Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2022 17:52
Behavioral task
behavioral1
Sample
lunawebs doc 09.26.2022.docm
Resource
win7-20220812-en
General
-
Target
lunawebs doc 09.26.2022.docm
-
Size
867KB
-
MD5
fb04ab5da032babddd908e18bff60391
-
SHA1
8d1a1d32c6b49c41ae8ede82ad728ca471f2b1fd
-
SHA256
ec11467a9beb27b6329e84a19e90f4563d9720ed8ec1f3c1ae013783061062fa
-
SHA512
86277b4c345f6d8475c5223ced232588ab045a09059c41267e5238e63a5a8eb3fcd7913562fd7f674c8029e458136f61adcc8c41b394bc64b317d4c6f6449a62
-
SSDEEP
12288:ApVE9j2y+1JbeQbntrws6/GYzw6OFokpXfiiGef/DEWIesySlS3P9:KV2jUeQRI5wPN/Bx
Malware Config
Extracted
icedid
742081363
scainznorka.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3388 3040 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 26 3388 rundll32.exe 51 3388 rundll32.exe 56 3388 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3388 rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 3040 WINWORD.EXE 3040 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 3388 rundll32.exe 3388 rundll32.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 3040 WINWORD.EXE 3040 WINWORD.EXE 3040 WINWORD.EXE 3040 WINWORD.EXE 3040 WINWORD.EXE 3040 WINWORD.EXE 3040 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 3040 wrote to memory of 3388 3040 WINWORD.EXE rundll32.exe PID 3040 wrote to memory of 3388 3040 WINWORD.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\lunawebs doc 09.26.2022.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\ProgramData\6849o005.5i5,PluginInit2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3388
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\6849o005.5i5Filesize
532KB
MD5b286ae4314d748b1924390a89d4b52a4
SHA1573f723cd98588f00b80f55a6cec6360080a4e67
SHA256a78ebb0934a1720eab23c504382d7b9984afe251c645cb3c8872fd43aad63987
SHA51226437b9d9ec2441c709b4342aff82f35eb34170bc2ddd91bbf2cc1e0bba321c7251a6fcb88a448312782d9b67a2d65b775fb1e203fdd4cc4851e1b1052cf3509
-
C:\ProgramData\6849o005.5i5Filesize
532KB
MD5b286ae4314d748b1924390a89d4b52a4
SHA1573f723cd98588f00b80f55a6cec6360080a4e67
SHA256a78ebb0934a1720eab23c504382d7b9984afe251c645cb3c8872fd43aad63987
SHA51226437b9d9ec2441c709b4342aff82f35eb34170bc2ddd91bbf2cc1e0bba321c7251a6fcb88a448312782d9b67a2d65b775fb1e203fdd4cc4851e1b1052cf3509
-
memory/3040-136-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-133-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-132-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-137-0x00007FFA4A2F0000-0x00007FFA4A300000-memory.dmpFilesize
64KB
-
memory/3040-138-0x00007FFA4A2F0000-0x00007FFA4A300000-memory.dmpFilesize
64KB
-
memory/3040-153-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-134-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-135-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-152-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-151-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3040-150-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmpFilesize
64KB
-
memory/3388-148-0x000002A499CD0000-0x000002A499CD6000-memory.dmpFilesize
24KB
-
memory/3388-142-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/3388-139-0x0000000000000000-mapping.dmp