icedid | 0f5508f1852fb24e927410e7abfc94ba3b029944a4302e06b0f5317f4d9cc7f2

General

Target

particulars_05.06.2021.doc
Size

75KB
MD5

f07a8a1226e19b16ca014d0ea924e0a2
SHA1

3337d7ce751cfa6d30fffc46ffcc00c462af8805
SHA256

0f5508f1852fb24e927410e7abfc94ba3b029944a4302e06b0f5317f4d9cc7f2
SHA512

ed5d2d32101c060c48141e0cc061eaee26a8e9857b4da9dbb7e0ca7d91baaa59917cf6336d5132cb26b6e71e2a0a0d3967d7c125a8302ca4ee29194c02512fd7

Score

10^/10

icedid 2941843931 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

2941843931

C2

barcafokliresd.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1088	1568	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

8 1680 rundll32.exe
10 1680 rundll32.exe
12 1680 rundll32.exe
14 1680 rundll32.exe
15 1680 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1088 rundll32.exe
1680 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
8	1680	rundll32.exe
10	1680	rundll32.exe
12	1680	rundll32.exe
14	1680	rundll32.exe
15	1680	rundll32.exe

pid	process
1088	rundll32.exe
1680	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C967221-9870-4876-AA72-ACECE69DEE3B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C967221-9870-4876-AA72-ACECE69DEE3B}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C967221-9870-4876-AA72-ACECE69DEE3B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{2C967221-9870-4876-AA72-ACECE69DEE3B}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\TypeLib\{2C967221-9870-4876-AA72-ACECE69DEE3B}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1028 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1680 rundll32.exe
1680 rundll32.exe

pid	process
1680	rundll32.exe
1680	rundll32.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1568	WINWORD.EXE
1568	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WINWORD.EXErundll32.exeWINWORD.EXE

description	pid	process	target process
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1568 wrote to memory of 1088	1568	WINWORD.EXE	rundll32.exe
PID 1088 wrote to memory of 1680	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1680	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1680	1088	rundll32.exe	rundll32.exe
PID 1088 wrote to memory of 1680	1088	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1700	1028	WINWORD.EXE	splwow64.exe
PID 1028 wrote to memory of 1700	1028	WINWORD.EXE	splwow64.exe
PID 1028 wrote to memory of 1700	1028	WINWORD.EXE	splwow64.exe
PID 1028 wrote to memory of 1700	1028	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\particulars_05.06.2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1700

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\programdata\copySwap.jpg,PluginInit
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\rundll32.exe
rundll32 c:\programdata\copySwap.jpg,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
MD5
374f81bfdb707a4344ea2ce8e62355d7

SHA1
5d776181825d939f501b3db001b2ff675a9cc109

SHA256
705e24ec990f47758a91d3cb2a8b138d9ee2e55ebebbde250bd9a483e269717c

SHA512
192d41a85745f08a94de0c53a3fde692ad00c203ce7b74e75295fc1fa25e4537d5cff3f0aa340eb3472ea3ef93f9174632a1c81cd8ac4a11066933c9e6937a5f

Download Submit
\??\c:\programdata\copySwap.jpg
MD5
7ed4a53d6565cb84376b26b62debe40f

SHA1
14c780b519e9c27130c04a21fd55384b3bc6f525

SHA256
0e2557e57082629930be43c4f4a8ca4610b167ee525dfd4cd7fd11fc15ea1e3d

SHA512
594b834c13190be493a902754366a0bddbd3bb0a898fab7824c3bfd3325b8b8e6840d8dc0ef04a962b990697cb98a55735b109be65ee91c2e503ce1b043119ef

Download Submit
\ProgramData\copySwap.jpg
MD5
7ed4a53d6565cb84376b26b62debe40f

SHA1
14c780b519e9c27130c04a21fd55384b3bc6f525

SHA256
0e2557e57082629930be43c4f4a8ca4610b167ee525dfd4cd7fd11fc15ea1e3d

SHA512
594b834c13190be493a902754366a0bddbd3bb0a898fab7824c3bfd3325b8b8e6840d8dc0ef04a962b990697cb98a55735b109be65ee91c2e503ce1b043119ef

Download Submit
\ProgramData\copySwap.jpg
MD5
7ed4a53d6565cb84376b26b62debe40f

SHA1
14c780b519e9c27130c04a21fd55384b3bc6f525

SHA256
0e2557e57082629930be43c4f4a8ca4610b167ee525dfd4cd7fd11fc15ea1e3d

SHA512
594b834c13190be493a902754366a0bddbd3bb0a898fab7824c3bfd3325b8b8e6840d8dc0ef04a962b990697cb98a55735b109be65ee91c2e503ce1b043119ef

Download Submit
memory/1028-61-0x0000000070141000-0x0000000070143000-memory.dmp

Filesize
8KB

Download
memory/1028-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1028-63-0x0000000005E90000-0x0000000006ADA000-memory.dmp

Filesize
12.3MB

Download
memory/1028-60-0x00000000726C1000-0x00000000726C4000-memory.dmp

Filesize
12KB

Download
memory/1088-69-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1088-68-0x0000000000000000-mapping.dmp

Download
memory/1568-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1680-72-0x0000000000000000-mapping.dmp

Download
memory/1680-74-0x0000000001AD0000-0x0000000001B1D000-memory.dmp

Filesize
308KB

Download
memory/1700-76-0x0000000000000000-mapping.dmp

Download
memory/1700-77-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads