2020-10-14 (Wednesday) - TA551 (Shathak) Word docs push IcedID

1. 2020-10-14 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
2.  
3. CHAIN OF EVENTS:
4.  
5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
6.  
7. NOTE:
8.  
9. - As part of the infection process, Word macros from today's wave created a copy of MSHTA.EXE saved as C:\Users\Public\in.com to run and HTML file with Javascript saved as C:\Users\Public\in.html.
10.  
11. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
12.  
13. - 9b153e5e5d2b637de5d6370dd3499207e7533e68af8bd77e5db8f9fd5b603e58 adjure 010.14.2020.doc
14. - 1117b86e0ce1848b8955b7179d5e86d9aabb58d790bdc459545df5a1afba4143 adjure,010.20.doc
15. - 7cd0eb70e309d108d305320882f261ab9d6a5af5937bffadade79191d139002b certificate 010.14.2020.doc
16. - 3fd7e776861d6e22673ef53f90ffc8d6f3cd7963f655a0fdcd94b12a8ef00469 command 010.20.doc
17. - 3db1065c09e317c8a2114d87695bceb61157e3ddd7d693d7143daae60e81226f command-010.14.20.doc
18. - 5919ed5ef45599600051473cc342c11d2a9bdfdfeb2504ad89481fa630775b3d commerce -010.20.doc
19. - 6a0f95283a40f325c0c2489f8cb6b1781d2ee553c1d44ed86795d61ea967fb47 commerce _010.20.doc
20. - 213347251fc9f4b6812547ecfef2b3783789067ccffee1521eb88c36003a742e docs 010.20.doc
21. - 7ace9d0f9f906f3b9151077698b386065e4e093418c7ba136c2aa4b91790f2b9 facts 010.20.doc
22. - dcfbb405b77d475ece5c8ff18820293dc8de93eab3e67c481a3a09a6c28e7591 facts,010.20.doc
23. - 2f97c22262ad2ea88a948b08c40662fe86232234b376f29582918044f0050aa7 figures.010.14.2020.doc
24. - c8fcc2de3b0ed395e1455978c61cfe5640fda525569640ab73b0bd97d848bfaf figures_010.14.2020.doc
25. - a04b9bea432dfe50a7526c1cd2392f369dad2801cd6a85d1a757946bccc5f381 input-010.20.doc
26. - 6dc29a394cd2c86368edfa7d7721c5c56cd9deea4bdca045cf0eb76549a1152d instrument indenture.010.14.2020.doc
27. - 555d2f6c1ecbb661b9aab93c79b5f895be592942ecb0a3a20da386c11f23143d legal agreement.010.20.doc
28. - f48c78d02de1ec751ab4eecd01452b9d370b97514ca24384575de3b1d555b168 official paper_010.20.doc
29. - 9b6aeea1915244ff07f391b7c855d96678f0f7ea43a646c84fdea47486dc7fff ordain.010.14.2020.doc
30. - eca134d5ba493b631f1961738e4af190b9ffcb430fde25940e77c2ce91dc6815 question-010.14.2020.doc
31. - bd8138c3d6c0934008e29896c0975f65fdca3d5fae105b9851725a37933176d9 require 010.20.doc
32. - 304c7f8c6863bf44fb5c75f3d909b81937bc29169db3e2890d3535ea8cddd840 statistics_010.14.2020.doc
33.  
34. AT LEAST 8 DOMAINS HOSTING THE INSTALLER DLL:
35.  
36. - c7cyzl[.]com - 149.154.64[.]179
37. - dsv3tk[.]com - 45.8.124[.]36
38. - foud7v4[.]com - 45.12.4[.]207
39. - i5hibsc[.]com - 185.98.87[.]52
40. - tynupd[.]com - 83.166.241[.]191
41. - vx1sz8[.]com - 178.250.156[.]190
42. - wqmxf8k[.]com - 45.8.124[.]36
43. - yg2zdng[.]com - 45.150.64[.]100
44.  
45. URLS FOR ICEDID DLL:
46.  
47. - GET /docat/hyra.php?l=dybe1.cab
48. - GET /docat/hyra.php?l=dybe2.cab
49. - GET /docat/hyra.php?l=dybe3.cab
50. - GET /docat/hyra.php?l=dybe4.cab
51. - GET /docat/hyra.php?l=dybe5.cab
52. - GET /docat/hyra.php?l=dybe6.cab
53. - GET /docat/hyra.php?l=dybe7.cab
54. - GET /docat/hyra.php?l=dybe8.cab
55. - GET /docat/hyra.php?l=dybe9.cab
56. - GET /docat/hyra.php?l=dybe10.cab
57. - GET /docat/hyra.php?l=dybe11.cab
58. - GET /docat/hyra.php?l=dybe12.cab
59. - GET /docat/hyra.php?l=dybe13.cab
60. - GET /docat/hyra.php?l=dybe14.cab
61. - GET /docat/hyra.php?l=dybe15.cab
62. - GET /docat/hyra.php?l=dybe16.cab
63. - GET /docat/hyra.php?l=dybe17.cab
64. - GET /docat/hyra.php?l=dybe18.cab
65.  
66. 8 EXAMPLES OF ICEDID INSTALLER DLLS:
67.  
68. - 835311c50b675c6303b6ec069e6dd090ea490e6ed4a6a6621e856a4bf6f8dcc6
69. - 99933acb9924e02af90c47a256c1aeef47b4b93ad787c0611a1722232ff96fa5
70. - ab037590458a18587639666fe8a6b68e64b2bcae099df9c3b631e3ed4be1ce20
71. - ee9d161ad1be9aeccee4c296424fe65c6cbe29b0cc3b3e3ac1b917a4601e7dd4
72. - bbadde28126494cb587eae843c7febcdbd0b1bd67bba5213ca0d4e6a1d58e0d6
73. - bd0bb23a35eaeb24dd86a89a614ac17f330a164fcb0182c4da0b191b7be3f52d
74. - eefa08d95fe3273638d5597cc1c51781412eaf87fa3e8d2877a56c8f22c7c973
75. - f40669f099d60042e67e676b2a24b17dc33f9aa00222c0dd71a4f8cde63d9732
76.  
77. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
78.  
79. - C:\Users\[username]\AppData\Local\Temp\temp.tmp
80.  
81. DLL RUN METHOD:
82.  
83. - regsvr32.exe [filename]
84.  
85. HTTPS traffic to legitimate domains caused by the installer DLL files:
86.  
87. - port 443 - www.intel.com
88. - port 443 - support.oracle.com
89. - port 443 - www.oracle.com
90. - port 443 - support.apple.com
91. - port 443 - support.microsoft.com
92. - port 443 - help.twitter.com
93.  
94. At least 2 different URLs for HTTPS traffic generated by the installer DLL files:
95.  
96. - 134.209.25[.]122 port 443 - huntysmally[.]top - GET /background.png
97. - 134.209.25[.]122 port 443 - smalleryurta[.]club - GET /background.png
98.  
99. 2 examples of SHA256 hashes of IcedID EXEs created by installer DLLs:
100.  
101. - 78cba4c94ad3bbf06a43904c0281b95178aa56bcc56c14a6af48a7a151e1d360 (initial)
102. - af459cb93ef9b02f0a1bc65a32c13ba9022323874be4fb5f979f1235e9146ee6 (presistent)
103.  
104. HTTPS traffic to malicious domains caused by the above IcedID EXE files (same as samples from yesterday):
105.  
106. - 143.110.176[.]28 - port 443 - minishtab[.]cyou
107. - 143.110.176[.]28 - port 443 - novemberdejudge[.]cyou
108. - 143.110.176[.]28 - port 443 - xoxofuck[.]cyou
109. - 143.110.176[.]28 - port 443 - suddekaster[.]best
110. - 143.110.176[.]28 - port 443 - sryvplanrespublican[.]cyou