Analysis
-
max time kernel
103s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
04-05-2021 16:25
Static task
static1
Behavioral task
behavioral1
Sample
direct 05.04.2021.doc
Resource
win7v20210408
Behavioral task
behavioral2
Sample
direct 05.04.2021.doc
Resource
win10v20210410
General
-
Target
direct 05.04.2021.doc
-
Size
75KB
-
MD5
a6851b431abd770ea66948e60b0b5e0d
-
SHA1
2b7f322a28f19a4d3e26b3ab1738f163a9185575
-
SHA256
80f5168c56293392745ef57fc6168cc588a1904a92b173edb3cf920e0d7e727c
-
SHA512
7180e3537a8dce36efd771afa3f1c10a982ab52644fbbd2647afd8ec1e8226f30fad0f8e7766ba041b8476d3ae4e79d340df59d196239918a4b29bbdabdc991f
Malware Config
Extracted
icedid
3042509645
barcafokliresd.top
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3192 1080 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 24 3192 rundll32.exe 26 3192 rundll32.exe -
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3192 rundll32.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3724 WINWORD.EXE 3724 WINWORD.EXE 1080 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 3192 rundll32.exe 3192 rundll32.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 1080 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE 3724 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 1080 wrote to memory of 3192 1080 WINWORD.EXE rundll32.exe PID 1080 wrote to memory of 3192 1080 WINWORD.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct 05.04.2021.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe c:\programdata\clearIndex.jpg,PluginInit2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
ba91a6f9d2d9fb3667180033d3bab028
SHA1facbabf8f1ebc12cd4edb36499d3ad999426c1f7
SHA256104d61c059ebff161fa8f3f637d04015697e3001928e0520e46359434dff8632
SHA512ff3fa0b01b91ba7431c52924d2f8086d079f1c84ddb5c0cf1e2bc382f05ae59b6c3e58240e3312d737511133137e837b39a77def6e1084df1a94167ef3d79a03
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868MD5
bd6050aeaad5a08e5a74d427441fa3df
SHA10705bcab22c42cd6e9f2dbb08750015b236a03dd
SHA256f03bd3b2f187a65fc804b65910f4734cad2926ad43bc946d19b4ffe2eb8143ff
SHA512115fb73b8f9f839a86879c7d5c522d32198a835847ffea89f58f82a71d995b1c51efdef663881a9497ec5cf9c475af703a18cfba9b5c5ca9a2f31620d2ff1bd1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5
f1b59332b953b3c99b3c95a44249c0d2
SHA11b16a2ca32bf8481e18ff8b7365229b598908991
SHA256138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA5123c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.jsonMD5
c56ff60fbd601e84edd5a0ff1010d584
SHA1342abb130dabeacde1d8ced806d67a3aef00a749
SHA256200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonMD5
e4e83f8123e9740b8aa3c3dfa77c1c04
SHA15281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA2566034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.jsonMD5
6ca4960355e4951c72aa5f6364e459d5
SHA12fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA25688301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA5128544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F548F2F5-1212-41CD-ACA3-A2B2C16BBEFFMD5
8fcce6ff2276966d3e640c65df613234
SHA11188957685f9f8a417fea8b617b74a59481d6508
SHA25636f5fcdd5af74e0285e31bcf186b3734f85f3950cd05ad618cdae1fc8c14b19d
SHA51281c139f4d3167bee89a01aa244c00e755148849dbdf917a1db1a257107b0d3eb94f80e07d05ad3bbb9f138fa178f73167d3aa3036764931cb0a51828e350bafd
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
e127c4f0ccdc4bac568dbba932438d5c
SHA1fd5abe5860155f8b77bfce1f59ac7eede61de76a
SHA256b2f467838f5829c7a34cbf6c43857fd1e51c90933541a17f0c9910f18813632f
SHA5125fe8119077ee9feb0394d4f1e6b0ed64a4cb0e44a44492cbb9271b7b8d74ea32a889dd0ce0459a7e006c8b773355f8ea513c8f115005766f1a7f0e40f23fd5e6
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5
0db17535801410f978767f4723650cb2
SHA1d8883926a4dbf2ec1532e495cdcedf6e863dc838
SHA256b76ed3c420617589bda8609b8fffadf9eec3187db2807b686cbaaf45bb80e072
SHA5126348f4ef87fd883775a9e5c8b6a0ccea57b1ed8c28ef080d77c7ef6d6a53f93d2e30a1604b6c1b20146e8b39734536928a4070ef9da9f58a990c561460b129fd
-
\??\c:\programdata\clearIndex.jpgMD5
340553110ac8c4c9d4f31a6b3cbf08be
SHA18c926ed9c94f2e63993870c4a293de053e56f9b8
SHA2567a4f32936b4823b48c9589f45b909d08c1218e06d852970ffdc5239a8715ebe4
SHA5121baec3f5d8bbf46d2ed151b2d91696496c7decee3948e0cafde907ca8ea32f3412490df3479b68a7ff1c371210439bd52655c5309274c434f3a41446b57a7776
-
\ProgramData\clearIndex.jpgMD5
340553110ac8c4c9d4f31a6b3cbf08be
SHA18c926ed9c94f2e63993870c4a293de053e56f9b8
SHA2567a4f32936b4823b48c9589f45b909d08c1218e06d852970ffdc5239a8715ebe4
SHA5121baec3f5d8bbf46d2ed151b2d91696496c7decee3948e0cafde907ca8ea32f3412490df3479b68a7ff1c371210439bd52655c5309274c434f3a41446b57a7776
-
memory/3192-182-0x0000000000000000-mapping.dmp
-
memory/3192-185-0x000001D261D60000-0x000001D261DA6000-memory.dmpFilesize
280KB
-
memory/3724-114-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmpFilesize
64KB
-
memory/3724-180-0x000002657DAC0000-0x000002657DAC4000-memory.dmpFilesize
16KB
-
memory/3724-123-0x00007FFA3D900000-0x00007FFA3F7F5000-memory.dmpFilesize
31.0MB
-
memory/3724-122-0x00007FFA40BD0000-0x00007FFA41CBE000-memory.dmpFilesize
16.9MB
-
memory/3724-118-0x00007FFA46120000-0x00007FFA48C43000-memory.dmpFilesize
43.1MB
-
memory/3724-119-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmpFilesize
64KB
-
memory/3724-117-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmpFilesize
64KB
-
memory/3724-116-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmpFilesize
64KB
-
memory/3724-115-0x00007FFA247C0000-0x00007FFA247D0000-memory.dmpFilesize
64KB