icedid | aa31b5173d6dea75cd81623d5cdd463db3cfb98c23c72fefe588a7d6ed41dae1

General

Target

figures-12.21.doc
Size

33KB
MD5

7fd923b0c4fb883cddce74ef1ab2233e
SHA1

0c4dcb95f799c8b6fe5c61ad8e5b5d02caab97ec
SHA256

aa31b5173d6dea75cd81623d5cdd463db3cfb98c23c72fefe588a7d6ed41dae1
SHA512

cb065f10a801f64e95f42783439b662758ced10455c0242ae3924a2e012db7d5ca5abe6e5172e46d6faf14a30f0db1c8dc7cd03a896a9dcd28fc4fdb40aac713

Score

10^/10

icedid 1892568649 banker suricata trojan

Malware Config

Extracted

Family

icedid

Campaign

1892568649

C2

normyils.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3608	2728	explorer.exe	WINWORD.EXE

suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

24 1724 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

3740 regsvr32.exe
3808 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
24	1724	mshta.exe

pid	process
3740	regsvr32.exe
3808	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2728 WINWORD.EXE
2728 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3808 regsvr32.exe
3808 regsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	explorer.exe

pid	process
3808	regsvr32.exe
3808	regsvr32.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

WINWORD.EXE

pid	process
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE
2728	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WINWORD.EXEexplorer.exemshta.exeregsvr32.exe

description	pid	process	target process
PID 2728 wrote to memory of 3608	2728	WINWORD.EXE	explorer.exe
PID 2728 wrote to memory of 3608	2728	WINWORD.EXE	explorer.exe
PID 4040 wrote to memory of 1724	4040	explorer.exe	mshta.exe
PID 4040 wrote to memory of 1724	4040	explorer.exe	mshta.exe
PID 4040 wrote to memory of 1724	4040	explorer.exe	mshta.exe
PID 1724 wrote to memory of 3740	1724	mshta.exe	regsvr32.exe
PID 1724 wrote to memory of 3740	1724	mshta.exe	regsvr32.exe
PID 1724 wrote to memory of 3740	1724	mshta.exe	regsvr32.exe
PID 3740 wrote to memory of 3808	3740	regsvr32.exe	regsvr32.exe
PID 3740 wrote to memory of 3808	3740	regsvr32.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\figures-12.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\explorer.exe
explorer loadLoadYou.hta
2⤵
- Process spawned unexpected child process
PID:3608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\loadLoadYou.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\nextNext.jpg
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\system32\regsvr32.exe
c:\users\public\nextNext.jpg
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\loadLoadYou.hta
MD5
6b7f741179d279a13e8ece951badb9e1

SHA1
1b6eba24dea7d29dc049e81c50f92a98a07b5741

SHA256
e7dbc0a4c535be854642fd39706ed01041ca9eee6a57383d7d856b90fe4a4349

SHA512
4d873959cfdef272df273633342d587ecd987c8c8f2d4680416d5ac7593890ffba8a3efc35f53ef493c6673fc06d1fc23698595b29fd55026de3b81a6c4ed5ae

Download Submit
\??\c:\users\public\nextNext.jpg
MD5
691c92ca51c47f3e33d04fc06a6a1553

SHA1
3b3e398e0971f514541cb1f67a0bc1f59e939d62

SHA256
dcb444844f882f8ffe8787e8afdc3bd0a3f43db60152679175522b4b0e900ec9

SHA512
bde6459f1b164b6c4c36ca0b173285a1db0ce1e8367d0681ac3c9ed8a972a8acdbd75dd7edb479b7ecdc8bddde8fb326fe4cf8dcfc7fa722704ffadd5870ea06

Download Submit
\Users\Public\nextNext.jpg
MD5
691c92ca51c47f3e33d04fc06a6a1553

SHA1
3b3e398e0971f514541cb1f67a0bc1f59e939d62

SHA256
dcb444844f882f8ffe8787e8afdc3bd0a3f43db60152679175522b4b0e900ec9

SHA512
bde6459f1b164b6c4c36ca0b173285a1db0ce1e8367d0681ac3c9ed8a972a8acdbd75dd7edb479b7ecdc8bddde8fb326fe4cf8dcfc7fa722704ffadd5870ea06

Download Submit
\Users\Public\nextNext.jpg
MD5
691c92ca51c47f3e33d04fc06a6a1553

SHA1
3b3e398e0971f514541cb1f67a0bc1f59e939d62

SHA256
dcb444844f882f8ffe8787e8afdc3bd0a3f43db60152679175522b4b0e900ec9

SHA512
bde6459f1b164b6c4c36ca0b173285a1db0ce1e8367d0681ac3c9ed8a972a8acdbd75dd7edb479b7ecdc8bddde8fb326fe4cf8dcfc7fa722704ffadd5870ea06

Download Submit
memory/1724-257-0x0000000000000000-mapping.dmp

Download
memory/2728-119-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/2728-120-0x000001D0E7E90000-0x000001D0E7E92000-memory.dmp

Filesize
8KB

Download
memory/2728-122-0x000001D0E7E90000-0x000001D0E7E92000-memory.dmp

Filesize
8KB

Download
memory/2728-121-0x000001D0E7E90000-0x000001D0E7E92000-memory.dmp

Filesize
8KB

Download
memory/2728-115-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/2728-118-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/2728-117-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/2728-116-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp

Filesize
64KB

Download
memory/3608-254-0x0000000000000000-mapping.dmp

Download
memory/3740-288-0x0000000000000000-mapping.dmp

Download
memory/3808-291-0x0000000000000000-mapping.dmp

Download
memory/3808-293-0x0000000002B70000-0x0000000002BD3000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads