icedid | 799c92dbf9afd51ce4760192ef65c42432f006e0fbab34971019bfe53926b879

General

Target

c33304d6_by_Libranalysis.doc
Size

65KB
MD5

c33304d6de97b0263aa4277716ee9730
SHA1

52bd645c127469b4c18486deb270151352a19296
SHA256

799c92dbf9afd51ce4760192ef65c42432f006e0fbab34971019bfe53926b879
SHA512

5276eb3c5b5274f389b5c679cc7b466a9d35c7d50b8754dc75a8af9e0c88814e27aac125918885475692915fee47ee3264e57663afc710448a3633a47573016b

Score

10^/10

icedid 2857955836 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

2857955836

C2

tyretclaster.club

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

5 1752 mshta.exe
8 1520 rundll32.exe
10 1520 rundll32.exe
12 1520 rundll32.exe
14 1520 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1624 rundll32.exe
1520 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
5	1752	mshta.exe
8	1520	rundll32.exe
10	1520	rundll32.exe
12	1520	rundll32.exe
14	1520	rundll32.exe

pid	process
1624	rundll32.exe
1520	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exeWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

484 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1520 rundll32.exe
1520 rundll32.exe

pid	process
1520	rundll32.exe
1520	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE
484	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WINWORD.EXEmshta.exerundll32.exe

description	pid	process	target process
PID 484 wrote to memory of 1168	484	WINWORD.EXE	splwow64.exe
PID 484 wrote to memory of 1168	484	WINWORD.EXE	splwow64.exe
PID 484 wrote to memory of 1168	484	WINWORD.EXE	splwow64.exe
PID 484 wrote to memory of 1168	484	WINWORD.EXE	splwow64.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1752 wrote to memory of 1624	1752	mshta.exe	rundll32.exe
PID 1624 wrote to memory of 1520	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1520	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1520	1624	rundll32.exe	rundll32.exe
PID 1624 wrote to memory of 1520	1624	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c33304d6_by_Libranalysis.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1168

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\arrayVbLoad.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\public\arrayVbLoad.jpg,PluginInit
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\public\arrayVbLoad.jpg,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\arrayVbLoad.hta
MD5
2a9b0b8b7891d97ce0c0a137d9288ec0

SHA1
7a107f51d52b65137ac39798a2b47b08e46b5f4d

SHA256
fd34c7544efbf5b06f3d1e7abd93df952ba518a86aa91c9d4938d10242fdc6c0

SHA512
8e216c38283463769695d7ad53aa634df84a2210603b3aca535e701e563115b9da2ab5a89773cf5c0ed00a6f16acf92fe33d326e5127c2cd081c738204abc8a0

Download Submit
\??\c:\users\public\arrayVbLoad.jpg
MD5
62683c37e0c94aa7cb67d0b2f696cfcf

SHA1
d386153ab9adf9d00172d7473fdc6a8ed2e2beb9

SHA256
5f7d13e112a2bb85725c5c4b64eb4b0594cd0942ced89cde66bb1996e3e0fc58

SHA512
628495e124fb892260182ec404d76eb038a8824f1996ad86846591498d1508fc37b485bb4c801d0db1088b6224c77a3cab9697fefdae3ceff01f0c1ab885e557

Download Submit
\Users\Public\arrayVbLoad.jpg
MD5
62683c37e0c94aa7cb67d0b2f696cfcf

SHA1
d386153ab9adf9d00172d7473fdc6a8ed2e2beb9

SHA256
5f7d13e112a2bb85725c5c4b64eb4b0594cd0942ced89cde66bb1996e3e0fc58

SHA512
628495e124fb892260182ec404d76eb038a8824f1996ad86846591498d1508fc37b485bb4c801d0db1088b6224c77a3cab9697fefdae3ceff01f0c1ab885e557

Download Submit
\Users\Public\arrayVbLoad.jpg
MD5
62683c37e0c94aa7cb67d0b2f696cfcf

SHA1
d386153ab9adf9d00172d7473fdc6a8ed2e2beb9

SHA256
5f7d13e112a2bb85725c5c4b64eb4b0594cd0942ced89cde66bb1996e3e0fc58

SHA512
628495e124fb892260182ec404d76eb038a8824f1996ad86846591498d1508fc37b485bb4c801d0db1088b6224c77a3cab9697fefdae3ceff01f0c1ab885e557

Download Submit
memory/484-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/484-61-0x00000000702A1000-0x00000000702A3000-memory.dmp

Filesize
8KB

Download
memory/484-60-0x0000000072821000-0x0000000072824000-memory.dmp

Filesize
12KB

Download
memory/484-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/1168-65-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1520-70-0x0000000000000000-mapping.dmp

Download
memory/1520-72-0x0000000000140000-0x000000000019B000-memory.dmp

Filesize
364KB

Download
memory/1624-67-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1624-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads