Analysis
max time kernel: 110s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 06-05-2021 13:47

Static task: static1
Behavioral task: behavioral1
  Sample: particulars_05.06.2021.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: particulars_05.06.2021.doc
  Resource: win10v20210408
General
Target: particulars_05.06.2021.doc
Size: 75KB
MD5: f07a8a1226e19b16ca014d0ea924e0a2
SHA1: 3337d7ce751cfa6d30fffc46ffcc00c462af8805
SHA256: 0f5508f1852fb24e927410e7abfc94ba3b029944a4302e06b0f5317f4d9cc7f2
SHA512: ed5d2d32101c060c48141e0cc061eaee26a8e9857b4da9dbb7e0ca7d91baaa59917cf6336d5132cb26b6e71e2a0a0d3967d7c125a8302ca4ee29194c02512fd7
Malware Config
Extracted: icedid
  2941843931
  barcafokliresd.top
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2120 | 2184 | rundll32.exe | WINWORD.EXE

Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
  flow | pid | process
  29 | 2120 | rundll32.exe
  31 | 2120 | rundll32.exe
  41 | 2120 | rundll32.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid | process
  2120 | rundll32.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  (each of the three entries is recorded twice, once for each WINWORD.EXE process)

Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  (each of the three entries is recorded twice, once for each WINWORD.EXE process)

Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
  pid | process
  708 | WINWORD.EXE
  708 | WINWORD.EXE
  2184 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid | process
  2120 | rundll32.exe
  2120 | rundll32.exe

Suspicious use of SetWindowsHookEx (28 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
  pid | process
  708 | WINWORD.EXE (18 entries)
  2184 | WINWORD.EXE (10 entries)

Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  description | pid | process | target process
  PID 2184 wrote to memory of 2120 | 2184 | WINWORD.EXE | rundll32.exe
  PID 2184 wrote to memory of 2120 | 2184 | WINWORD.EXE | rundll32.exe
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 708)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\particulars_05.06.2021.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx

2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2184)
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2.1. C:\Windows\System32\rundll32.exe (PID 2120, spawned by PID 2184)
        Command line: C:\Windows\System32\rundll32.exe c:\programdata\copySwap.jpg,PluginInit
        - Process spawned unexpected child process
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Files written during the run:
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
- \??\c:\programdata\copySwap.jpg
- \ProgramData\copySwap.jpg