icedid | a26e330a51c92db77f11f8103178544ce0d93d96e4da7c698d898df4a2044ccf

Analysis

max time kernel
584s
max time network
535s
platform
windows10_x64
resource
win10-20220223-en
submitted
29-03-2022 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document-05.docm
Size

524KB
MD5

fa54bc46029ffb9c32b1ef2d70f86296
SHA1

466635469cb7ab2d4d0359e35110906e726204a8
SHA256

a26e330a51c92db77f11f8103178544ce0d93d96e4da7c698d898df4a2044ccf
SHA512

b664a04d7bc6608191652041a275dc44002201046fcecb37b1e53d81df147dd6c7d9939a24e290a505f49b173d9c1df29e19334dbb3672f182f90381b094ecb8

Score

10^/10

icedid 1798566902 banker loader trojan

Malware Config

Extracted

Family

icedid

Campaign

1798566902

rivertimad.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

IcedID First Stage Loader 1 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/3712-279-0x0000000140000000-0x000000014000B000-memory.dmp	IcedidFirstLoader

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

y177D.tmp.exey75DC.tmp.exe

pid process

3712 y177D.tmp.exe
1568 y75DC.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1288 3712 WerFault.exe y177D.tmp.exe
3844 1568 WerFault.exe y75DC.tmp.exe

pid	process
3712	y177D.tmp.exe
1568	y75DC.tmp.exe

pid	pid_target	process	target process
1288	3712	WerFault.exe	y177D.tmp.exe
3844	1568	WerFault.exe	y75DC.tmp.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3908 WINWORD.EXE
3908 WINWORD.EXE
4040 WINWORD.EXE
4040 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3732 powershell.exe
3732 powershell.exe
3732 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3732 powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3908 WINWORD.EXE
3908 WINWORD.EXE
4040 WINWORD.EXE
4040 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings	cmd.exe

pid	process
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3732	powershell.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
3908	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXEpowershell.execmd.exeWINWORD.EXE

description	pid	process	target process
PID 3908 wrote to memory of 3712	3908	WINWORD.EXE	y177D.tmp.exe
PID 3908 wrote to memory of 3712	3908	WINWORD.EXE	y177D.tmp.exe
PID 3732 wrote to memory of 3076	3732	powershell.exe	cmd.exe
PID 3732 wrote to memory of 3076	3732	powershell.exe	cmd.exe
PID 3076 wrote to memory of 4040	3076	cmd.exe	WINWORD.EXE
PID 3076 wrote to memory of 4040	3076	cmd.exe	WINWORD.EXE
PID 4040 wrote to memory of 1568	4040	WINWORD.EXE	y75DC.tmp.exe
PID 4040 wrote to memory of 1568	4040	WINWORD.EXE	y75DC.tmp.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-05.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
2⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3712 -s 172
3⤵
- Program crash
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-05.docm" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
4⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1568 -s 172
5⤵
- Program crash
PID:3844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
f1f68c8b8f4507b627f680096c95fce7

SHA1
df85bf837dd4e7251c49e1d7d56ebcbbc3930a1f

SHA256
0fb188cc09c9fe20fe6f24b2e536eab9a060bc711bd4ca77728deadadb69a624

SHA512
862bc5f3d612fa9874d39ee961bf7cbb7c68a8a23f4dbd1db8e061c8632f9ee763193468c76a10d087a4dccd646a4c5cab88e1cf6bfd56704aafd90745bc5e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
b294a4ccdb30bb94ed5b10837e0b63b3

SHA1
b7771dd1406c5da85ae8137fb9fccf5e14240aff

SHA256
5820a9583c5cc834add7beb5286c399b5ec9c4ff908bf395b3f555c6f4f40460

SHA512
17d725d98a2cae30eecbe019c6237c495db4a6d62b47509fb8328ab853a4ea1db417a66f578ca68e17c0d8849c2fb69722d06c6c82b45be9da0bb531b045f340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\53032ABC-5010-4F97-BB2D-FC936397B773
Filesize
142KB

MD5
15820c463b1c1dfb8d5ffa1b0710ef70

SHA1
ace33152c61f5c274062e851f615854982db87aa

SHA256
12e18a3d3f4486adb6e2e0195ef30a929c336810e6f7fb2f40fea6a8a955a9ca

SHA512
b1fde2a75b4f1b286fb1c3cb18780babcacb16c81828f8a4b7bc30779b75aadf37550225d70e3f42bfeeabff15b6aaf9df4e1055bcfa409e250c404b79962c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
306KB

MD5
299cf5ea41d183f6963a6c552c663fd9

SHA1
feffbb799532a9ee58e26a2943740ebaef610639

SHA256
019bd59bd49dcff430ab72c68525bd43b3c9eb286e20737220b1ac884937c2dd

SHA512
1b882bcb4151b5c9cbbfdbd55374b998b41a3e8911b9cb8ad861608d3f7c5956dcfb866858b9b11af84e0698e2b2ba442687ad76a5f435a15d83c190b636f23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSJA3W85\loader3[1].exe
Filesize
104KB

MD5
bf5309d3536cb55f8a052ad35576866f

SHA1
db0d76c50077280cc66b6d7c0084472575c235f8

SHA256
a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841

SHA512
ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
Filesize
104KB

MD5
bf5309d3536cb55f8a052ad35576866f

SHA1
db0d76c50077280cc66b6d7c0084472575c235f8

SHA256
a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841

SHA512
ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
Filesize
104KB

MD5
bf5309d3536cb55f8a052ad35576866f

SHA1
db0d76c50077280cc66b6d7c0084472575c235f8

SHA256
a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841

SHA512
ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
Filesize
104KB

MD5
bf5309d3536cb55f8a052ad35576866f

SHA1
db0d76c50077280cc66b6d7c0084472575c235f8

SHA256
a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841

SHA512
ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
Filesize
104KB

MD5
bf5309d3536cb55f8a052ad35576866f

SHA1
db0d76c50077280cc66b6d7c0084472575c235f8

SHA256
a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841

SHA512
ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
bd788039c10fd3493017c9c7daedcf9c

SHA1
b1be994f8b60e24566765c4411a5eb2fa70c194c

SHA256
f12afc5b02007e2a962bd25ca9c79fc44ac0c131bfe15424b09e2ba737a35cc7

SHA512
893b7da4291d55e2d73edb0e2990508ac6053e8474acdbaad096a2f2f81647f3f91fb71070b8be8dac4b4f22df85ca92ac1de01d5027986761f26f9c19fe8754

Download Submit
memory/1568-671-0x0000000000000000-mapping.dmp

Download
memory/3076-482-0x0000000000000000-mapping.dmp

Download
memory/3712-279-0x0000000140000000-0x000000014000B000-memory.dmp

Filesize
44KB

Download
memory/3712-276-0x0000000000000000-mapping.dmp

Download
memory/3732-466-0x0000023FCD3E0000-0x0000023FCD456000-memory.dmp

Filesize
472KB

Download
memory/3732-465-0x0000023FCC593000-0x0000023FCC595000-memory.dmp

Filesize
8KB

Download
memory/3732-464-0x0000023FCC590000-0x0000023FCC592000-memory.dmp

Filesize
8KB

Download
memory/3732-453-0x0000023FB4270000-0x0000023FB42AC000-memory.dmp

Filesize
240KB

Download
memory/3732-434-0x0000023FB3E10000-0x0000023FB3E32000-memory.dmp

Filesize
136KB

Download
memory/3908-270-0x00000130472BC000-0x0000013047335000-memory.dmp

Filesize
484KB

Download
memory/3908-265-0x00000130471C4000-0x00000130471C6000-memory.dmp

Filesize
8KB

Download
memory/3908-426-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-115-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-116-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-425-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-114-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-428-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-271-0x000001304B8F0000-0x000001304B92F000-memory.dmp

Filesize
252KB

Download
memory/3908-117-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/3908-427-0x00007FF82C880000-0x00007FF82C890000-memory.dmp

Filesize
64KB

Download
memory/4040-485-0x0000000000000000-mapping.dmp

Download
memory/4040-666-0x000001D3D34D0000-0x000001D3D350F000-memory.dmp

Filesize
252KB

Download
memory/4040-665-0x000001D3CEF5F000-0x000001D3CEFD8000-memory.dmp

Filesize
484KB

Download