icedid | 7215e503b77bdd7fd48b5f63cbce288bf0caa00ed5688bc9b810cb51ed3a765a

General

Target

inquiry.05.17.21.doc
Size

65KB
MD5

e0452e225acb088de11d6517db7479ac
SHA1

298ea7b0e1035975e024876665aa13f2a15ea8f7
SHA256

7215e503b77bdd7fd48b5f63cbce288bf0caa00ed5688bc9b810cb51ed3a765a
SHA512

376a1bb04cfc540f2e7ddc3c7a9d69dce0126dd94b6a13c073c556c82a9eb9857437bb3aa90e2964bf89e8036cca7a32d193bdc67f44218560825c6770ea85f8

Score

10^/10

icedid 632457322 Photoloader banker trojan

Malware Config

Extracted

Family

icedid

Campaign

632457322

C2

kickersflyers.bid

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

PhotoLoader Payload 1 IoCs

IcedID downloder-Photloader.

Photoloader

Processes:

resource	yara_rule
behavioral1/memory/788-71-0x0000000001C10000-0x0000000001C6B000-memory.dmp	crime_win32_icedid_stage1

Blocklisted process makes network request 5 IoCs

Processes:

mshta.exerundll32.exe

flow pid process

5 1888 mshta.exe
7 788 rundll32.exe
9 788 rundll32.exe
13 788 rundll32.exe
15 788 rundll32.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1952 rundll32.exe
788 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
5	1888	mshta.exe
7	788	rundll32.exe
9	788	rundll32.exe
13	788	rundll32.exe
15	788	rundll32.exe

pid	process
1952	rundll32.exe
788	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1100 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

788 rundll32.exe
788 rundll32.exe

pid	process
788	rundll32.exe
788	rundll32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE
1100	WINWORD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WINWORD.EXEmshta.exerundll32.exe

description	pid	process	target process
PID 1100 wrote to memory of 1408	1100	WINWORD.EXE	splwow64.exe
PID 1100 wrote to memory of 1408	1100	WINWORD.EXE	splwow64.exe
PID 1100 wrote to memory of 1408	1100	WINWORD.EXE	splwow64.exe
PID 1100 wrote to memory of 1408	1100	WINWORD.EXE	splwow64.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1888 wrote to memory of 1952	1888	mshta.exe	rundll32.exe
PID 1952 wrote to memory of 788	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 788	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 788	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 788	1952	rundll32.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\inquiry.05.17.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1408

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\vbProcedureLink.hta"
1⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\public\vbProcedureLink.jpg,PluginInit
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" c:\users\public\vbProcedureLink.jpg,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbProcedureLink.hta
MD5
bea16a989551cdedf9c8ef40f6658a1b

SHA1
89adc9e9a64e175e19fa67ed5ea60235f259b702

SHA256
1ba01f2fd5abd26077787c276bdd317ba634efb1611a58ff36379e5db10f5ddb

SHA512
6fa296cda8cf2cdbb59cf7c7255cd957d968b80f74e409ac8f16ebc838dd61be0960bbd5b46a2f207d8527bfce2ce1d810cb4165bd5996dc5b4834f906a6a2b1

Download Submit
\??\c:\users\public\vbProcedureLink.jpg
MD5
3dac0528c71369e7846e8f7fe726d52c

SHA1
c4ee2831e0f117ba01efbf9c591e9d04db8fe917

SHA256
d2d441b694e311f919f3ffba7332c2851356a876a9dfe0ae09d7a88dfd644a89

SHA512
67248cb4ade36333972eb907e2c04998d010903dca8ad8afa8b1bc99ecde43c789609467bd5433c5bf6c0062b970cb4b12ca3ea25dcb31c65e5c7905a2780e3d

Download Submit
\Users\Public\vbProcedureLink.jpg
MD5
3dac0528c71369e7846e8f7fe726d52c

SHA1
c4ee2831e0f117ba01efbf9c591e9d04db8fe917

SHA256
d2d441b694e311f919f3ffba7332c2851356a876a9dfe0ae09d7a88dfd644a89

SHA512
67248cb4ade36333972eb907e2c04998d010903dca8ad8afa8b1bc99ecde43c789609467bd5433c5bf6c0062b970cb4b12ca3ea25dcb31c65e5c7905a2780e3d

Download Submit
\Users\Public\vbProcedureLink.jpg
MD5
3dac0528c71369e7846e8f7fe726d52c

SHA1
c4ee2831e0f117ba01efbf9c591e9d04db8fe917

SHA256
d2d441b694e311f919f3ffba7332c2851356a876a9dfe0ae09d7a88dfd644a89

SHA512
67248cb4ade36333972eb907e2c04998d010903dca8ad8afa8b1bc99ecde43c789609467bd5433c5bf6c0062b970cb4b12ca3ea25dcb31c65e5c7905a2780e3d

Download Submit
memory/788-69-0x0000000000000000-mapping.dmp

Download
memory/788-71-0x0000000001C10000-0x0000000001C6B000-memory.dmp

Filesize
364KB

Download
memory/1100-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1100-59-0x00000000726F1000-0x00000000726F4000-memory.dmp

Filesize
12KB

Download
memory/1100-60-0x0000000070171000-0x0000000070173000-memory.dmp

Filesize
8KB

Download
memory/1408-63-0x0000000000000000-mapping.dmp

Download
memory/1408-64-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1952-65-0x0000000000000000-mapping.dmp

Download
memory/1952-66-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads