“…%\Roaming\%USERNAME%\ or (in some variants) also copies itself to C:\Users\%USERNAME%\AppData\Roaming\[GUID]\. It then creates a task in the Task Scheduler to run the malware upon user logon or every hour, as shown in figure 11. This ensures IcedID remain…”
T1055.001 Dynamic-link Library Injection (93%)
“…memory API, writes the shellcode to memory using the ZwWriteVirtualMemory API, changes the memory protections using NtProtectVirtualMemory, creates an APC thread routed to the shellcode with the process still in suspended mode, the technique’s last step is to call NtResumeThread a…”
T1566.001 Spearphishing Attachment (78%)
“How the IcedID banking trojan exploits pandemic. The IcedID malware, also known as BokBot, is a banking trojan first discovered in 2017 that steals credentials by tricking browser functions into redirecting traffic. It is a stealthy, fileless malware with anti-sandbox capabiliti…”
T1055.012 Process Hollowing (68%)
“…code to the process’s memory, setting an asynchronous procedure call (APC) thread to transfer control to the shellcode, and lastly calling NtResumeThread to start the injection. The injected process is usually msiexec.exe or svchost.exe, as shown in figure 1. Both are dig…”
T1497.001 System Checks (67%)
“first calculating the timing execution of the CPUID instruction by using the read time-stamp counter (RDTSC) to count the number of CPU cycles since reset. It uses SwitchToThread in this function to measure with RDTSC without the context-switch fluctuations, as shown in figur…”
T1204.002 Malicious File (58%)
“with a poisoned macro that inserts an installer to install the malware, which is designed to steal users’ credentials, payment card data and other sensitive information from major financial institutions and retailers. Stage 2: IcedID is installed and injected the malicious micr…”
T1204.002 Malicious File (46%)
“How the IcedID banking trojan exploits pandemic. The IcedID malware, also known as BokBot, is a banking trojan first discovered in 2017 that steals credentials by tricking browser functions into redirecting traffic. It is a stealthy, fileless malware with anti-sandbox capabiliti…”
T1497.003 Time Based Checks (42%)
“first calculating the timing execution of the CPUID instruction by using the read time-stamp counter (RDTSC) to count the number of CPU cycles since reset. It uses SwitchToThread in this function to measure with RDTSC without the context-switch fluctuations, as shown in figur…”
Summary
TA551 (AKA Shathak) deploys the IcedID banking trojan using COVID-19 in Microsoft Word documents containing a malicious macro that drops an installer.