Analysis
-
max time kernel
103s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
26-09-2022 17:58
General
-
Target
letsachievehealth.doc.09.26.22.docm
-
Size
867KB
-
MD5
2f6c56f5be2405f2cd528e0629958810
-
SHA1
a11e8627742ea4a5e60d21fa62ab3b442adb51c5
-
SHA256
284250c6ed4cce821821c36bcb7782d27c3a095fd24fb761ad4d86bb454e0af3
-
SHA512
dbcee7fc83801418a79057f1bb14aa9a4744fec43a34b61d2ca5eb548f32a7272d8a44d566f22b7a84b11fa60abf01d1a0831b75f25678c1535faf074106a817
-
SSDEEP
12288:uVE9j2y+1JbeQbntrws6/GYzw6OFokpXfiiGef/DE7+uMesywD/XA67Gr:uV2jUeQRI5wPN/UlQD/w6q
Score
10/10
Malware Config
Extracted
Family
icedid
Campaign
742081363
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\letsachievehealth.doc.09.26.22.docm"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\ProgramData\35263v72.203,PluginInit2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 C:\ProgramData\35263v72.203,PluginInit3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\35263v72.203Filesize
532KB
MD500aceaee5cebbf1ba768a797e51dfe5d
SHA1f540a39476dca6575ed6aaae1caec797162d2543
SHA256ef8807f75f0321a5f9587b33cc6ff7b9f3e426a8d73f062edce9005fb5dedbd6
SHA512000fb348e9f9bf41d0a0bab42554ac00959b651f49f2d129dda64b0b4fe2a9b54afdf7fe1d3fe37e16446cdca21c795a83f45b82dff41ada678d54807b008ed0
-
\ProgramData\35263v72.203Filesize
532KB
MD500aceaee5cebbf1ba768a797e51dfe5d
SHA1f540a39476dca6575ed6aaae1caec797162d2543
SHA256ef8807f75f0321a5f9587b33cc6ff7b9f3e426a8d73f062edce9005fb5dedbd6
SHA512000fb348e9f9bf41d0a0bab42554ac00959b651f49f2d129dda64b0b4fe2a9b54afdf7fe1d3fe37e16446cdca21c795a83f45b82dff41ada678d54807b008ed0
-
\ProgramData\35263v72.203Filesize
532KB
MD500aceaee5cebbf1ba768a797e51dfe5d
SHA1f540a39476dca6575ed6aaae1caec797162d2543
SHA256ef8807f75f0321a5f9587b33cc6ff7b9f3e426a8d73f062edce9005fb5dedbd6
SHA512000fb348e9f9bf41d0a0bab42554ac00959b651f49f2d129dda64b0b4fe2a9b54afdf7fe1d3fe37e16446cdca21c795a83f45b82dff41ada678d54807b008ed0
-
memory/1496-239-0x0000000000000000-mapping.dmp
-
memory/1528-86-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-60-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1528-57-0x0000000075021000-0x0000000075023000-memory.dmpFilesize
8KB
-
memory/1528-58-0x000000007119D000-0x00000000711A8000-memory.dmpFilesize
44KB
-
memory/1528-89-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-59-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-61-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-62-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-64-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-90-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-65-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-66-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-68-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-67-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-69-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-70-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-72-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-71-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-73-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-74-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-76-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-75-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-77-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-78-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-80-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-79-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-81-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-83-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-88-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-85-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-84-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-54-0x0000000072731000-0x0000000072734000-memory.dmpFilesize
12KB
-
memory/1528-87-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-82-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-55-0x00000000701B1000-0x00000000701B3000-memory.dmpFilesize
8KB
-
memory/1528-63-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-91-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-92-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-94-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-93-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-96-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-95-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-98-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-97-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-100-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-99-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-101-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-102-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-103-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-105-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-104-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-106-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-107-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-108-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-110-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-109-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-111-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-112-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-114-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-113-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-116-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-115-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-117-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-118-0x0000000000631000-0x0000000000635000-memory.dmpFilesize
16KB
-
memory/1528-242-0x000000007119D000-0x00000000711A8000-memory.dmpFilesize
44KB
-
memory/1528-244-0x000000007119D000-0x00000000711A8000-memory.dmpFilesize
44KB
-
memory/1712-231-0x0000000000000000-mapping.dmp
-
memory/1712-240-0x0000000000180000-0x0000000000186000-memory.dmpFilesize
24KB
-
memory/1716-227-0x0000000000000000-mapping.dmp