ProgramData\MOxIZ.pdf
MD5
c0ad5ddda0245780ba0d36babdedb526

SHA1
d3c8e9f0733bd9bf8ecc608179e9e99d6dc7c0cf

SHA256
446d4e7ac760e88162f625a1644ec5ce561ab24fa473f2f232bd7bf73502b63c

SHA512
93a4d1951e16d8584f9b42ed68de945fca23491798fc359b367c78075aae734d028e536558de5c2b26424da6216cad9162ed82e8ec5f23a4af136666d22f53d5

Download Submit
memory/588-10-0x0000000000000000-mapping.dmp

Download
memory/2604-2-0x000001BEAF1A0000-0x000001BEAF7D7000-memory.dmp

Filesize
6.2MB

Download
memory/2604-12-0x00007FF894DD0000-0x00007FF8978F3000-memory.dmp

Filesize
43.1MB

Download
memory/2604-13-0x00007FF894DD0000-0x00007FF8978F3000-memory.dmp

Filesize
43.1MB

Download
memory/2748-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads