2020-10-16 - TA551 (SHATHAK) WORD DOCS PUSH ICEDID
ASSOCIATED FILES:
- 2020-10-16-TA551-IOCs-for-IcedID.txt.zip 3.6 kB (3,648 bytes)
- 2020-10-16-TA551-Word-docs-20-examples.zip 2.1 MB (2,088,183 bytes)
- 2020-10-16-TA551-Word-doc-pushes-IcedID.pcap.zip 2.4 MB (2,384,796 bytes)
- 2020-10-16-TA551-installer-DLL-for-IcedID-15-examples.zip 1.5 MB (1,515,566 bytes)
- 2020-10-16-malware-and-artifacts-from-an-infection.zip 1.0 MB (1,007,167 bytes)
NOTES:
- All zip archives on this site are password-protected with the standard password. If you don't know it, see the "about" page of this website.
IMAGES
Shown above: Flow chart for today's infection chain.
Shown above: Screenshot from one of the Word documents.
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Location of installer DLLs for today (different names, but the same .txt file extension and same directory).
Shown above: PNG image with encoded data saved with .tmp file extension and used to create IcedID malware DLL.
Shown above: Another PNG image with encoded data created after IcedID DLL from the \AppData\Local\Temp directory was run.
Shown above: IcedID DLL made persistent on an infected Windows host.
Click here to return to the main page.