2020-10-16 - TA551 (SHATHAK) WORD DOCS PUSH ICEDID

ASSOCIATED FILES:

NOTES:


IMAGES


Shown above:  Flow chart for today's infection chain.



Shown above:  Screenshot from one of the Word documents.



Shown above:  Traffic from an infection filtered in Wireshark.



Shown above:  Location of today's installer DLLs (different file names, but all saved with a .txt file extension in the same directory).



Shown above:  PNG image containing encoded data, saved with a .tmp file extension and used to create the IcedID malware DLL.



Shown above:  Another PNG image with encoded data, created after the IcedID DLL in the \AppData\Local\Temp directory was run.
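The two artifacts above share one trait worth checking for on a suspect host: the file extension lies about the content. The installer DLL is a PE file saved as .txt, and the encoded-data image is a PNG saved as .tmp. The script below is an added example, not code from the original page or from the author; it walks a directory and flags files whose leading bytes identify a PE ("MZ") or PNG (the 8-byte PNG signature) while the extension claims something inert. The sample files, names and directory are constructed for the demo and are not artifacts from this infection.

```python
import os
import tempfile

# Magic bytes for the two container formats seen in this infection:
# a PE file (the installer DLL saved as .txt) starts with "MZ";
# a PNG (the encoded-data image saved as .tmp) starts with the PNG signature.
MAGIC = {
    b"MZ": "pe",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Extensions under which a PE or PNG payload would be unexpected.
# (.txt and .tmp are from the captions above; the others are assumed additions.)
INERT_EXTENSIONS = {".txt", ".tmp", ".dat", ".log"}


def identify(head: bytes) -> str:
    """Return 'pe', 'png', or 'unknown' based on the file's first bytes."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def find_mismatches(root: str) -> dict:
    """Map file name -> detected type for files whose extension hides a PE or PNG."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in INERT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(8)  # longest signature is 8 bytes
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the sweep
            kind = identify(head)
            if kind != "unknown":
                hits[name] = kind
    return hits


def build_sample_tree() -> str:
    """Create a constructed sample directory (hypothetical names, not real artifacts)."""
    root = tempfile.mkdtemp(prefix="icedid_demo_")
    # Genuine text file: must not be flagged.
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"plain text, nothing to see\n")
    # Stand-in for the installer DLL: MZ header followed by padding (not a real PE).
    with open(os.path.join(root, "abc123.txt"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 62)
    # Stand-in for the encoded-data image: PNG signature followed by padding.
    with open(os.path.join(root, "xyz.tmp"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for name, kind in sorted(find_mismatches(build_sample_tree()).items()):
        print(f"{name}: extension does not match content ({kind})")
```

On a live host you would point `find_mismatches` at the user's \AppData\Local\Temp (or the whole profile) instead of the constructed directory; the check only reads the first eight bytes of each file, so it is cheap enough to run across a full profile.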



Shown above:  IcedID DLL made persistent on an infected Windows host.
