Analysis
- max time kernel: 138s
- max time network: 152s
- platform: windows10_x64
- resource: win10
- submitted: 20-10-2020 17:15
Static task: static1
Behavioral task: behavioral1
- Sample: prescribe -010.20.2020.doc
- Resource: win7
Behavioral task: behavioral2
- Sample: prescribe -010.20.2020.doc
- Resource: win10
General
- Target: prescribe -010.20.2020.doc
- Size: 102KB
- MD5: 21d971c4dae25216e0caf51431072a7a
- SHA1: e46920935500cdfc1d64597806a0cd9485a8435a
- SHA256: f5c3bc03dc3e7149e72828e94fbf85d530da390af10bbd73a76ca1e8c9af3c9c
- SHA512: 367645cf23115f631b97585c6583fa185b39d3c6a773ce2a68cc5599a2d8db31c09e5b393161f38573c1d01e6e84203750aa406b536536fed81b9cd98861cb38
Malware Config
- Extracted family: icedid
- 1949629567
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1928 | 3932 | regsvr32.exe | WINWORD.EXE
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  2068 | regsvr32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes (description | flow | ioc):
  HTTP User-Agent header | 12 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
  3932 | WINWORD.EXE (2 occurrences)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  2068 | regsvr32.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes (pid | process):
  3932 | WINWORD.EXE (18 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process):
  PID 3932 wrote to memory of 1928 | 3932 | WINWORD.EXE | regsvr32.exe (2 occurrences)
  PID 1928 wrote to memory of 2068 | 1928 | regsvr32.exe | regsvr32.exe (3 occurrences)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1, PID 3932)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\prescribe -010.20.2020.doc" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\regsvr32.exe (depth 2, PID 1928, child of WINWORD.EXE)
    Command line: regsvr32 c:\users\public\AyXhs.txt
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (depth 3, PID 2068, child of the regsvr32.exe above)
      Command line: c:\users\public\AyXhs.txt
      Signatures:
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \??\c:\users\public\AyXhs.txt (also listed as \Users\Public\AyXhs.txt; identical hashes)
  MD5: 1b0ca6184defbc15627a0233f402f57c
  SHA1: d33d98464d9a1d7f3051d34c2c455890a08e23e8
  SHA256: beff786906f6aed7f4ed19ff0eb000a6522583bf8c9672be6a29bcb3e67ad826
  SHA512: 4cb26b92dc5024a296657cd54965e160e5b7d0dcba8b88b94872be01ae87d612997030069273aad9c91633057544a298e3d08b71c26b88da1e979edadb6c4233
- memory/1928-4-0x0000000000000000-mapping.dmp
- memory/2068-6-0x0000000000000000-mapping.dmp
- memory/3932-0-0x00007FF928580000-0x00007FF928C46000-memory.dmp (Filesize: 6.8MB)
- memory/3932-1-0x0000025583FFF000-0x0000025584027000-memory.dmp (Filesize: 160KB)
- memory/3932-2-0x0000025583FFF000-0x0000025584027000-memory.dmp (Filesize: 160KB)
- memory/3932-3-0x0000025583FFF000-0x0000025584027000-memory.dmp (Filesize: 160KB)