Analysis
- max time kernel: 124s
- max time network: 131s
- platform: windows7_x64
- resource: win7
- submitted: 20-10-2020 17:15

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: prescribe -010.20.2020.doc
  Resource: win7
- Behavioral task: behavioral2
  Sample: prescribe -010.20.2020.doc
  Resource: win10
General
- Target: prescribe -010.20.2020.doc
- Size: 102KB
- MD5: 21d971c4dae25216e0caf51431072a7a
- SHA1: e46920935500cdfc1d64597806a0cd9485a8435a
- SHA256: f5c3bc03dc3e7149e72828e94fbf85d530da390af10bbd73a76ca1e8c9af3c9c
- SHA512: 367645cf23115f631b97585c6583fa185b39d3c6a773ce2a68cc5599a2d8db31c09e5b393161f38573c1d01e6e84203750aa406b536536fed81b9cd98861cb38
Malware Config
- Extracted: icedid
- 1949629567
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
    pid: 1912, pid_target: 616, process: regsvr32.exe, target process: WINWORD.EXE
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 1896, process: regsvr32.exe
- Office loads VBA resources, possible macro or embedded object present
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    description: HTTP User-Agent header, flow: 5, ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid: 616, process: WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid: 1896, process: regsvr32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes:
    pid: 616, process: WINWORD.EXE (16 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description: PID 616 wrote to memory of 1912, pid: 616, process: WINWORD.EXE, target process: regsvr32.exe (5 occurrences)
    description: PID 1912 wrote to memory of 1896, pid: 1912, process: regsvr32.exe, target process: regsvr32.exe (7 occurrences)
Processes
- C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\prescribe -010.20.2020.doc"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 c:\users\public\AyXhs.txt
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: c:\users\public\AyXhs.txt
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
Downloads
- \??\c:\users\public\AyXhs.txt
  MD5: 1b0ca6184defbc15627a0233f402f57c
  SHA1: d33d98464d9a1d7f3051d34c2c455890a08e23e8
  SHA256: beff786906f6aed7f4ed19ff0eb000a6522583bf8c9672be6a29bcb3e67ad826
  SHA512: 4cb26b92dc5024a296657cd54965e160e5b7d0dcba8b88b94872be01ae87d612997030069273aad9c91633057544a298e3d08b71c26b88da1e979edadb6c4233
- \Users\Public\AyXhs.txt
  MD5: 1b0ca6184defbc15627a0233f402f57c
  SHA1: d33d98464d9a1d7f3051d34c2c455890a08e23e8
  SHA256: beff786906f6aed7f4ed19ff0eb000a6522583bf8c9672be6a29bcb3e67ad826
  SHA512: 4cb26b92dc5024a296657cd54965e160e5b7d0dcba8b88b94872be01ae87d612997030069273aad9c91633057544a298e3d08b71c26b88da1e979edadb6c4233
- memory/1896-5-0x0000000000000000-mapping.dmp
- memory/1912-3-0x0000000000000000-mapping.dmp