Overview

overview

10

Static

static

8

55899fecd5...d1.doc

windows7_x64

10

55899fecd5...d1.doc

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    01-12-2021 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55899fecd54be0645f470734aa8b7a280a82cdd1.doc

  • Size

    33KB

  • MD5

    864702abb4f17ba0e9fcd2601453e899

  • SHA1

    55899fecd54be0645f470734aa8b7a280a82cdd1

  • SHA256

    152fb47b5b828fd1a76f8d5956e91cecab10b21d16cad4a6864f427d373d031d

  • SHA512

    eff513399f913c3f0a3917ab4ea3ed4519c56ec2f858f13ee24296ba4bd99910a18751b3ace1c65abd45a12d5d1acf67495b16e2b105f1b96f750d5499ee3f5e

Score
10/10
icedid1892568649bankersuricatatrojan

Malware Config

Extracted

Family

icedid

Campaign

1892568649

C2

normyils.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata: ET MALWARE Win32/IcedID Request Cookie

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\55899fecd54be0645f470734aa8b7a280a82cdd1.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\SysWOW64\explorer.exe
      explorer youKarolDoor.hta
      2⤵
      • Process spawned unexpected child process
      PID:1340
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1460
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:420
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\youKarolDoor.hta"
        2⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\powPowLike.jpg
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:944
          • C:\Windows\system32\regsvr32.exe
            c:\users\public\powPowLike.jpg
            4⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            PID:1620

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\youKarolDoor.hta
      MD5

      c8800ceaf0f9a44a7f3f4247664bd24e

      SHA1

      a1ba6dab997900e6ea3a8f2516b66b44a381ad6e

      SHA256

      cf15e163cadf6a3fe42e0aa3dacf3f5e3eb59b8307a6c90198a567ff26ab9e76

      SHA512

      1643f5333b37b7ace4132db761f4d5dc4d8391a7c8150946bc9e095c7b4839872a3ac8aedf94eaaf353167e556e0cd86c6c5228eb326a2e8c7df70ab41f705cb

      Download Submit

    • \??\c:\users\public\powPowLike.jpg
      MD5

      cb703758f16f1ce9c2e560011d2570f7

      SHA1

      3c0df444aa8283e8c0c764f23329d10c013929ec

      SHA256

      06bc1d18c61aee2f6e33bde032cf3a94c1e5da000a146bef93892280e2b48c4a

      SHA512

      a26bdfcadf267ca55995017289bdc13269a7fb7e29791ac248b6585cf70e1ebfe27936d0af679f0ef490df77b8d10a1b46931a2f3c08a7633b0e2192ce46cb76

      Download Submit

    • \Users\Public\powPowLike.jpg
      MD5

      cb703758f16f1ce9c2e560011d2570f7

      SHA1

      3c0df444aa8283e8c0c764f23329d10c013929ec

      SHA256

      06bc1d18c61aee2f6e33bde032cf3a94c1e5da000a146bef93892280e2b48c4a

      SHA512

      a26bdfcadf267ca55995017289bdc13269a7fb7e29791ac248b6585cf70e1ebfe27936d0af679f0ef490df77b8d10a1b46931a2f3c08a7633b0e2192ce46cb76

      Download Submit

    • \Users\Public\powPowLike.jpg
      MD5

      cb703758f16f1ce9c2e560011d2570f7

      SHA1

      3c0df444aa8283e8c0c764f23329d10c013929ec

      SHA256

      06bc1d18c61aee2f6e33bde032cf3a94c1e5da000a146bef93892280e2b48c4a

      SHA512

      a26bdfcadf267ca55995017289bdc13269a7fb7e29791ac248b6585cf70e1ebfe27936d0af679f0ef490df77b8d10a1b46931a2f3c08a7633b0e2192ce46cb76

      Download Submit

    • memory/320-56-0x000000006FEA1000-0x000000006FEA3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/320-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/320-58-0x0000000074E51000-0x0000000074E53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/320-55-0x0000000072421000-0x0000000072424000-memory.dmp

      Filesize

      12KB

      Download

    • memory/320-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/420-62-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

      Filesize

      8KB

      Download

    • memory/944-67-0x0000000000000000-mapping.dmp

      Download

    • memory/1340-59-0x0000000000000000-mapping.dmp

      Download

    • memory/1340-61-0x000000006ACD1000-0x000000006ACD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1460-65-0x0000000000000000-mapping.dmp

      Download

    • memory/1620-71-0x0000000000000000-mapping.dmp

      Download

    • memory/1620-74-0x00000000003B0000-0x0000000000413000-memory.dmp

      Filesize

      396KB

      Download

    • memory/1880-64-0x0000000000000000-mapping.dmp

      Download