Analysis
-
max time kernel
139s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2022 17:58
Behavioral task
behavioral1
Sample
mohr4document09.26.docm
Resource
win7-20220812-en
General
-
Target
mohr4document09.26.docm
-
Size
866KB
-
MD5
1421cff1d2bed5590ffe5c9073243cfe
-
SHA1
e0bd5496050a0f2e597127163b93c94f9149184a
-
SHA256
4d992810e9a05e27afabf2194cd04612dca0a738dc076778a56459cf97c6b9f1
-
SHA512
27251d0754d08766060a1cb62d67bfe2406ccd326a0da8fadc1d0b5812b2ae3374f0478d8f548a6f8517df2b75ede25a9b5923c64517c69608da2ad5ecdfc504
-
SSDEEP
12288:thL7VE9j2y+1JbeQbntrws6/GYzw6OFokpXfiiGef/DEvtm9d/+CWSzv36htHTZ:7L7V2jUeQRI5wPN/+trWzit
Malware Config
Extracted
icedid
742081363
scainznorka.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 3112 4624 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 39 3112 rundll32.exe 57 3112 rundll32.exe 59 3112 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3112 rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4624 WINWORD.EXE 4624 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 3112 rundll32.exe 3112 rundll32.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE 4624 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 4624 wrote to memory of 3112 4624 WINWORD.EXE rundll32.exe PID 4624 wrote to memory of 3112 4624 WINWORD.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\mohr4document09.26.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\ProgramData\2304d651.314,PluginInit2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3112
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\2304d651.314Filesize
532KB
MD5cd469e3889d1fd119619abf7c5823f58
SHA19fe99ed5f5983e946479201c84167d96298e817a
SHA2568cb728e51190437fff358acbb28945c43032d97f33fc76141f50ab99684b38c8
SHA5126700b3a4c35cfe410d443525ac9ec3d57c6d3ba5c24aea461b175d5056952fab0dd4bddd5031ccf537b92c387a9d8df9884359bad3c0c5197ac67bfcf0f9c646
-
C:\ProgramData\2304d651.314Filesize
532KB
MD5cd469e3889d1fd119619abf7c5823f58
SHA19fe99ed5f5983e946479201c84167d96298e817a
SHA2568cb728e51190437fff358acbb28945c43032d97f33fc76141f50ab99684b38c8
SHA5126700b3a4c35cfe410d443525ac9ec3d57c6d3ba5c24aea461b175d5056952fab0dd4bddd5031ccf537b92c387a9d8df9884359bad3c0c5197ac67bfcf0f9c646
-
memory/3112-139-0x0000000000000000-mapping.dmp
-
memory/3112-148-0x000001762B5B0000-0x000001762B5B6000-memory.dmpFilesize
24KB
-
memory/3112-142-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/4624-136-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-138-0x00007FFB30520000-0x00007FFB30530000-memory.dmpFilesize
64KB
-
memory/4624-137-0x00007FFB30520000-0x00007FFB30530000-memory.dmpFilesize
64KB
-
memory/4624-132-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-135-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-134-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-133-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-151-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-150-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-152-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB
-
memory/4624-153-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmpFilesize
64KB