Analysis
- max time kernel: 584s
- max time network: 535s
- platform: windows10_x64
- resource: win10-20220223-en
- submitted: 29-03-2022 18:51
Static task: static1
Behavioral task: behavioral1
- Sample: document-05.docm
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: document-05.docm
- Resource: win10-20220223-en
General
- Target: document-05.docm
- Size: 524KB
- MD5: fa54bc46029ffb9c32b1ef2d70f86296
- SHA1: 466635469cb7ab2d4d0359e35110906e726204a8
- SHA256: a26e330a51c92db77f11f8103178544ce0d93d96e4da7c698d898df4a2044ccf
- SHA512: b664a04d7bc6608191652041a275dc44002201046fcecb37b1e53d81df147dd6c7d9939a24e290a505f49b173d9c1df29e19334dbb3672f182f90381b094ecb8
Malware Config
Extracted
- icedid
- 1798566902
- rivertimad.com
Signatures
- IcedID First Stage Loader (1 IoC)
  Processes:
    resource | yara_rule
    behavioral2/memory/3712-279-0x0000000140000000-0x000000014000B000-memory.dmp | IcedidFirstLoader
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    3712 | y177D.tmp.exe
    1568 | y75DC.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes:
    pid | pid_target | process | target process
    1288 | 3712 | WerFault.exe | y177D.tmp.exe
    3844 | 1568 | WerFault.exe | y75DC.tmp.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings | cmd.exe
- Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  Processes:
    pid | process
    3908 | WINWORD.EXE
    3908 | WINWORD.EXE
    4040 | WINWORD.EXE
    4040 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid | process
    3732 | powershell.exe
    3732 | powershell.exe
    3732 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 3732 | powershell.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid | process
    3908 | WINWORD.EXE
    3908 | WINWORD.EXE
    4040 | WINWORD.EXE
    4040 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (30 IoCs)
  Processes:
    pid | process
    3908 | WINWORD.EXE (15 identical entries)
    4040 | WINWORD.EXE (15 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 3908 wrote to memory of 3712 | 3908 | WINWORD.EXE | y177D.tmp.exe
    PID 3908 wrote to memory of 3712 | 3908 | WINWORD.EXE | y177D.tmp.exe
    PID 3732 wrote to memory of 3076 | 3732 | powershell.exe | cmd.exe
    PID 3732 wrote to memory of 3076 | 3732 | powershell.exe | cmd.exe
    PID 3076 wrote to memory of 4040 | 3076 | cmd.exe | WINWORD.EXE
    PID 3076 wrote to memory of 4040 | 3076 | cmd.exe | WINWORD.EXE
    PID 4040 wrote to memory of 1568 | 4040 | WINWORD.EXE | y75DC.tmp.exe
    PID 4040 wrote to memory of 1568 | 4040 | WINWORD.EXE | y75DC.tmp.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-05.docm" /o ""
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
    Signatures:
    - Executes dropped EXE
    - C:\Windows\system32\WerFault.exe (depth 3)
      Command line: C:\Windows\system32\WerFault.exe -u -p 3712 -s 172
      Signatures:
      - Program crash
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures:
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 3)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document-05.docm" /o ""
      Signatures:
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
        Signatures:
        - Executes dropped EXE
        - C:\Windows\system32\WerFault.exe (depth 5)
          Command line: C:\Windows\system32\WerFault.exe -u -p 1568 -s 172
          Signatures:
          - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize: 471B
  MD5: f1f68c8b8f4507b627f680096c95fce7
  SHA1: df85bf837dd4e7251c49e1d7d56ebcbbc3930a1f
  SHA256: 0fb188cc09c9fe20fe6f24b2e536eab9a060bc711bd4ca77728deadadb69a624
  SHA512: 862bc5f3d612fa9874d39ee961bf7cbb7c68a8a23f4dbd1db8e061c8632f9ee763193468c76a10d087a4dccd646a4c5cab88e1cf6bfd56704aafd90745bc5e44
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
  Filesize: 446B
  MD5: b294a4ccdb30bb94ed5b10837e0b63b3
  SHA1: b7771dd1406c5da85ae8137fb9fccf5e14240aff
  SHA256: 5820a9583c5cc834add7beb5286c399b5ec9c4ff908bf395b3f555c6f4f40460
  SHA512: 17d725d98a2cae30eecbe019c6237c495db4a6d62b47509fb8328ab853a4ea1db417a66f578ca68e17c0d8849c2fb69722d06c6c82b45be9da0bb531b045f340
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
  Filesize: 21B
  MD5: f1b59332b953b3c99b3c95a44249c0d2
  SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
  SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
  SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
  Filesize: 417B
  MD5: c56ff60fbd601e84edd5a0ff1010d584
  SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
  SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
  SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
  Filesize: 87B
  MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
  SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
  SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
  SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
  Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
  Filesize: 14B
  MD5: 6ca4960355e4951c72aa5f6364e459d5
  SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
  SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
  SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\53032ABC-5010-4F97-BB2D-FC936397B773
  Filesize: 142KB
  MD5: 15820c463b1c1dfb8d5ffa1b0710ef70
  SHA1: ace33152c61f5c274062e851f615854982db87aa
  SHA256: 12e18a3d3f4486adb6e2e0195ef30a929c336810e6f7fb2f40fea6a8a955a9ca
  SHA512: b1fde2a75b4f1b286fb1c3cb18780babcacb16c81828f8a4b7bc30779b75aadf37550225d70e3f42bfeeabff15b6aaf9df4e1055bcfa409e250c404b79962c85
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
  Filesize: 306KB
  MD5: 299cf5ea41d183f6963a6c552c663fd9
  SHA1: feffbb799532a9ee58e26a2943740ebaef610639
  SHA256: 019bd59bd49dcff430ab72c68525bd43b3c9eb286e20737220b1ac884937c2dd
  SHA512: 1b882bcb4151b5c9cbbfdbd55374b998b41a3e8911b9cb8ad861608d3f7c5956dcfb866858b9b11af84e0698e2b2ba442687ad76a5f435a15d83c190b636f23b
- C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
  Filesize: 76B
  MD5: 0f8eb2423d2bf6cb5b8bdb44cb170ca3
  SHA1: 242755226012b4449a49b45491c0b1538ebf6410
  SHA256: 385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944
  SHA512: a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886
- C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
  Filesize: 24KB
  MD5: b00f3f56c104c94e03cd2ad8452c14e7
  SHA1: 51b78e45015e0d9d62fbdf31b75a22535a107204
  SHA256: ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50
  SHA512: 93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSJA3W85\loader3[1].exe
  Filesize: 104KB
  MD5: bf5309d3536cb55f8a052ad35576866f
  SHA1: db0d76c50077280cc66b6d7c0084472575c235f8
  SHA256: a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841
  SHA512: ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8
- C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
  Filesize: 104KB
  MD5: bf5309d3536cb55f8a052ad35576866f
  SHA1: db0d76c50077280cc66b6d7c0084472575c235f8
  SHA256: a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841
  SHA512: ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8
- C:\Users\Admin\AppData\Local\Temp\y177D.tmp.exe
  Filesize: 104KB
  MD5: bf5309d3536cb55f8a052ad35576866f
  SHA1: db0d76c50077280cc66b6d7c0084472575c235f8
  SHA256: a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841
  SHA512: ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8
- C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
  Filesize: 104KB
  MD5: bf5309d3536cb55f8a052ad35576866f
  SHA1: db0d76c50077280cc66b6d7c0084472575c235f8
  SHA256: a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841
  SHA512: ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8
- C:\Users\Admin\AppData\Local\Temp\y75DC.tmp.exe
  Filesize: 104KB
  MD5: bf5309d3536cb55f8a052ad35576866f
  SHA1: db0d76c50077280cc66b6d7c0084472575c235f8
  SHA256: a1d05aa1324fdc04e7698fbc3a4f212013b2bf7d7531b317d0b76e832d97a841
  SHA512: ff06f9b89ca1e886887e5866f90775c2e56701491215e99d933b786ec75758095c00dba22ec5daba5a7ed1bdb3fab415ddb5922715bd3da32e237dca50ada4c8
- C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: bd788039c10fd3493017c9c7daedcf9c
  SHA1: b1be994f8b60e24566765c4411a5eb2fa70c194c
  SHA256: f12afc5b02007e2a962bd25ca9c79fc44ac0c131bfe15424b09e2ba737a35cc7
  SHA512: 893b7da4291d55e2d73edb0e2990508ac6053e8474acdbaad096a2f2f81647f3f91fb71070b8be8dac4b4f22df85ca92ac1de01d5027986761f26f9c19fe8754
- memory/1568-671-0x0000000000000000-mapping.dmp
- memory/3076-482-0x0000000000000000-mapping.dmp
- memory/3712-279-0x0000000140000000-0x000000014000B000-memory.dmp
  Filesize: 44KB
- memory/3712-276-0x0000000000000000-mapping.dmp
- memory/3732-466-0x0000023FCD3E0000-0x0000023FCD456000-memory.dmp
  Filesize: 472KB
- memory/3732-465-0x0000023FCC593000-0x0000023FCC595000-memory.dmp
  Filesize: 8KB
- memory/3732-464-0x0000023FCC590000-0x0000023FCC592000-memory.dmp
  Filesize: 8KB
- memory/3732-453-0x0000023FB4270000-0x0000023FB42AC000-memory.dmp
  Filesize: 240KB
- memory/3732-434-0x0000023FB3E10000-0x0000023FB3E32000-memory.dmp
  Filesize: 136KB
- memory/3908-270-0x00000130472BC000-0x0000013047335000-memory.dmp
  Filesize: 484KB
- memory/3908-265-0x00000130471C4000-0x00000130471C6000-memory.dmp
  Filesize: 8KB
- memory/3908-426-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-115-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-116-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-425-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-114-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-428-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-271-0x000001304B8F0000-0x000001304B92F000-memory.dmp
  Filesize: 252KB
- memory/3908-117-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/3908-427-0x00007FF82C880000-0x00007FF82C890000-memory.dmp
  Filesize: 64KB
- memory/4040-485-0x0000000000000000-mapping.dmp
- memory/4040-666-0x000001D3D34D0000-0x000001D3D350F000-memory.dmp
  Filesize: 252KB
- memory/4040-665-0x000001D3CEF5F000-0x000001D3CEFD8000-memory.dmp
  Filesize: 484KB