2020-11-24 (Tuesday) - TA551 (Shathak) Word docs with English template push IcedID

1. 2020-11-24 (TUESDAY) - TA551 (SHATHAK) WORD DOCS WITH ENGLISH LANGUAGE TEMPLATE PUSH ICEDID:
2.  
3. CHAIN OF EVENTS:
4.  
5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID DLL
6.  
7. 4 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
8.  
9. - 37db367c01e40ee2f05a5966d6670e07fd3292c01f4da8ffd77c0e3c96a79464 deed contract.11.20.doc
10. - 81a9a90300cb711fe2ee8ef3cd168f41a4dcb9947a36d7bcda30867360d99ea4 details-11.20.doc
11. - 3175b6ee197e76e17fe22e8176f66ecfcd2f4de7320fe51430680bfd646bab9c enjoin_11.24.2020.doc
12. - 4de0cdd480990aad05acf6c178e4711cd05bf0bc83b4c65fe0e0c0003832f5d6 material.11.20.doc
13.  
14. AT LEAST 2 DOMAINS HOSTING THE INSTALLER DLL:
15.  
16. - fu-vapor8895[.]com - 188.120.255[.]68
17. - l-laptop6658.com - 45.12.4[.]233
18.  
19. EXAMPLES OF URLS FOR INSTALLER DLL:
20.  
21. - GET /share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
22. - GET /share/kvNqzh1tF4Y8zyxtL/HQpK6K42Wr8SP9PLJSqxc5h/ROwPcKsG/dbULREqlb1Kj0_RRT/Dfnj/lxnt10
23. - GET /share/ftmGhE2v0ebFH4Ov6R3xRPcAwdPuJrrdgxEsNuRFL4MorzVrs6dRDXqY/lxnt11
24. - GET /share/bFcvKlFJrlxvKewsj5d4pQxQlUhXmWO0qOzilaW5CrJ4C0N/UdTfvkJ1QNftf2_PVj_wV98/lxnt11
25.  
26. 4 EXAMPLES OF INSTALLER DLLS:
27.  
28. - 1b145cd12882ab58ddb7bdb833e11f9e11b3eb9ce721d75cc6197f87ba4fd341
29. - 8d142bd62fdc3de06cda080afcac67b600fa29ef527a11640c928199a8610f3e
30. - cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
31. - d47cf4ec1a51c17befc01722d5ff603cfbd338ccff442669e765bf8dc20c6b54
32.  
33. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
34.  
35. - C:\Users\[username]\AppData\Local\Temp\CMLWU.pdf
36. - C:\Users\[username]\AppData\Local\Temp\FpVjp.pdf
37. - C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
38. - C:\Users\[username]\AppData\Local\Temp\mGhdt.pdf
39.  
40. DLL RUN METHOD:
41.  
42. - rundll32.exe [filename],ShowDialogA -r
43.  
44. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
45.  
46. - port 443 - facebook.com
47. - port 443 - www.facebook.com
48. - port 443 - instagram.com
49. - port 443 - www.instagram.com
50. - port 443 - www.tumblr.com
51. - port 443 - twitter.com
52.  
53. AT LEAST 2 DIFFERENT DOMAINS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
54.  
55. - 143.110.185[.]84 port 443 - futuduramatios[.]best
56. - 143.110.185[.]84 port 443 - suitecasecourt[.]cyou
57.  
58. 3 EXAMPLES OF SHA256 HASHES FOR ICEDID DLL CREATED BY INSTALLER:
59.  
60. - 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a (initial both runs)
61. - f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b (persistent 1st run)
62. - 1a4f63c7c5b4e3e26cce157c4e0d6ed8c1fef956c4033b96df9159d27169445d (persistent 2nd run)
63.  
64. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
65.  
66. - 68.183.54[.]143 port 443 - afromadness[.]club
67. - 68.183.54[.]143 port 443 - 9seeallcars[.]best
68. - 167.71.224[.]39 port 443 - pareomedeo[.]club
69. - 167.71.224[.]39 port 443 - servepeolor[.]top
70. - 167.71.224[.]39 port 443 - wasserwoman[.]top
71. - 68.183.54[.]143 port 443 - initiativeuntimed[.]cyou
72.  
73. DNS QUERIES FOR ADDITIONAL DOMAINS CAUSED BY ICEDID DURING THE SECOND RUN:
74.  
75. - astroglippers[.]club - No such name
76. - muslerafootball[.]best - No such name
77. - regardlessnotice[.]top - No such name
78.  
79. MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST FROM THE FIRST RUN:
80.  
81. - SHA256 hash: cdce92800d0038fb078462a722230636754ffca7bf31b85ce7b494ed33d2eee3
82. - File size: 228,864 bytes
83. - File location: hxxp://fu-vapor8895[.]com/share/92Lm_79ASH7srFlVPcgJDwPjNam8WuGkr0Ta/lxnt10
84. - File location: C:\Users\[username]\AppData\Local\Temp\Fxrri.pdf
85. - File description: Installer DLL retrieved by Word macro
86.  
87. - SHA256 hash: d4df9780c1d93538eb34c9db64aa87dd5a5ee718b3392dbe7f6719de053ef3ca
88. - File size: 112,511 bytes
89. - File location: C:\Users\[username]\AppData\Local\Temp\00070a5e.png
90. - File type: PNG image data, 482 x 561, 8-bit/color RGB, non-interlaced
91. - File description: PNG file with encoded data used to create initial IcedID DLL
92.  
93. - SHA256 hash: 6610a12184a15e0fe2f3c8d2f730aa7a4497386a10487138cfe1e019ec3f1f2a
94. - File size: 108,032 bytes
95. - File location: C:\Users\[username]\AppData\Local\Accesshover.dat
96. - File description: Initial IcedID DLL created from the above PNG file
97.  
98. - SHA256 hash: cc1030c4c7486f5295444acb205fa9c9947ad41427b6b181d74e7e5fe4e6f8a9
99. - File size: 677,968 bytes
100. - File location: C:\Users\[username]\AppData\Roaming\yaaksaac3\[username]\iyxoac.png
101. - File type: PNG image data, 789 x 431, 8-bit/color RGB, non-interlaced
102. - File description: Another encoded PNG file created after above DLL is run
103.  
104. - SHA256 hash: f25862e2ae2bc1af4a3117c22317abac677b278645135013cdd43e47868d536b
105. - File size: 108,032 bytes
106. - File location: C:\Users\[username]\AppData\Local\{261F864B-8892-4100-2EDE-BDC115A72551}\nivude1.dll
107. - File description: IcedID DLL persistent on the infected Windows host