2020-09-17 (Thursday) TA551 (Shathak) Word docs pushing IcedID

1. 2020-09-17 (THURSDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
2.  
3. CHAIN OF EVENTS:
4.  
5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
6.  
7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
8.  
9. - 2c9638c033bce20c40f600de6d7c2462dd1cde8964416609bcb5b737846f9e27 adjure.09.17.2020.doc
10. - 454b4158285e38304a09aa563ae64d63a555fa288bcca9abbb33a8da4b62e67a adjure_09.20.doc
11. - b338bf704cbdcf2cd949974e5c1b76e16df69c975c9736571a6f30753a6f02d2 bid 09.17.2020.doc
12. - 51798d1dc563782372d76ea34750802554f0eb3f519f321926ee73566e39dca1 command 09.20.doc
13. - 503bd08da5457f6b520479ec0611b93ae9064ef69a9b160ae94f9c46fd42dbb1 details 09.17.2020.doc
14. - 8dd8c88ad6966fa3a72904c7df0ff42867c06fd07670947b92a9908b6c53219b docs.09.20.doc
15. - c46868add39e4ebca74f73c8d3d54abe4cdb11cacac92065227bf82fdaff190e enjoin 09.17.2020.doc
16. - 044b69875fa520c2c005c4a80131116cc0eb46395717d4b997a363a5809d41fe figures 09.17.2020.doc
17. - 3a09f9c3af7ead734054a93ee27139efa6fa6bb2e92ad9e08e08266024159cec files 09.17.2020.doc
18. - 3f3ee7b06c0e20bda4e2654ccdd3288e7f2669d675eb7d316c0880704986c28b files 09.20.doc
19. - 6d66748213eccb7dad819da9dd2e88ceb2c426ed668805bde513f5e1a9d5f71e instrument indenture,09.20.doc
20. - 77b1a1bde83e2f3a6b282529074e22669c967b34a08ac09d43d78ed70234ef5c intelligence-09.17.20.doc
21. - 46edf64e6a58d67ecdc25e2084e0aa320583367f543439f2f3620c0e5566c536 legal agreement_09.17.2020.doc
22. - 467b9d3e4c3e1b25cd6e6de004331511197cfecd16aad46f3252b10f554571dc legal agreement_09.20.doc
23. - b8b928c892d2023679fae63870ff4a18e9158ab1c7def1a4070c833b0edc9aa5 legislate,09.17.2020.doc
24. - ff40d50e1e5ede99e3193d26253816be4d4e3931f8ae429a0628265c7d5233ec ordain.09.20.doc
25. - c2b2c36520c9516d6a780deeee5e4559e698dff96674b8c240f22024d7a5872c report 09.20.doc
26. - 22aa60b43cf539d0bbd584d2db4fca99ed9f87b76dd9704085557b0cfea16a47 report.09.17.2020.doc
27. - 0d952dd0a8c3cf20d96269842e82fe263f40074c936df5b8380ef94d2904aa86 report.09.20.doc
28. - b174ad2027ba5b61237d4e1b7bc2f7320b610fe0835be34f4a961016a687a831 specifics_09.20.doc
29.  
30. AT LEAST 8 DOMAINS HOSTING THE ICEDID DLL:
31.  
32. - c6ut9we[.]com - 87.251.64[.]4
33. - g94ju4[.]com - 89.235.184[.]190
34. - gjb3sd1[.]com - 185.118.165[.]230
35. - m6vtrk[.]com - 77.222.52[.]177
36. - p3gcak[.]com - 185.117.73[.]59
37. - pvi24bu[.]com - 185.219.41[.]156
38. - ue4j6g[.]com - 194.40.243[.]128
39. - xgsxdae[.]com - 62.109.2[.]150
40.  
41. URLS FOR ICEDID DLL:
42.  
43. - GET /myzyn/mevap.php?l=fuzo1.cab
44. - GET /myzyn/mevap.php?l=fuzo2.cab
45. - GET /myzyn/mevap.php?l=fuzo3.cab
46. - GET /myzyn/mevap.php?l=fuzo4.cab
47. - GET /myzyn/mevap.php?l=fuzo5.cab
48. - GET /myzyn/mevap.php?l=fuzo6.cab
49. - GET /myzyn/mevap.php?l=fuzo7.cab
50. - GET /myzyn/mevap.php?l=fuzo8.cab
51. - GET /myzyn/mevap.php?l=fuzo9.cab
52. - GET /myzyn/mevap.php?l=fuzo10.cab
53. - GET /myzyn/mevap.php?l=fuzo11.cab
54. - GET /myzyn/mevap.php?l=fuzo12.cab
55.  
56. 14 EXAMPLES OF ICEDID INSTALLER DLLS:
57.  
58. - 23be804db20cb450cf53fc82143ac34b9e741035c511af3e5c9880e7b3a70b3a
59. - 3626c5c04745f7318a313d26345c7c16450ff57b1a22fba0e57f8e03de0b8946
60. - 4df39fd80257e14192e2d2edc4500883edd7921e0be92d664ec4b995d8f82f24
61. - 530001e38045813d7276694c428b64b4dc5a15b77f2b3cc757f64b8d34bcf815
62. - 55bc7ae7ab1017eb75387291424a67b9655d52e9357005caacbbb997dada592c
63. - 6571b88739b154807adbbe7b8d3ff75543887405f066489fb773a2186b862132
64. - 74c2d430eb964fbf5b3a1e37bb6f8770e571ef8998f71d945a479bba4a42d2cc
65. - 9c2b9591aa625e3dd4d8eae345b24e331bf731c9d5fa6455ac8e79bd6ec5d0d0
66. - 9f8ff8da154960d17a3225675a85372e7a70aca93df8bdfb887eb22c16b4dfe3
67. - a95efda438fdee4b4866287c2cfe9d89772a46c5d9d22377c8c63e43b2c93295
68. - ab08d113bb0f4fb6aa96997d03853aac162f93d8e6926de224186ab35255f310
69. - b5399025d73dfb850df68017dfa81ce5f83bd9eeb7db056fffeca55ad3bcea65
70. - c91847b9b00dddebd4f694412f2cc4c7346c15aa3cda2da856d9b0860a17ec50
71. - d67e1fd5d40e841c1aedbbf65d5f72a69da5ac54e48ae92da1f428c9f18d8363
72.  
73. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
74.  
75. - C:\Users\[username]\Documents\b163d.pdf
76. - C:\Users\[username]\Documents\ea799.pdf
77. - C:\Users\[username]\Documents\f34b1.pdf
78. - C:\[same directory as the Word doc]\a8635.pdf
79. - C:\[same directory as the Word doc]\b163d.pdf
80. - C:\[same directory as the Word doc]\d9a97.pdf
81. - C:\[same directory as the Word doc]\dd009.pdf
82. - C:\[same directory as the Word doc]\e6503.pdf
83. - C:\[same directory as the Word doc]\ea799.pdf
84. - C:\[same directory as the Word doc]\edcf3.pdf
85.  
86. DLL RUN METHOD:
87.  
88. - regsvr32.exe [filename]
89.  
90. AT LEAST 2 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
91.  
92. - 142.93.218[.]110 - port 443 - ldrmercury[.]casa - GET /background.png
93. - 134.122.55[.]164 port 443 - ldrstar[.]casa - GET /background.png
94.  
95. 1 EXAMPLE OF SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER:
96.  
97. - eb413325acbb2ea289969e834c5237fc6376073f24674b7760d45b94dfaf8755
98.  
99. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID EXE FILE:
100.  
101. - 79.141.171[.]183 port 443 - gaagachelo[.]cyou
102. - 79.141.171[.]183 port 443 - odnovoennbundes[.]cyou
103.  
104. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
105.  
106. - port 443 - www.intel.com
107. - port 443 - support.oracle.com
108. - port 443 - www.oracle.com
109. - port 443 - support.apple.com
110. - port 443 - support.microsoft.com
111. - port 443 - help.twitter.com