Analysis
- max time kernel: 122s
- max time network: 1565s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 01-12-2021 22:39
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: figures-12.21.doc
  Resource: win7-en-20211104
- Behavioral task: behavioral2
  Sample: figures-12.21.doc
  Resource: win10-en-20211014
General
- Target: figures-12.21.doc
- Size: 33KB
- MD5: 7fd923b0c4fb883cddce74ef1ab2233e
- SHA1: 0c4dcb95f799c8b6fe5c61ad8e5b5d02caab97ec
- SHA256: aa31b5173d6dea75cd81623d5cdd463db3cfb98c23c72fefe588a7d6ed41dae1
- SHA512: cb065f10a801f64e95f42783439b662758ced10455c0242ae3924a2e012db7d5ca5abe6e5172e46d6faf14a30f0db1c8dc7cd03a896a9dcd28fc4fdb40aac713
Malware Config
Extracted:
- icedid
- 1892568649
- normyils.com
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3608 | 2728 | explorer.exe | WINWORD.EXE
- suricata: ET MALWARE Win32/IcedID Request Cookie
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    24 | 1724 | mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    3740 | regsvr32.exe
    3808 | regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    2728 | WINWORD.EXE
    2728 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3808 | regsvr32.exe
    3808 | regsvr32.exe
- Suspicious use of SetWindowsHookEx (20 IoCs)
  Processes:
    pid | process
    2728 | WINWORD.EXE (all 20 IoCs are this pid/process)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description | pid | process | target process
    PID 2728 wrote to memory of 3608 | 2728 | WINWORD.EXE | explorer.exe (2 IoCs)
    PID 4040 wrote to memory of 1724 | 4040 | explorer.exe | mshta.exe (3 IoCs)
    PID 1724 wrote to memory of 3740 | 1724 | mshta.exe | regsvr32.exe (3 IoCs)
    PID 3740 wrote to memory of 3808 | 3740 | regsvr32.exe | regsvr32.exe (2 IoCs)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\figures-12.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    Command line: explorer loadLoadYou.hta
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\loadLoadYou.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\nextNext.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: c:\users\public\nextNext.jpg
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\loadLoadYou.hta
  MD5: 6b7f741179d279a13e8ece951badb9e1
  SHA1: 1b6eba24dea7d29dc049e81c50f92a98a07b5741
  SHA256: e7dbc0a4c535be854642fd39706ed01041ca9eee6a57383d7d856b90fe4a4349
  SHA512: 4d873959cfdef272df273633342d587ecd987c8c8f2d4680416d5ac7593890ffba8a3efc35f53ef493c6673fc06d1fc23698595b29fd55026de3b81a6c4ed5ae
- \??\c:\users\public\nextNext.jpg
  MD5: 691c92ca51c47f3e33d04fc06a6a1553
  SHA1: 3b3e398e0971f514541cb1f67a0bc1f59e939d62
  SHA256: dcb444844f882f8ffe8787e8afdc3bd0a3f43db60152679175522b4b0e900ec9
  SHA512: bde6459f1b164b6c4c36ca0b173285a1db0ce1e8367d0681ac3c9ed8a972a8acdbd75dd7edb479b7ecdc8bddde8fb326fe4cf8dcfc7fa722704ffadd5870ea06
- \Users\Public\nextNext.jpg
  MD5: 691c92ca51c47f3e33d04fc06a6a1553
  SHA1: 3b3e398e0971f514541cb1f67a0bc1f59e939d62
  SHA256: dcb444844f882f8ffe8787e8afdc3bd0a3f43db60152679175522b4b0e900ec9
  SHA512: bde6459f1b164b6c4c36ca0b173285a1db0ce1e8367d0681ac3c9ed8a972a8acdbd75dd7edb479b7ecdc8bddde8fb326fe4cf8dcfc7fa722704ffadd5870ea06
Memory dumps
- memory/1724-257-0x0000000000000000-mapping.dmp
- memory/2728-119-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp (Filesize: 64KB)
- memory/2728-120-0x000001D0E7E90000-0x000001D0E7E92000-memory.dmp (Filesize: 8KB)
- memory/2728-122-0x000001D0E7E90000-0x000001D0E7E92000-memory.dmp (Filesize: 8KB)
- memory/2728-121-0x000001D0E7E90000-0x000001D0E7E92000-memory.dmp (Filesize: 8KB)
- memory/2728-115-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp (Filesize: 64KB)
- memory/2728-118-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp (Filesize: 64KB)
- memory/2728-117-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp (Filesize: 64KB)
- memory/2728-116-0x00007FF7FB410000-0x00007FF7FB420000-memory.dmp (Filesize: 64KB)
- memory/3608-254-0x0000000000000000-mapping.dmp
- memory/3740-288-0x0000000000000000-mapping.dmp
- memory/3808-291-0x0000000000000000-mapping.dmp
- memory/3808-293-0x0000000002B70000-0x0000000002BD3000-memory.dmp (Filesize: 396KB)