General

Target: ord_482.docm
Filesize: 266KB
Completed: 21-05-2022 10:46
Task: behavioral2
Score: 10/10
MD5: bf61de5c8c5da0b79f0fccca3c4f5e04
SHA1: ce568d2e8d9c1c86a8caf54bbaa85b80984b5cbe
SHA256: eee5599e3d990a109e7346469d8739d184628192831144da80e69244ebdb19d0
SHA512: a55fc8f2bc6cb96c730331a9bd4d5a46a86008f7ed0b09b5c587246a8a370dba01e0227926aa01ab590b3df1fb7662d48c5b2966a651d05a7fe32bc5208379e8

Malware Config

Extracted
Family: icedid
C2: 3chickens.pw

Signatures 9


Discovery
  • IcedID, BokBot

    Description

    IcedID is a banking trojan capable of stealing credentials.

  • IcedID First Stage Loader

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1184-141-0x00000000005B0000-0x00000000005B6000-memory.dmp | IcedidFirstLoader
    behavioral2/memory/1184-144-0x0000000000480000-0x0000000000483000-memory.dmp | IcedidFirstLoader
  • Executes dropped EXE
    Dwpeokfds.exe

    Reported IOCs

    pid | process
    1184 | Dwpeokfds.exe
  • Checks processor information in registry
    WINWORD.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  • Enumerates system info in registry
    WINWORD.EXE

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    WINWORD.EXE

    Reported IOCs

    pid | process
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
  • Suspicious use of FindShellTrayWindow
    WINWORD.EXE

    Reported IOCs

    pid | process
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
  • Suspicious use of SetWindowsHookEx
    WINWORD.EXE

    Reported IOCs

    pid | process
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
    5016 | WINWORD.EXE
  • Suspicious use of WriteProcessMemory
    WINWORD.EXE

    Reported IOCs

    description | pid | process | target process
    PID 5016 wrote to memory of 3632 | 5016 | WINWORD.EXE | splwow64.exe
    PID 5016 wrote to memory of 3632 | 5016 | WINWORD.EXE | splwow64.exe
Processes 3
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ord_482.docm" /o ""
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      PID:3632
  • \??\c:\filelogger\Dwpeokfds.exe
    c:\filelogger\Dwpeokfds.exe
    Executes dropped EXE
    PID:1184
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\filelogger\Dwpeokfds.exe
    MD5: 595dbd6bc516042c44c30e809e9fd999
    SHA1: cad305ce9097168c021f9098d5ed88c7e5245c32
    SHA256: 7a6246028972eb47a29923f907152935c24e91a9e3df714b3673beac818bfac9
    SHA512: 4ed8843919e0ae646e80ce1a6d4adca616e57758f1f30bd3e04261c4d27ea7d9abe7ad5348ad9f2430a56739279dc0ce03bd10d6366119f5f6c88cb600812e1c
  • \??\c:\filelogger\Dwpeokfds.exe
    MD5: 595dbd6bc516042c44c30e809e9fd999
    SHA1: cad305ce9097168c021f9098d5ed88c7e5245c32
    SHA256: 7a6246028972eb47a29923f907152935c24e91a9e3df714b3673beac818bfac9
    SHA512: 4ed8843919e0ae646e80ce1a6d4adca616e57758f1f30bd3e04261c4d27ea7d9abe7ad5348ad9f2430a56739279dc0ce03bd10d6366119f5f6c88cb600812e1c
  • memory/1184-144-0x0000000000480000-0x0000000000483000-memory.dmp
  • memory/1184-141-0x00000000005B0000-0x00000000005B6000-memory.dmp
  • memory/3632-138-0x0000000000000000-mapping.dmp
  • memory/5016-130-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-136-0x00007FF9897B0000-0x00007FF9897C0000-memory.dmp
  • memory/5016-137-0x000001FD8EAA0000-0x000001FD8EAA4000-memory.dmp
  • memory/5016-135-0x00007FF9897B0000-0x00007FF9897C0000-memory.dmp
  • memory/5016-134-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-133-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-131-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-132-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-146-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-147-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-148-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp
  • memory/5016-149-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp