icedid | 1deea8182d2de797c52dd703c864f3b6f44a3a8cb0e8af389062884c928c5f29

Analysis

max time kernel
101s
max time network
140s
platform
windows10_x64
resource
win10v20210410
submitted
12-05-2021 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

report,05.12.21.doc
Size

46KB
MD5

5e6f7611a06e85b75cfee330aa78f24d
SHA1

a5185fda51374567ae666cea5ef582befd789572
SHA256

1deea8182d2de797c52dd703c864f3b6f44a3a8cb0e8af389062884c928c5f29
SHA512

fee01b8a7e674c9d1369f5803cd05985961a07277e5ada40692836ad567ce714788dca1dfca598c348c6d73688e18e488d6b5c6b4fb63cb21bd1fdcb8408f26d

Score

10^/10

icedid 2857955836 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

2857955836

tyretclaster.club

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3672	2088	rundll32.exe	WINWORD.EXE

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

25 3672 rundll32.exe
28 3672 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3672 rundll32.exe

flow	pid	process
25	3672	rundll32.exe
28	3672	rundll32.exe

pid	process
3672	rundll32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

2204 WINWORD.EXE
2204 WINWORD.EXE
2088 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3672 rundll32.exe
3672 rundll32.exe

pid	process
3672	rundll32.exe
3672	rundll32.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2088	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE
2204	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2088 wrote to memory of 3672	2088	WINWORD.EXE	rundll32.exe
PID 2088 wrote to memory of 3672	2088	WINWORD.EXE	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\report,05.12.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\programdata\structPasteTable.jpg,PluginInit
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
a0f3b3d0ffb2e8c7d6a227f209a04dd7

SHA1
1f27536c650d4cd5675a55e0503acc590879dbc4

SHA256
710e185e0af1c4e63eacd521f7a32bba91f13a031fa2d1ee4a3adf77a8300a2a

SHA512
fde0f0a08e7eeb8058c845614cd22f89ea922dc9968dd7590c4a92e27260c62e542dc7a2d8373025ff2ce9a589b2c8d287fb6f67089dd0e72aa73f759f334209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
3672ab0a3488fefe5c4a0c1cb57fa1d6

SHA1
d0bee08d5ba9d8eb1d5f1aeb651f82240a5aca43

SHA256
b155d1e8e3869bb4de4827397ef833315e60f45d6500e6b711ddce163b162505

SHA512
46d78482ecd3fb07982ca63a30661c2bebc5b44a2a6d6766dfa4fba5847c3d357459bf03588c3825804752786e677897fc01701258987b4b02f7510f5bca47ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
845c54aa54bd3ea864d2505c63186d41

SHA1
58bd289a85e08a61680060d8c90a9188075efc42

SHA256
3bb154c70660808e9424f31bbab1a154e8b93c72866f7ad6a40afe3f622869f7

SHA512
8b9a57e74390e245f637d2f1254b7c4fd942898dcd3f9ddd16789508450665a4248672cb1ee6b44db5306026c01d2803871f6075ca145cc667140cffc9940e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
MD5
845c54aa54bd3ea864d2505c63186d41

SHA1
58bd289a85e08a61680060d8c90a9188075efc42

SHA256
3bb154c70660808e9424f31bbab1a154e8b93c72866f7ad6a40afe3f622869f7

SHA512
8b9a57e74390e245f637d2f1254b7c4fd942898dcd3f9ddd16789508450665a4248672cb1ee6b44db5306026c01d2803871f6075ca145cc667140cffc9940e12

Download Submit
\??\c:\programdata\structPasteTable.jpg
MD5
1b4a806757ea9fef11c4a3ba41df877d

SHA1
26a700162f90ede23507822668a309650dac52b4

SHA256
ad5e1f93e774b7d87fe7b81ed925ee3f12b4ad54d605f756f5be58199d35648b

SHA512
ab969363022e169af8dc3c0b29eaafec516f6d133e846a9f6bf7699bcdfb60a7f88f6c672826ebe1f90ca2070a1ef40ad8ef055fb296be7c28894e560f502cb6

Download Submit
\ProgramData\structPasteTable.jpg
MD5
1b4a806757ea9fef11c4a3ba41df877d

SHA1
26a700162f90ede23507822668a309650dac52b4

SHA256
ad5e1f93e774b7d87fe7b81ed925ee3f12b4ad54d605f756f5be58199d35648b

SHA512
ab969363022e169af8dc3c0b29eaafec516f6d133e846a9f6bf7699bcdfb60a7f88f6c672826ebe1f90ca2070a1ef40ad8ef055fb296be7c28894e560f502cb6

Download Submit
memory/2204-114-0x00007FF800890000-0x00007FF8008A0000-memory.dmp

Filesize
64KB

Download
memory/2204-179-0x000001DAAE720000-0x000001DAAE724000-memory.dmp

Filesize
16KB

Download
memory/2204-123-0x00007FF81A3B0000-0x00007FF81C2A5000-memory.dmp

Filesize
31.0MB

Download
memory/2204-122-0x00007FF81C2B0000-0x00007FF81D39E000-memory.dmp

Filesize
16.9MB

Download
memory/2204-118-0x00007FF821CE0000-0x00007FF824803000-memory.dmp

Filesize
43.1MB

Download
memory/2204-119-0x00007FF800890000-0x00007FF8008A0000-memory.dmp

Filesize
64KB

Download
memory/2204-117-0x00007FF800890000-0x00007FF8008A0000-memory.dmp

Filesize
64KB

Download
memory/2204-116-0x00007FF800890000-0x00007FF8008A0000-memory.dmp

Filesize
64KB

Download
memory/2204-115-0x00007FF800890000-0x00007FF8008A0000-memory.dmp

Filesize
64KB

Download
memory/3672-181-0x0000000000000000-mapping.dmp

Download
memory/3672-185-0x000002E0042C0000-0x000002E00431B000-memory.dmp

Filesize
364KB

Download