Analysis
- max time kernel: 97s
- max time network: 95s
- platform: windows7_x64
- resource: win7
- submitted: 20-10-2020 17:29
Static task: static1
Behavioral task: behavioral1
- Sample: dictate.010.20.2020.doc
- Resource: win7
Behavioral task: behavioral2
- Sample: dictate.010.20.2020.doc
- Resource: win10v200722
General
- Target: dictate.010.20.2020.doc
- Size: 144KB
- MD5: 8b6e51316d0f4438405703d6fc80572d
- SHA1: c108cceafff48747c2bccb263e67c4210e03e56b
- SHA256: 0214ea69e74d09448990947bdef6b00f106cf4ff823be33b347b41861bbfed3d
- SHA512: b8db1ea3914fae31c04177486cd895f8d24e5e27f0f8f8f252db4ec42ea4bedaba689965550b41aa90bf512d066183cecad2b46df8f1ce308b59659ae62b3cca
Malware Config
Extracted
icedid
1949629567
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  - Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1564 | 1492 | regsvr32.exe | WINWORD.EXE
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 1628 | regsvr32.exe
- Office loads VBA resources, possible macro or embedded object present
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes (description | flow | ioc):
  - HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
  - 1492 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 1628 | regsvr32.exe (2 identical entries)
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes (pid | process):
  - 1492 | WINWORD.EXE (16 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 1492 wrote to memory of 1564 | 1492 | WINWORD.EXE | regsvr32.exe (5 identical entries)
  - PID 1564 wrote to memory of 1628 | 1564 | regsvr32.exe | regsvr32.exe (7 identical entries)
Processes
1. C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dictate.010.20.2020.doc"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\regsvr32.exe (child of 1)
      Command line: regsvr32 c:\users\public\wskMa.txt
      - Process spawned unexpected child process
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe (child of 2)
         Command line: c:\users\public\wskMa.txt
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
Downloads
- \??\c:\users\public\wskMa.txt
  MD5: 076073f95e2eaa0b69a13ecd4be6df8b
  SHA1: d29481b6043ebca1f23fa9f6e1dec6003774847d
  SHA256: c47b9b248da76c1bb5c99ed8e328aecb89229f286e145488ef93d8ea5966a995
  SHA512: 468f9a039192d637437bd809c24e1cdf62616ff4795246313decb91e177552ae05e4beeb695e518c0926b268f3b8e96caf618a78a514ac4394db24e56bbf7ebb
- \Users\Public\wskMa.txt (same file as the entry above; MD5, SHA1, SHA256 and SHA512 identical)
- memory/1564-3-0x0000000000000000-mapping.dmp
- memory/1628-5-0x0000000000000000-mapping.dmp