2020-10-07 (Wednesday) - TA551 (shathak) Word docs push IcedID

1. 2020-10-07 (WEDNESDAY) - TA551 (SHATHAK) WORD DOCS WITH MACROS FOR ICEDID:
2.  
3. CHAIN OF EVENTS:
4.  
5. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
6.  
7. 20 EXAMPLES OF TA551 WORD DOCS WITH MACROS FOR ICEDID:
8.  
9. - 0beef303ce25104d0339c45c9639a79759e016bc38f4b7d9bde2217e3ef00cfe certificate 010.20.doc
10. - 1806778270543a608fa6e000a27b7facb3ddbbd4991204cc374d3b8c18fb9947 decree-010.07.20.doc
11. - 14595a04048cdb18e66681333efd287f8464a4a4cfc2ba2bc72fa768e7c6e51c deed contract_010.20.doc
12. - 30c0ba71e4cf1230ededb4fa1ee9d5d8165dae62c5e48bedd3d87716358b354d details.010.20.doc.doc
13. - 28fe243038d1b1630ea282eb67201629bed594f32cb2bdb471577d0b1ae6663f direct_010.20.doc
14. - efe0e55ce9cbffb3304ba29b2ccf904506c7a3c237a8b5327e6c38a9adbf9f01 document_010.20.doc
15. - 964f34b2785d759c77b280381ac5119e7f8f77f2385c7015a1fe499716b15a10 file 010.20.doc
16. - 00bcfe86c9940936cf0e09d0a796d42684ce9b9eb3deebdbc73e1b2a84648f00 input,010.20.doc
17. - 471e585c63ddfe300f7cd4cb857beab0e4ca2502bad0856ecdfe1a54c761ca77 inquiry.010.07.2020.doc
18. - b6e264b6533923e55670e0973dee4e1f8c99b51f7638d6875f056c8c0d39b58a instruct 010.20.doc
19. - d1cda1c16fb3e976e4a08e370762b0de16d16b5a7ad2b9e68484090e7ceb0517 instrument indenture-010.20.doc
20. - b5fe08c2c40034ce38db39477c543b7760f286664e32fb2efd19d3b9810d57c7 legal agreement.010.07.2020.doc
21. - 349b23c2a88d1dae6bfbf78068050f101cbe1006c5b323eeecd3cb55b95c2e8b material-010.20.doc
22. - 20c2cf1cedb3df711cfe74121d7af5297c6d02685d8088fb5a38eca3cf1ed858 official paper 010.20.doc
23. - 2ea61842af777d477c077e7b8880d25e0c8f04f6f86dd8e61ea45a3f4165514a ordain,010.07.2020.doc
24. - 97f30b0a42e8e24c9efc0967691e9219cf3fbcdd6906b48a8c2cc0fcb3580825 ordain,010.20.doc
25. - d4ce72135d503599a18c67154f39edaabc09f23c5215c55a657a56a45cc90b58 order_010.07.20.doc
26. - 8ef00b908e4dbf8a32394782cd639019e5f182cf8a9bffca3abd0b123de1a19d prescribe -010.20.doc
27. - def1892d7cb009bbc024ebef077e03fff3915e285eaef582ab9aaf69caec124a report-010.07.2020.doc
28. - c367a4f55aacfbcad5d8066dd4352e2101f983305fb525d008ff80a4fe2938c8 specifics 010.07.2020.doc
29.  
30. AT LEAST 8 DOMAINS HOSTING THE INSTALLER DLL:
31.  
32. - a7d94ba[.]com - 185.144.31[.]168
33. - chu576f[.]com - 45.10.110[.]4
34. - gb6r8qo[.]com - 37.46.131[.]111
35. - jv9b74[.]com - 193.201.126[.]220
36. - mkba3y[.]com - 83.166.243[.]64
37. - p78m58[.]com - 45.128.206[.]114
38. - ss02vx[.]com - 194.40.243[.]176
39. - tqbx93[.]com - 185.62.103[.]82
40.  
41. URLS FOR ICEDID DLL:
42.  
43. - GET /gyxo/kijad.php?l=wymuq1.cab
44. - GET /gyxo/kijad.php?l=wymuq2.cab
45. - GET /gyxo/kijad.php?l=wymuq3.cab
46. - GET /gyxo/kijad.php?l=wymuq4.cab
47. - GET /gyxo/kijad.php?l=wymuq5.cab
48. - GET /gyxo/kijad.php?l=wymuq6.cab
49. - GET /gyxo/kijad.php?l=wymuq7.cab
50. - GET /gyxo/kijad.php?l=wymuq8.cab
51. - GET /gyxo/kijad.php?l=wymuq9.cab
52. - GET /gyxo/kijad.php?l=wymuq10.cab
53. - GET /gyxo/kijad.php?l=wymuq11.cab
54. - GET /gyxo/kijad.php?l=wymuq12.cab
55.  
56. 12 EXAMPLES OF ICEDID INSTALLER DLL FILES:
57.  
58. - 0c14eb444aa68a0e20b405597c21afa4ca23c42a520dcc7d1b5852ebe28aa5c4
59. - 107be51f21173306fa99e6468bdf5b0d49b58036296c5091e7f3b8a1b5250132
60. - 18b4246ff80eaf7c4a30d86794a2ab83bf26662958b0e44931d9a7f58935952a
61. - 1cce529e81c7bcad2feeed7b7368092f9545339b368c26156a248b467e0f9397
62. - 283e5d0fe79022c059764ae982a27191962d0463b430ed278c0b61fac73bba9f
63. - 3869de46f081e1373e68f81564b9bb4684f56844aa7dc59fa5a8f2d8eddeef9a
64. - 3fd4fb0b21f1d754bd0a1457c76d194a5723e21900bfe6aef75c376079391e98
65. - 9ed92ebc8b6cf8b5716f821db89d62312b5d46cc3845c79d4dae99b7033ea8d8
66. - a6c0a6948ceaa9c40dbfd0fd9d9181dbee8586023f3679a51c6f112e490b9fbb
67. - b2485de94c51ff3823b459f8918829182ec1102ab0b043a9d1f9eb6f3404f016
68. - c52a0fd0e57e4770d98bf759019884669f61de0f1d22969f86c6b10ab181c3db
69. - e0b1c175506c8e56eb9c90c7b96d736e4a60617371f2e41ed5a62e7bc217eca6
70.  
71. EXAMPLES OF LOCATION FOR THE INSTALLER DLL FILES:
72.  
73. - C:\ProgramData\hLGNm.pdf
74. - C:\ProgramData\iccPw.pdf
75. - C:\ProgramData\LZUmi.pdf
76. - C:\ProgramData\MoYLB.pdf
77. - C:\ProgramData\nvZDu.pdf
78. - C:\ProgramData\pVBVW.pdf
79. - C:\ProgramData\QtSIU.pdf
80. - C:\ProgramData\txBVS.pdf
81. - C:\ProgramData\wWCTG.pdf
82. - C:\ProgramData\YAeeh.pdf
83. - C:\ProgramData\ZmAqT.pdf
84.  
85. DLL RUN METHOD:
86.  
87. - regsvr32.exe [filename]
88.  
89. AT LEAST 3 DIFFERENT URLS FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLL FILES TODAY:
90.  
91. - 161.35.111[.]71 port 443 - loadpascal[.]asia - GET /background.png
92. - 161.35.111[.]71 port 443 - loadbmw[.]click - GET /background.png
93. - 161.35.111[.]71 port 443 - loadmercedes[.]beer - GET /background.png
94.  
95. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID EXE CREATED BY ICEDID INSTALLER:
96.  
97. - 10f061a6e7886335543a5be5d1bea1b262c48c4ef45b8404cfb6d1b0cd4568aa (initial)
98. - f13f7953e8d1eab4f78b54e8d833108b7b847339f176f1b4d754e9fd4e8282b5 (persistent)
99.  
100. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID EXE FILES:
101.  
102. - 178.62.243[.]45 port 443 - sepneretyiu[.]cyou
103. - 178.62.243[.]45 port 443 - donmekrym[.]top
104. - 178.62.243[.]45 port 443 - holubicoklire[.]top
105. - 178.62.243[.]45 port 443 - grablihuiz[.]cyou
106. - 178.62.243[.]45 port 443 - obnulenush[.]cyou
107.  
108. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLLS:
109.  
110. - port 443 - support.apple.com
111. - port 443 - help.twitter.com
112. - port 443 - support.microsoft.com
113. - port 443 - support.oracle.com
114. - port 443 - www.oracle.com
115. - port 443 - www.intel.com