Analysis
max time kernel: 101s
max time network: 140s
platform: windows10_x64
resource: win10v20210410
submitted: 12-05-2021 13:10
Static task: static1
Behavioral task: behavioral1
  Sample: report,05.12.21.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: report,05.12.21.doc
  Resource: win10v20210410
General
Target: report,05.12.21.doc
Size: 46KB
MD5: 5e6f7611a06e85b75cfee330aa78f24d
SHA1: a5185fda51374567ae666cea5ef582befd789572
SHA256: 1deea8182d2de797c52dd703c864f3b6f44a3a8cb0e8af389062884c928c5f29
SHA512: fee01b8a7e674c9d1369f5803cd05985961a07277e5ada40692836ad567ce714788dca1dfca598c348c6d73688e18e488d6b5c6b4fb63cb21bd1fdcb8408f26d
Malware Config
Extracted
icedid
2857955836
tyretclaster.club
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 3672 (rundll32.exe)  pid_target: 2088 (WINWORD.EXE)
Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
  flow 25  pid 3672  rundll32.exe
  flow 28  pid 3672  rundll32.exe
Downloads MZ/PE file
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid 3672  rundll32.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, WINWORD.EXE
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
  description        ioc                                                         process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (3 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
  pid 2204  WINWORD.EXE
  pid 2204  WINWORD.EXE
  pid 2088  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid 3672  rundll32.exe
  pid 3672  rundll32.exe
Suspicious use of SetWindowsHookEx (28 IoCs)
Processes: WINWORD.EXE, WINWORD.EXE
  pid 2204  WINWORD.EXE  (14 entries)
  pid 2088  WINWORD.EXE  (10 entries)
  pid 2204  WINWORD.EXE  (4 entries)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: WINWORD.EXE
  description                          pid   process      target process
  PID 2088 wrote to memory of 3672     2088  WINWORD.EXE  rundll32.exe
  PID 2088 wrote to memory of 3672     2088  WINWORD.EXE  rundll32.exe
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2204)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\report,05.12.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2088)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe (PID 3672, child of PID 2088)
    C:\Windows\System32\rundll32.exe c:\programdata\structPasteTable.jpg,PluginInit
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: a0f3b3d0ffb2e8c7d6a227f209a04dd7
  SHA1: 1f27536c650d4cd5675a55e0503acc590879dbc4
  SHA256: 710e185e0af1c4e63eacd521f7a32bba91f13a031fa2d1ee4a3adf77a8300a2a
  SHA512: fde0f0a08e7eeb8058c845614cd22f89ea922dc9968dd7590c4a92e27260c62e542dc7a2d8373025ff2ce9a589b2c8d287fb6f67089dd0e72aa73f759f334209

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: 3672ab0a3488fefe5c4a0c1cb57fa1d6
  SHA1: d0bee08d5ba9d8eb1d5f1aeb651f82240a5aca43
  SHA256: b155d1e8e3869bb4de4827397ef833315e60f45d6500e6b711ddce163b162505
  SHA512: 46d78482ecd3fb07982ca63a30661c2bebc5b44a2a6d6766dfa4fba5847c3d357459bf03588c3825804752786e677897fc01701258987b4b02f7510f5bca47ed

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
  MD5: 845c54aa54bd3ea864d2505c63186d41
  SHA1: 58bd289a85e08a61680060d8c90a9188075efc42
  SHA256: 3bb154c70660808e9424f31bbab1a154e8b93c72866f7ad6a40afe3f622869f7
  SHA512: 8b9a57e74390e245f637d2f1254b7c4fd942898dcd3f9ddd16789508450665a4248672cb1ee6b44db5306026c01d2803871f6075ca145cc667140cffc9940e12
\??\c:\programdata\structPasteTable.jpg
  MD5: 1b4a806757ea9fef11c4a3ba41df877d
  SHA1: 26a700162f90ede23507822668a309650dac52b4
  SHA256: ad5e1f93e774b7d87fe7b81ed925ee3f12b4ad54d605f756f5be58199d35648b
  SHA512: ab969363022e169af8dc3c0b29eaafec516f6d133e846a9f6bf7699bcdfb60a7f88f6c672826ebe1f90ca2070a1ef40ad8ef055fb296be7c28894e560f502cb6

\ProgramData\structPasteTable.jpg
  MD5: 1b4a806757ea9fef11c4a3ba41df877d
  SHA1: 26a700162f90ede23507822668a309650dac52b4
  SHA256: ad5e1f93e774b7d87fe7b81ed925ee3f12b4ad54d605f756f5be58199d35648b
  SHA512: ab969363022e169af8dc3c0b29eaafec516f6d133e846a9f6bf7699bcdfb60a7f88f6c672826ebe1f90ca2070a1ef40ad8ef055fb296be7c28894e560f502cb6
memory/2204-114-0x00007FF800890000-0x00007FF8008A0000-memory.dmp  Filesize: 64KB
memory/2204-179-0x000001DAAE720000-0x000001DAAE724000-memory.dmp  Filesize: 16KB
memory/2204-123-0x00007FF81A3B0000-0x00007FF81C2A5000-memory.dmp  Filesize: 31.0MB
memory/2204-122-0x00007FF81C2B0000-0x00007FF81D39E000-memory.dmp  Filesize: 16.9MB
memory/2204-118-0x00007FF821CE0000-0x00007FF824803000-memory.dmp  Filesize: 43.1MB
memory/2204-119-0x00007FF800890000-0x00007FF8008A0000-memory.dmp  Filesize: 64KB
memory/2204-117-0x00007FF800890000-0x00007FF8008A0000-memory.dmp  Filesize: 64KB
memory/2204-116-0x00007FF800890000-0x00007FF8008A0000-memory.dmp  Filesize: 64KB
memory/2204-115-0x00007FF800890000-0x00007FF8008A0000-memory.dmp  Filesize: 64KB
memory/3672-181-0x0000000000000000-mapping.dmp
memory/3672-185-0x000002E0042C0000-0x000002E00431B000-memory.dmp  Filesize: 364KB