Overview

overview

10

Static

static

8

SW-1186978918.xlsb

windows7_x64

10

SW-1186978918.xlsb

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-02-2022 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SW-1186978918.xlsb

  • Size

    155KB

  • MD5

    0d17b19ea324d2ae08a0473e98498bfc

  • SHA1

    2f11fa59b4d2c64863881e8084c15c89da09c190

  • SHA256

    1b6fc736726745e4d745f373d11ab661bd27db662a6e833b21678c193c06a88c

  • SHA512

    d58be72762e83d358330cf8bc7801665e37909f5c7f94fbf0eb6133096c831cdf543598f7ea15f98bfd877966967f0939b8a99b555f8591eeae312452f9affe4

Score
10/10
icedid3825802847bankertrojan

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://peragumer.com/vdj39dyg3ref/1.dll
xlm40.dropper

http://peragumer.com/vdj39dyg3ref/2.dll
xlm40.dropper

http://peragumer.com/vdj39dyg3ref/3.dll

Extracted

Family

icedid

Campaign

3825802847

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 6 IoCs
  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SW-1186978918.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Sdusr\xgxa.ocx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\system32\regsvr32.exe
        C:\Sdusr\xgxa.ocx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1244 -s 420
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1676
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Sdusr\xgxc.ocx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\system32\regsvr32.exe
        C:\Sdusr\xgxc.ocx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1656 -s 244
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Sdusr\xgxd.ocx
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\regsvr32.exe
        C:\Sdusr\xgxd.ocx
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 956 -s 244
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1060

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Sdusr\xgxa.ocx
    MD5

    b62b9fd07b07803cc8e44785dc8d5836

    SHA1

    060a7f2c6cc60aa92f9badcb222fd88b9755fb75

    SHA256

    9858bc82710e11d9593a87706c0697bffdc6ad667db1f66c3087f0edccf2ab06

    SHA512

    cbdabe4c576ebcea43aee39c5692990cf423fa849eb2e37db0ed1e7fca1c2943cfff8979f8c9861ce0474157ab26fc6f37b065f6244513786ddda389992157e7

    Download Submit

  • C:\Sdusr\xgxc.ocx
    MD5

    a10ec4e41eeb5e25ad1511388c1eb8f8

    SHA1

    318dbacfcb791aa997ea5ed2110a81731fd43c06

    SHA256

    e1ec1ad646095396256fd932981e3996314597b916d4a27c2fcd81e9ee2a52cf

    SHA512

    5ebeea0a927701f440e8a85bfc9153fb6bade0996c18c051fd8b381d7de02a68950e5fd0572ea149d10e07a7dcdc34fccb44b40cf612856d52e2dd8f78bf044c

    Download Submit

  • C:\Sdusr\xgxd.ocx
    MD5

    eda4e741af2c0316ee18ad2651059d92

    SHA1

    5bd12244ddb2e6fde14bc67a66ef8d287e37a0d1

    SHA256

    50165bf93643c3ee448eb480217442f19567918b7ea98722bb404e7fea558a2b

    SHA512

    6268417a843c9a815fa49c1ed41a8736669f4ad47314a84b67c8eb70843b041b8925b839ec557315f576e603c8bef63664c7ac0d3fc06378a13d7c8f09489d55

    Download Submit

  • \Sdusr\xgxa.ocx
    MD5

    b62b9fd07b07803cc8e44785dc8d5836

    SHA1

    060a7f2c6cc60aa92f9badcb222fd88b9755fb75

    SHA256

    9858bc82710e11d9593a87706c0697bffdc6ad667db1f66c3087f0edccf2ab06

    SHA512

    cbdabe4c576ebcea43aee39c5692990cf423fa849eb2e37db0ed1e7fca1c2943cfff8979f8c9861ce0474157ab26fc6f37b065f6244513786ddda389992157e7

    Download Submit

  • \Sdusr\xgxa.ocx
    MD5

    b62b9fd07b07803cc8e44785dc8d5836

    SHA1

    060a7f2c6cc60aa92f9badcb222fd88b9755fb75

    SHA256

    9858bc82710e11d9593a87706c0697bffdc6ad667db1f66c3087f0edccf2ab06

    SHA512

    cbdabe4c576ebcea43aee39c5692990cf423fa849eb2e37db0ed1e7fca1c2943cfff8979f8c9861ce0474157ab26fc6f37b065f6244513786ddda389992157e7

    Download Submit

  • \Sdusr\xgxc.ocx
    MD5

    a10ec4e41eeb5e25ad1511388c1eb8f8

    SHA1

    318dbacfcb791aa997ea5ed2110a81731fd43c06

    SHA256

    e1ec1ad646095396256fd932981e3996314597b916d4a27c2fcd81e9ee2a52cf

    SHA512

    5ebeea0a927701f440e8a85bfc9153fb6bade0996c18c051fd8b381d7de02a68950e5fd0572ea149d10e07a7dcdc34fccb44b40cf612856d52e2dd8f78bf044c

    Download Submit

  • \Sdusr\xgxc.ocx
    MD5

    a10ec4e41eeb5e25ad1511388c1eb8f8

    SHA1

    318dbacfcb791aa997ea5ed2110a81731fd43c06

    SHA256

    e1ec1ad646095396256fd932981e3996314597b916d4a27c2fcd81e9ee2a52cf

    SHA512

    5ebeea0a927701f440e8a85bfc9153fb6bade0996c18c051fd8b381d7de02a68950e5fd0572ea149d10e07a7dcdc34fccb44b40cf612856d52e2dd8f78bf044c

    Download Submit

  • \Sdusr\xgxd.ocx
    MD5

    eda4e741af2c0316ee18ad2651059d92

    SHA1

    5bd12244ddb2e6fde14bc67a66ef8d287e37a0d1

    SHA256

    50165bf93643c3ee448eb480217442f19567918b7ea98722bb404e7fea558a2b

    SHA512

    6268417a843c9a815fa49c1ed41a8736669f4ad47314a84b67c8eb70843b041b8925b839ec557315f576e603c8bef63664c7ac0d3fc06378a13d7c8f09489d55

    Download Submit

  • \Sdusr\xgxd.ocx
    MD5

    eda4e741af2c0316ee18ad2651059d92

    SHA1

    5bd12244ddb2e6fde14bc67a66ef8d287e37a0d1

    SHA256

    50165bf93643c3ee448eb480217442f19567918b7ea98722bb404e7fea558a2b

    SHA512

    6268417a843c9a815fa49c1ed41a8736669f4ad47314a84b67c8eb70843b041b8925b839ec557315f576e603c8bef63664c7ac0d3fc06378a13d7c8f09489d55

    Download Submit

  • memory/956-77-0x0000000000120000-0x000000000012F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1060-79-0x0000000001C40000-0x0000000001C41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1084-81-0x0000000001B40000-0x0000000001B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1244-67-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1244-74-0x00000000003A0000-0x00000000003AF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1396-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1396-56-0x0000000070F21000-0x0000000070F23000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1396-55-0x000000002F611000-0x000000002F614000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1396-58-0x0000000071F0D000-0x0000000071F18000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1676-76-0x0000000001C20000-0x0000000001C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-59-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

    Filesize

    8KB

    Download