icedid | 0f5508f1852fb24e927410e7abfc94ba3b029944a4302e06b0f5317f4d9cc7f2

Analysis

max time kernel
110s
max time network
148s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

particulars_05.06.2021.doc
Size

75KB
MD5

f07a8a1226e19b16ca014d0ea924e0a2
SHA1

3337d7ce751cfa6d30fffc46ffcc00c462af8805
SHA256

0f5508f1852fb24e927410e7abfc94ba3b029944a4302e06b0f5317f4d9cc7f2
SHA512

ed5d2d32101c060c48141e0cc061eaee26a8e9857b4da9dbb7e0ca7d91baaa59917cf6336d5132cb26b6e71e2a0a0d3967d7c125a8302ca4ee29194c02512fd7

Score

10^/10

icedid 2941843931 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

2941843931

barcafokliresd.top

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2120	2184	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

29 2120 rundll32.exe
31 2120 rundll32.exe
41 2120 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2120 rundll32.exe

flow	pid	process
29	2120	rundll32.exe
31	2120	rundll32.exe
41	2120	rundll32.exe

pid	process
2120	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

708 WINWORD.EXE
708 WINWORD.EXE
2184 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2120 rundll32.exe
2120 rundll32.exe

pid	process
2120	rundll32.exe
2120	rundll32.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
2184	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE
708	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2184 wrote to memory of 2120	2184	WINWORD.EXE	rundll32.exe
PID 2184 wrote to memory of 2120	2184	WINWORD.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\particulars_05.06.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:708

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\programdata\copySwap.jpg,PluginInit
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
c818d1a2303069fccb29a84353a0e4b9

SHA1
29cf56b6ca40bc9333728ea3c92b4e2dd8f63087

SHA256
ba8bddb399ff54df8d1f560fe3e695d0b0ed072617cb5b485647730e2285e084

SHA512
162d75f4a6f07cacfbd457a7b2e01c24d9fe91bf7a77c11f9ec9326a62d6ddcb4c22e848d863311456d065898a7e007f8ed22f4c98f26255c77ee854a84f3252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
b91fd605823ba2f8e4579828907af408

SHA1
2dca2486528d3cfa18488c5d1512b5f13a2e46be

SHA256
ac0b129beba2a8a7c2c1211ef7de909a58640b6f7edb51faf392d04af2aae06c

SHA512
62bcb8bc696abadeeaf287291528976a220c56fdad44affca9c46850fc652273e3cba55a707d07b7778182292ce614b77b6670d32e29d2640118806232e9b4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
762be0afd2ece78d0d9437baacd2a674

SHA1
2117231cfcecc79ae71b4bc3d6ffc5cb24469dee

SHA256
f972c64a8526dec4c8b673a13475ec10163f4a3119e00d0c7e3f1f99083fa14d

SHA512
e75fc86c48d9f2a8e038d82d32b96052a5a732041490960017bf8f0a8adf038a8ef7a7e284d677996ff0463bf92486fe9d8bdf2a0aa8fe773c0da2610b9e9443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
762be0afd2ece78d0d9437baacd2a674

SHA1
2117231cfcecc79ae71b4bc3d6ffc5cb24469dee

SHA256
f972c64a8526dec4c8b673a13475ec10163f4a3119e00d0c7e3f1f99083fa14d

SHA512
e75fc86c48d9f2a8e038d82d32b96052a5a732041490960017bf8f0a8adf038a8ef7a7e284d677996ff0463bf92486fe9d8bdf2a0aa8fe773c0da2610b9e9443

Download Submit
\??\c:\programdata\copySwap.jpg
MD5
7ed4a53d6565cb84376b26b62debe40f

SHA1
14c780b519e9c27130c04a21fd55384b3bc6f525

SHA256
0e2557e57082629930be43c4f4a8ca4610b167ee525dfd4cd7fd11fc15ea1e3d

SHA512
594b834c13190be493a902754366a0bddbd3bb0a898fab7824c3bfd3325b8b8e6840d8dc0ef04a962b990697cb98a55735b109be65ee91c2e503ce1b043119ef

Download Submit
\ProgramData\copySwap.jpg
MD5
7ed4a53d6565cb84376b26b62debe40f

SHA1
14c780b519e9c27130c04a21fd55384b3bc6f525

SHA256
0e2557e57082629930be43c4f4a8ca4610b167ee525dfd4cd7fd11fc15ea1e3d

SHA512
594b834c13190be493a902754366a0bddbd3bb0a898fab7824c3bfd3325b8b8e6840d8dc0ef04a962b990697cb98a55735b109be65ee91c2e503ce1b043119ef

Download Submit
memory/708-114-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/708-179-0x000001D097020000-0x000001D097024000-memory.dmp

Filesize
16KB

Download
memory/708-123-0x00007FFF948B0000-0x00007FFF967A5000-memory.dmp

Filesize
31.0MB

Download
memory/708-122-0x000001D087B40000-0x000001D088C2E000-memory.dmp

Filesize
16.9MB

Download
memory/708-118-0x00007FFF9BA10000-0x00007FFF9E533000-memory.dmp

Filesize
43.1MB

Download
memory/708-119-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/708-117-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/708-116-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/708-115-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

Filesize
64KB

Download
memory/2120-184-0x000001AB75C80000-0x000001AB75CCD000-memory.dmp

Filesize
308KB

Download
memory/2120-181-0x0000000000000000-mapping.dmp

Download