Overview

overview

10

Static

static

8

document-05.21.doc

windows7_x64

10

document-05.21.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    document-05.21.doc

  • Size

    79KB

  • Sample

    210510-s2wffgxhen

  • MD5

    a14195c0b5228bdd64f6364af8fce367

  • SHA1

    f27ec771c7b93a4fbef684e38acf9afcc37a1a61

  • SHA256

    f1b68ba10435e560511fad7b9fc1f9e3d194ee4f633dc7f7c5a7c94db86314e0

  • SHA512

    dd693b6573a7bcc01900b143d272613f4729f11fe13e5feb70f6e8bc2bfb826a9e3684b490b9cd20de625e164982a55dcb732b4cec8165073e13055f924e5057

Score
10/10
icedid1420117246bankermacrotrojan

Malware Config

Extracted

Family

icedid

Campaign

1420117246

C2

zasewartefiko.top

Targets

    • Target

      document-05.21.doc

    • Size

      79KB

    • MD5

      a14195c0b5228bdd64f6364af8fce367

    • SHA1

      f27ec771c7b93a4fbef684e38acf9afcc37a1a61

    • SHA256

      f1b68ba10435e560511fad7b9fc1f9e3d194ee4f633dc7f7c5a7c94db86314e0

    • SHA512

      dd693b6573a7bcc01900b143d272613f4729f11fe13e5feb70f6e8bc2bfb826a9e3684b490b9cd20de625e164982a55dcb732b4cec8165073e13055f924e5057

    Score
    10/10
    icedid1420117246bankertrojan

    • IcedID, BokBot

      IcedID is a banking trojan capable of stealing credentials.

      trojanbankericedid

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks