Overview

overview

10

Static

static

8

document-037.rtf.docm

windows7-x64

10

document-037.rtf.docm

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2022 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    document-037.rtf.docm

  • Size

    2.1MB

  • MD5

    df15eb810cb2982cf23fd8e74a545a34

  • SHA1

    4390d2a3221a426e9ab3c1b0842728b9a3ff0a38

  • SHA256

    83d6dbc86af826ea02bbb978510c92ffe95bb276ef59a76dc891b68e3fda11c3

  • SHA512

    60fb96540ea9df2b715fa1ffc5e50cc0bc21670e73db324c945dab49cde23c5c89e045172d9c974fb529e898c0dd8d897145f5e0dcc8fd4d330476657c927fad

  • SSDEEP

    49152:CtGKkgl5R/4NurkXDYqM/JDK6M3fKgDaKT:6GKk0DHkX8hDK9igDh

Score
10/10
icedid3281798692bankerloadertrojan

Malware Config

Extracted

Family

icedid

Campaign

3281798692

C2

kolinandod.com

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-037.rtf.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 c:\ProgramData\xxx.dll,#1
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4028

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\xxx.dll
    Filesize

    703KB

    MD5

    9191c6f8192a98ef3252d0430bcb6185

    SHA1

    6027fc9cee2a9992f2d7426480177a27f517e7ce

    SHA256

    84a706c8ef5875aa37842d475c96f913aa3bd71426d1ecad044f2fe7aa7ebd80

    SHA512

    5a3721acbe9392ef176413ec7b7f2326c690ced0fdc5a0cd28d66b982ca031eff07b09fca44f22d8f4ce810fcdc2ec88a2465823d5aa10b7cb51f40b4f8c1ffc

    Download Submit

  • \??\c:\ProgramData\xxx.dll
    Filesize

    703KB

    MD5

    9191c6f8192a98ef3252d0430bcb6185

    SHA1

    6027fc9cee2a9992f2d7426480177a27f517e7ce

    SHA256

    84a706c8ef5875aa37842d475c96f913aa3bd71426d1ecad044f2fe7aa7ebd80

    SHA512

    5a3721acbe9392ef176413ec7b7f2326c690ced0fdc5a0cd28d66b982ca031eff07b09fca44f22d8f4ce810fcdc2ec88a2465823d5aa10b7cb51f40b4f8c1ffc

    Download Submit

  • memory/4028-144-0x00007FFAE43E0000-0x00007FFAE4494000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4028-145-0x0000000180000000-0x0000000180009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4248-134-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-138-0x00007FFAC0240000-0x00007FFAC0250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-139-0x0000025373859000-0x000002537385B000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4248-137-0x00007FFAC0240000-0x00007FFAC0250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-135-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-133-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-143-0x0000025373859000-0x000002537385B000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4248-132-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-136-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-152-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-154-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-153-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4248-155-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

    Filesize

    64KB

    Download