Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
26-09-2022 18:27
General
-
Target
f9938f14df5d7889b1dfd3af2d529ceadf1017aa2f83337dad71ee67379d9a3d.docm
-
Size
867KB
-
MD5
85b189afdff301d576b49983c6114edf
-
SHA1
1c21f0e116869c2e336038141997b65d5c4497db
-
SHA256
f9938f14df5d7889b1dfd3af2d529ceadf1017aa2f83337dad71ee67379d9a3d
-
SHA512
86edc18aa037e62c579b62c69c9245fc9085eee8cbd31e9c40e5bc16902776bd052cf69693724fd7eb5a366117fb7ba6acad5531b2a8b60d6dd247b16df1a8aa
-
SSDEEP
12288:HkVE9j2y+1JbeQbntrws6/GYzw6OFokpXfiiGef/DEEs9KH7oRe1GIaqUR:HkV2jUeQRI5wPN/c9cEk1y
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
742081363
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f9938f14df5d7889b1dfd3af2d529ceadf1017aa2f83337dad71ee67379d9a3d.docm"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\ProgramData\806q2772.75u,PluginInit2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 C:\ProgramData\806q2772.75u,PluginInit3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\806q2772.75uFilesize
532KB
MD5ba402e7c9af8a6ec5d4fe0ab01e1f42a
SHA1bd56f7d5f4be378e060f8c44e9fadd534027a23a
SHA256eb6634eb8949fafe20d9fe2ef144264425871bdb8972183804fafe652725b00a
SHA5129c8109bd8f3129fc160c0d2026520cd69cf5765df14c35bc42cf208bc0628fd50df82471dece593e22d2bd1b47daffbe194651c368bac64fd291755e844c646b
-
\ProgramData\806q2772.75uFilesize
532KB
MD5ba402e7c9af8a6ec5d4fe0ab01e1f42a
SHA1bd56f7d5f4be378e060f8c44e9fadd534027a23a
SHA256eb6634eb8949fafe20d9fe2ef144264425871bdb8972183804fafe652725b00a
SHA5129c8109bd8f3129fc160c0d2026520cd69cf5765df14c35bc42cf208bc0628fd50df82471dece593e22d2bd1b47daffbe194651c368bac64fd291755e844c646b
-
\ProgramData\806q2772.75uFilesize
532KB
MD5ba402e7c9af8a6ec5d4fe0ab01e1f42a
SHA1bd56f7d5f4be378e060f8c44e9fadd534027a23a
SHA256eb6634eb8949fafe20d9fe2ef144264425871bdb8972183804fafe652725b00a
SHA5129c8109bd8f3129fc160c0d2026520cd69cf5765df14c35bc42cf208bc0628fd50df82471dece593e22d2bd1b47daffbe194651c368bac64fd291755e844c646b
-
memory/112-89-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-96-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/112-57-0x0000000074C11000-0x0000000074C13000-memory.dmpFilesize
8KB
-
memory/112-58-0x0000000070B2D000-0x0000000070B38000-memory.dmpFilesize
44KB
-
memory/112-90-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-61-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-60-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-62-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-63-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-64-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-66-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-65-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-68-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-67-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-70-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-69-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-72-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-71-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-74-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-73-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-75-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-76-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-78-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-77-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-79-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-80-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-82-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-81-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-84-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-83-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-86-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-85-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-87-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-88-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-54-0x00000000720C1000-0x00000000720C4000-memory.dmpFilesize
12KB
-
memory/112-59-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-91-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-55-0x000000006FB41000-0x000000006FB43000-memory.dmpFilesize
8KB
-
memory/112-92-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-97-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-93-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-95-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-94-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-100-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-99-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-98-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-101-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-102-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-103-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-105-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-104-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-107-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-106-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-108-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-109-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-111-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-110-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-114-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-113-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-112-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-116-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-115-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-118-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-117-0x00000000006F5000-0x00000000006F9000-memory.dmpFilesize
16KB
-
memory/112-157-0x00000000006F6000-0x00000000006F8000-memory.dmpFilesize
8KB
-
memory/112-228-0x00000000006F6000-0x00000000006F8000-memory.dmpFilesize
8KB
-
memory/112-235-0x0000000070B2D000-0x0000000070B38000-memory.dmpFilesize
44KB
-
memory/112-246-0x0000000070B2D000-0x0000000070B38000-memory.dmpFilesize
44KB
-
memory/468-233-0x0000000000000000-mapping.dmp
-
memory/468-243-0x0000000000200000-0x0000000000206000-memory.dmpFilesize
24KB
-
memory/700-229-0x0000000000000000-mapping.dmp
-
memory/1696-242-0x0000000000000000-mapping.dmp