Analysis
-
max time kernel
101s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
26-09-2022 17:21
General
-
Target
myfairpointinvoice09.26.22.docm
-
Size
866KB
-
MD5
703830ca555b2fa4014f7056708419fc
-
SHA1
1334639b4ac131fe5ea08ff387a363688467b0e4
-
SHA256
35637fabcfe49e7bf98dab87893339ed7da653369921b729ad28ccc8767b7dcc
-
SHA512
6792869fa6e4bac97add13ccd284d66e8f8e486cb6a0db3807725111c3bb33ae6b141a2ce918c634cdacae26f067e341aa97bc8fd6da1f41d3ff595ec3a62b2d
-
SSDEEP
12288:tZzjDVE9j2y+1JbeQbntrws6/GYzw6OFokpXfiiGef/DEZa9AHz5H9f8XAMfB:vDV2jUeQRI5wPN/QT5B8xZ
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
742081363
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\myfairpointinvoice09.26.22.docm"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\ProgramData\1849p005.5i5,PluginInit2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 C:\ProgramData\1849p005.5i5,PluginInit3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\1849p005.5i5Filesize
532KB
MD52cc9ffe6820eaf3e8df04585de5de892
SHA17951a3fd3d2b2ca308cc4f723c5cd3c53e2bb798
SHA2563a1971cd3e0008ea44aed10ce75022879464af0bc52039d649eb2d1e10e4ccf0
SHA512c0f3263c58a35c9f67e038f060dd336908ce0a47ee7b2dfc36494e25b71960f9ba1903b06df86ee21649da8db23840c74b3cebe3185fe2da49530d0d93071bdb
-
\ProgramData\1849p005.5i5Filesize
532KB
MD52cc9ffe6820eaf3e8df04585de5de892
SHA17951a3fd3d2b2ca308cc4f723c5cd3c53e2bb798
SHA2563a1971cd3e0008ea44aed10ce75022879464af0bc52039d649eb2d1e10e4ccf0
SHA512c0f3263c58a35c9f67e038f060dd336908ce0a47ee7b2dfc36494e25b71960f9ba1903b06df86ee21649da8db23840c74b3cebe3185fe2da49530d0d93071bdb
-
\ProgramData\1849p005.5i5Filesize
532KB
MD52cc9ffe6820eaf3e8df04585de5de892
SHA17951a3fd3d2b2ca308cc4f723c5cd3c53e2bb798
SHA2563a1971cd3e0008ea44aed10ce75022879464af0bc52039d649eb2d1e10e4ccf0
SHA512c0f3263c58a35c9f67e038f060dd336908ce0a47ee7b2dfc36494e25b71960f9ba1903b06df86ee21649da8db23840c74b3cebe3185fe2da49530d0d93071bdb
-
memory/596-231-0x0000000000000000-mapping.dmp
-
memory/596-239-0x0000000001AC0000-0x0000000001AC6000-memory.dmpFilesize
24KB
-
memory/1772-227-0x0000000000000000-mapping.dmp
-
memory/1776-240-0x0000000000000000-mapping.dmp
-
memory/1788-89-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-70-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-58-0x000000007149D000-0x00000000714A8000-memory.dmpFilesize
44KB
-
memory/1788-59-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-60-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-61-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-62-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-91-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-64-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-66-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-65-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-67-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-68-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-94-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-69-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-73-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-74-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-93-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-77-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-76-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-78-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-79-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-80-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-81-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-82-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-83-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-84-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-87-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-88-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1788-90-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-92-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-63-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-57-0x00000000761F1000-0x00000000761F3000-memory.dmpFilesize
8KB
-
memory/1788-75-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-95-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-96-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-98-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-97-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-101-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-102-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-104-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-103-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-105-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-106-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-108-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-107-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-109-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-110-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-112-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-111-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-115-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-116-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-118-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-117-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-119-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-120-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-122-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-55-0x00000000704B1000-0x00000000704B3000-memory.dmpFilesize
8KB
-
memory/1788-54-0x0000000072A31000-0x0000000072A34000-memory.dmpFilesize
12KB
-
memory/1788-121-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-123-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-124-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-126-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-125-0x00000000005A2000-0x00000000005A6000-memory.dmpFilesize
16KB
-
memory/1788-242-0x000000007149D000-0x00000000714A8000-memory.dmpFilesize
44KB
-
memory/1788-244-0x000000007149D000-0x00000000714A8000-memory.dmpFilesize
44KB