icedid | 80f5168c56293392745ef57fc6168cc588a1904a92b173edb3cf920e0d7e727c

Analysis

max time kernel
103s
max time network
137s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

direct 05.04.2021.doc
Size

75KB
MD5

a6851b431abd770ea66948e60b0b5e0d
SHA1

2b7f322a28f19a4d3e26b3ab1738f163a9185575
SHA256

80f5168c56293392745ef57fc6168cc588a1904a92b173edb3cf920e0d7e727c
SHA512

7180e3537a8dce36efd771afa3f1c10a982ab52644fbbd2647afd8ec1e8226f30fad0f8e7766ba041b8476d3ae4e79d340df59d196239918a4b29bbdabdc991f

Score

10^/10

icedid 3042509645 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

3042509645

barcafokliresd.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3192	1080	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

24 3192 rundll32.exe
26 3192 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3192 rundll32.exe

flow	pid	process
24	3192	rundll32.exe
26	3192	rundll32.exe

pid	process
3192	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3724 WINWORD.EXE
3724 WINWORD.EXE
1080 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3192 rundll32.exe
3192 rundll32.exe

pid	process
3192	rundll32.exe
3192	rundll32.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1080 wrote to memory of 3192	1080	WINWORD.EXE	rundll32.exe
PID 1080 wrote to memory of 3192	1080	WINWORD.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct 05.04.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\programdata\clearIndex.jpg,PluginInit
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
ba91a6f9d2d9fb3667180033d3bab028

SHA1
facbabf8f1ebc12cd4edb36499d3ad999426c1f7

SHA256
104d61c059ebff161fa8f3f637d04015697e3001928e0520e46359434dff8632

SHA512
ff3fa0b01b91ba7431c52924d2f8086d079f1c84ddb5c0cf1e2bc382f05ae59b6c3e58240e3312d737511133137e837b39a77def6e1084df1a94167ef3d79a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
bd6050aeaad5a08e5a74d427441fa3df

SHA1
0705bcab22c42cd6e9f2dbb08750015b236a03dd

SHA256
f03bd3b2f187a65fc804b65910f4734cad2926ad43bc946d19b4ffe2eb8143ff

SHA512
115fb73b8f9f839a86879c7d5c522d32198a835847ffea89f58f82a71d995b1c51efdef663881a9497ec5cf9c475af703a18cfba9b5c5ca9a2f31620d2ff1bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F548F2F5-1212-41CD-ACA3-A2B2C16BBEFF
MD5
8fcce6ff2276966d3e640c65df613234

SHA1
1188957685f9f8a417fea8b617b74a59481d6508

SHA256
36f5fcdd5af74e0285e31bcf186b3734f85f3950cd05ad618cdae1fc8c14b19d

SHA512
81c139f4d3167bee89a01aa244c00e755148849dbdf917a1db1a257107b0d3eb94f80e07d05ad3bbb9f138fa178f73167d3aa3036764931cb0a51828e350bafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
e127c4f0ccdc4bac568dbba932438d5c

SHA1
fd5abe5860155f8b77bfce1f59ac7eede61de76a

SHA256
b2f467838f5829c7a34cbf6c43857fd1e51c90933541a17f0c9910f18813632f

SHA512
5fe8119077ee9feb0394d4f1e6b0ed64a4cb0e44a44492cbb9271b7b8d74ea32a889dd0ce0459a7e006c8b773355f8ea513c8f115005766f1a7f0e40f23fd5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
0db17535801410f978767f4723650cb2

SHA1
d8883926a4dbf2ec1532e495cdcedf6e863dc838

SHA256
b76ed3c420617589bda8609b8fffadf9eec3187db2807b686cbaaf45bb80e072

SHA512
6348f4ef87fd883775a9e5c8b6a0ccea57b1ed8c28ef080d77c7ef6d6a53f93d2e30a1604b6c1b20146e8b39734536928a4070ef9da9f58a990c561460b129fd

Download Submit
\??\c:\programdata\clearIndex.jpg
MD5
340553110ac8c4c9d4f31a6b3cbf08be

SHA1
8c926ed9c94f2e63993870c4a293de053e56f9b8

SHA256
7a4f32936b4823b48c9589f45b909d08c1218e06d852970ffdc5239a8715ebe4

SHA512
1baec3f5d8bbf46d2ed151b2d91696496c7decee3948e0cafde907ca8ea32f3412490df3479b68a7ff1c371210439bd52655c5309274c434f3a41446b57a7776

Download Submit
\ProgramData\clearIndex.jpg
MD5
340553110ac8c4c9d4f31a6b3cbf08be

SHA1
8c926ed9c94f2e63993870c4a293de053e56f9b8

SHA256
7a4f32936b4823b48c9589f45b909d08c1218e06d852970ffdc5239a8715ebe4

SHA512
1baec3f5d8bbf46d2ed151b2d91696496c7decee3948e0cafde907ca8ea32f3412490df3479b68a7ff1c371210439bd52655c5309274c434f3a41446b57a7776

Download Submit
memory/3192-182-0x0000000000000000-mapping.dmp

Download
memory/3192-185-0x000001D261D60000-0x000001D261DA6000-memory.dmp

Filesize
280KB

Download
memory/3724-114-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/3724-180-0x000002657DAC0000-0x000002657DAC4000-memory.dmp

Filesize
16KB

Download
memory/3724-123-0x00007FFA3D900000-0x00007FFA3F7F5000-memory.dmp

Filesize
31.0MB

Download
memory/3724-122-0x00007FFA40BD0000-0x00007FFA41CBE000-memory.dmp

Filesize
16.9MB

Download
memory/3724-118-0x00007FFA46120000-0x00007FFA48C43000-memory.dmp

Filesize
43.1MB

Download
memory/3724-119-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/3724-117-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/3724-116-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download
memory/3724-115-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmp

Filesize
64KB

Download