Analysis
-
max time kernel
102s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2022 17:59
Behavioral task
behavioral1
Sample
kingwoodcable,invoice,09.26.docm
Resource
win7-20220812-en
General
-
Target
kingwoodcable,invoice,09.26.docm
-
Size
866KB
-
MD5
6ec1488f15f0573d3543e853af6d6e09
-
SHA1
941da2c83cd00abd146d7ef985990933f7f146cb
-
SHA256
cc42ef46da6aaeba9e41b2c5ac494f59383fec47f5736d27d4654613fe4cc610
-
SHA512
448075b3c6f6e92a01557db4c13560ef193087d946469e353e0f5851c9acbca0a3f397b7bdf33eee990b417b39d971e12240911d45b01a71a062e706247960c7
-
SSDEEP
12288:h6VE9j2y+1JbeQbntrws6/GYzw6OFokpXfiiGef/DEW2rlj7REMCyc53:h6V2jUeQRI5wPN//2rlfREMCV
Malware Config
Extracted
icedid
742081363
scainznorka.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rundll32.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process 228 4808 rundll32.exe WINWORD.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 27 228 rundll32.exe 50 228 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 228 rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4808 WINWORD.EXE 4808 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid process 228 rundll32.exe 228 rundll32.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4808 WINWORD.EXE 4808 WINWORD.EXE 4808 WINWORD.EXE 4808 WINWORD.EXE 4808 WINWORD.EXE 4808 WINWORD.EXE 4808 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
WINWORD.EXEdescription pid process target process PID 4808 wrote to memory of 228 4808 WINWORD.EXE rundll32.exe PID 4808 wrote to memory of 228 4808 WINWORD.EXE rundll32.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\kingwoodcable,invoice,09.26.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SYSTEM32\rundll32.exerundll32 C:\ProgramData\8zp072e7.64t,PluginInit2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:228
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\8zp072e7.64tFilesize
532KB
MD5b559022fd459f620b912f731689e1930
SHA18c99656ed3cce493c6624f734b25b557a37fdb15
SHA2562b3b1422ba43efeb2f813c608f59761584379e54fb7a02d852bf934ad2adc70e
SHA512a97d054a38cf51a873e9770205ad4128e6cbb47a2954ebe2b7d2bb091c515ee16189adcf1dc3e0c825ec2fd18b6c7f411a7c49d04721abb98e1f7a23dbcf4483
-
C:\ProgramData\8zp072e7.64tFilesize
532KB
MD5b559022fd459f620b912f731689e1930
SHA18c99656ed3cce493c6624f734b25b557a37fdb15
SHA2562b3b1422ba43efeb2f813c608f59761584379e54fb7a02d852bf934ad2adc70e
SHA512a97d054a38cf51a873e9770205ad4128e6cbb47a2954ebe2b7d2bb091c515ee16189adcf1dc3e0c825ec2fd18b6c7f411a7c49d04721abb98e1f7a23dbcf4483
-
memory/228-139-0x0000000000000000-mapping.dmp
-
memory/228-148-0x000002B8DBAF0000-0x000002B8DBAF6000-memory.dmpFilesize
24KB
-
memory/228-142-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/4808-136-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-138-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmpFilesize
64KB
-
memory/4808-137-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmpFilesize
64KB
-
memory/4808-132-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-135-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-134-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-133-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-150-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-151-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-152-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB
-
memory/4808-153-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmpFilesize
64KB