Analysis
- max time kernel: 141s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-05-2021 16:57

Static task: static1

Behavioral task: behavioral1
- Sample: bid-05.07.2021.doc
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: bid-05.07.2021.doc
- Resource: win10v20210410
General
- Target: bid-05.07.2021.doc
- Size: 76KB
- MD5: 5134444ad549123ca5bf7b8b6013d468
- SHA1: 744395937008debd011ad1a5d39c5e847aeffccc
- SHA256: 111d8f3f6ff4310d03e05310dbb82ff6ffca5ffc5dd58e7590e099d367983b56
- SHA512: c3138dc661307ed2d8751b34a4cb59b70ba86c971b83c2d37ef870c9c2342e683c5a364ef41ff5e30e97fd8746f90efb9584b7ceac3cf7f0deb1c77f86fe84ce
Malware Config
Extracted
- family: icedid
- campaign: 1420117246
- C2: zasewartefiko.top
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - rundll32.exe (PID 2424), parent WINWORD.EXE (PID 1804): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Blocklisted process makes network request (2 IoCs)
  Processes:
  - rundll32.exe (PID 2424), network flow 22
  - rundll32.exe (PID 2424), network flow 24
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
  - rundll32.exe (PID 2424)
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (WINWORD.EXE; each of the following IoCs was recorded twice, once per WINWORD.EXE process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (WINWORD.EXE; each of the following IoCs was recorded twice, once per WINWORD.EXE process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- Suspicious behavior: AddClipboardFormatListener (3 IoCs)
  Processes:
  - WINWORD.EXE (PID 2208), 2 IoCs
  - WINWORD.EXE (PID 1804), 1 IoC
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - rundll32.exe (PID 2424), 2 IoCs
- Suspicious use of SetWindowsHookEx (33 IoCs)
  Processes:
  - WINWORD.EXE (PID 2208), 23 IoCs
  - WINWORD.EXE (PID 1804), 10 IoCs
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  - WINWORD.EXE (PID 1804) wrote to memory of rundll32.exe (PID 2424), 2 IoCs
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid-05.07.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe c:\programdata\ExAStruct.jpg,PluginInit
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: cb45d81e33411e27cdbf2fbc0e95a265
  SHA1: 686008b7756c5d36665dca8947a5a317228838fa
  SHA256: f44a5692b42d95493c52e529d0ea1a4904a5ae41b4f46860b38c0b843f499875
  SHA512: cecd8a121a1e84c9608d53e7b9bc644ddc972d8cbd4f56ea28465e0351ccc0e70101bd654d698dfcc766030e9d80c612e6af4fd5e7dc482c84da9ff42dd16da1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 400de724dd6a6bd4041f7e38672d93a2
  SHA1: d684895b18989ab6ef6a799de160d6c75a5ab6c1
  SHA256: a26209646d8cb31e510b32920094e3c9a7fefa14780ade379de86baad744bee6
  SHA512: 756b709030a592ab176dc8b84121d833cea7d7d72c29a460af5f226d1960dcc42df8a2975a45045a79fe7d4f7b825127bc561b9b8f47e1ca1cd5d5d34ec1e690
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FAFE06B2-EA45-4CC6-BDD3-D7E7F59A65D0
  MD5: b0545badff1bc4cff15658c70a17b5d1
  SHA1: 8fae0c8180bdb1065438b03d5dedff956e8eb617
  SHA256: 4104caeb9925673df1ff355f66e474418195b1b5ef408ac4e8dd4a13e9a23097
  SHA512: 4b5339649096e5079531a3820fc3862eb73a9ac924b53a5647f501dee7d24a0381b8b0f7aa989203a1cb3f6cb8e48400a06f8149a888fdabd589ba33a6d89caf
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
  MD5: 584bfbe6751d9082b23928944e91874d
  SHA1: df716ef96c76ce1c4bedd0b3a34bf5716ebba02c
  SHA256: e3bd4d597d18bd34de5c18817aec5dc33200e6dbf6f4f984dbd6b2541d486d52
  SHA512: 59d8ec62a8d36fc96f1dbfc9c38375a306ac163bc88ad5b1babb95561332c2307f7e342d59eef9ecad3d37cfa9de9ff37d0fcd6e53ea6d5b7386e6c95e97af14
- \??\c:\programdata\ExAStruct.jpg (the same file is also recorded as \ProgramData\ExAStruct.jpg with identical hashes)
  MD5: 0453f705e869d24fda797d0de17ac2d7
  SHA1: 97ea49da909e39aea9487de074c814a13370a910
  SHA256: ade6ff862c038cf025c29535d255ebceed80cb9b74e49165f9201672ddafb667
  SHA512: a550b79d429d6efdf93e9513b73d006b6d16018fb1b2868d1ac675463354f82ecdc41e11c810f8a412ffc60e3efc0a0782859a05e2ef83d1dd9d73668378c120
Memory dumps
- memory/2208-119-0x00007FF800890000-0x00007FF8008A0000-memory.dmp, filesize 64KB
- memory/2208-123-0x00007FF81A3B0000-0x00007FF81C2A5000-memory.dmp, filesize 31.0MB
- memory/2208-179-0x000001B813440000-0x000001B813444000-memory.dmp, filesize 16KB
- memory/2208-122-0x00007FF81C2B0000-0x00007FF81D39E000-memory.dmp, filesize 16.9MB
- memory/2208-118-0x00007FF822710000-0x00007FF825233000-memory.dmp, filesize 43.1MB
- memory/2208-114-0x00007FF800890000-0x00007FF8008A0000-memory.dmp, filesize 64KB
- memory/2208-117-0x00007FF800890000-0x00007FF8008A0000-memory.dmp, filesize 64KB
- memory/2208-116-0x00007FF800890000-0x00007FF8008A0000-memory.dmp, filesize 64KB
- memory/2208-115-0x00007FF800890000-0x00007FF8008A0000-memory.dmp, filesize 64KB
- memory/2424-182-0x0000000000000000-mapping.dmp
- memory/2424-185-0x000002E004100000-0x000002E00415B000-memory.dmp, filesize 364KB