Behavioral Report

max time kernel150s
max time network154s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted21-05-2022 10:43

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

ord_482.docm

Filesize

266KB

Completed

21-05-2022 10:46

Task

behavioral2

Score

10^/10

MD5

bf61de5c8c5da0b79f0fccca3c4f5e04

SHA1

ce568d2e8d9c1c86a8caf54bbaa85b80984b5cbe

SHA256

eee5599e3d990a109e7346469d8739d184628192831144da80e69244ebdb19d0

SHA512

a55fc8f2bc6cb96c730331a9bd4d5a46a86008f7ed0b09b5c587246a8a370dba01e0227926aa01ab590b3df1fb7662d48c5b2966a651d05a7fe32bc5208379e8

icedid banker loader trojan

Extracted

Family	icedid
C2	3chickens.pw 3chickens.pw

Discovery

IcedID, BokBot

Description

IcedID is a banking trojan capable of stealing credentials.

Tags

trojan banker icedid

IcedID First Stage Loader

Reported IOCs

resource	yara_rule
behavioral2/memory/1184-141-0x00000000005B0000-0x00000000005B6000-memory.dmp	IcedidFirstLoader
behavioral2/memory/1184-144-0x0000000000480000-0x0000000000483000-memory.dmp	IcedidFirstLoader

Executes dropped EXE
Dwpeokfds.exe

Reported IOCs

pid process

1184 Dwpeokfds.exe

pid	process
1184	Dwpeokfds.exe

Checks processor information in registry

WINWORD.EXE

Description

Processor information is often read in order to detect sandboxing environments.

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry

WINWORD.EXE

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener
WINWORD.EXE

Reported IOCs

pid process

5016 WINWORD.EXE
5016 WINWORD.EXE
Suspicious use of FindShellTrayWindow
WINWORD.EXE

Reported IOCs

pid process

5016 WINWORD.EXE
5016 WINWORD.EXE
Suspicious use of SetWindowsHookEx
WINWORD.EXE

Reported IOCs

pid process

5016 WINWORD.EXE
5016 WINWORD.EXE
5016 WINWORD.EXE
5016 WINWORD.EXE
5016 WINWORD.EXE
5016 WINWORD.EXE

pid	process
5016	WINWORD.EXE
5016	WINWORD.EXE

pid	process
5016	WINWORD.EXE
5016	WINWORD.EXE

pid	process
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE

Suspicious use of WriteProcessMemory

WINWORD.EXE

Reported IOCs

description	pid	process	target process
PID 5016 wrote to memory of 3632	5016	WINWORD.EXE	splwow64.exe
PID 5016 wrote to memory of 3632	5016	WINWORD.EXE	splwow64.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ord_482.docm" /o ""

Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:5016

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

PID:3632

\??\c:\filelogger\Dwpeokfds.exe

c:\filelogger\Dwpeokfds.exe

Executes dropped EXE

PID:1184

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\filelogger\Dwpeokfds.exe
MD5
595dbd6bc516042c44c30e809e9fd999

SHA1
cad305ce9097168c021f9098d5ed88c7e5245c32

SHA256
7a6246028972eb47a29923f907152935c24e91a9e3df714b3673beac818bfac9

SHA512
4ed8843919e0ae646e80ce1a6d4adca616e57758f1f30bd3e04261c4d27ea7d9abe7ad5348ad9f2430a56739279dc0ce03bd10d6366119f5f6c88cb600812e1c

Download Submit
\??\c:\filelogger\Dwpeokfds.exe
MD5
595dbd6bc516042c44c30e809e9fd999

SHA1
cad305ce9097168c021f9098d5ed88c7e5245c32

SHA256
7a6246028972eb47a29923f907152935c24e91a9e3df714b3673beac818bfac9

SHA512
4ed8843919e0ae646e80ce1a6d4adca616e57758f1f30bd3e04261c4d27ea7d9abe7ad5348ad9f2430a56739279dc0ce03bd10d6366119f5f6c88cb600812e1c

Download Submit
memory/1184-144-0x0000000000480000-0x0000000000483000-memory.dmp

Download
memory/1184-141-0x00000000005B0000-0x00000000005B6000-memory.dmp

Download
memory/3632-138-0x0000000000000000-mapping.dmp

Download
memory/5016-130-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-136-0x00007FF9897B0000-0x00007FF9897C0000-memory.dmp

Download
memory/5016-137-0x000001FD8EAA0000-0x000001FD8EAA4000-memory.dmp

Download
memory/5016-135-0x00007FF9897B0000-0x00007FF9897C0000-memory.dmp

Download
memory/5016-134-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-133-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-131-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-132-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-146-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-147-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-148-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download
memory/5016-149-0x00007FF98BBD0000-0x00007FF98BBE0000-memory.dmp

Download

Extracted

Filter: none

Description

Tags

Tags

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title