Analysis
- max time kernel: 119s
- max time network: 134s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 02-12-2021 03:17

Static task: static1

Behavioral task: behavioral1
- Sample: charge_12.01.2021.doc
- Resource: win7-en-20211014

Behavioral task: behavioral2
- Sample: charge_12.01.2021.doc
- Resource: win10-en-20211104
General
- Target: charge_12.01.2021.doc
- Size: 33KB
- MD5: 18499830201cddade8183b8e24fdf30a
- SHA1: 55c498cf7273cab567f49a00c15ca3316c001215
- SHA256: 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
- SHA512: 0a59ed2f3491bbd547d3ae543c6efcf965d1da65c02f900b09d6c75afd92dfc98c4182af7392b9d77b79cf0c17fe30d232449396a3a3be14c96b07ce7718928e
Malware Config
Extracted
- Family: icedid
- Campaign: 1892568649
- C2: normyils.com
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    explorer.exe (PID 2216), parent WINWORD.EXE (PID 2680): Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
- Blocklisted process makes network request (1 IoC)
  Processes:
    mshta.exe (PID 1900), flow 26
- Downloads MZ/PE file
- Loads dropped DLL (2 IoCs)
  Processes:
    regsvr32.exe (PID 3856)
    regsvr32.exe (PID 2684)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Modifies registry class (1 IoC)
  Processes:
    explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    WINWORD.EXE (PID 2680), 2 occurrences
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    regsvr32.exe (PID 2684), 2 occurrences
- Suspicious use of SetWindowsHookEx (20 IoCs)
  Processes:
    WINWORD.EXE (PID 2680), 20 occurrences
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    WINWORD.EXE (PID 2680) wrote to memory of explorer.exe (PID 2216), 2 occurrences
    explorer.exe (PID 2488) wrote to memory of mshta.exe (PID 1900), 3 occurrences
    mshta.exe (PID 1900) wrote to memory of regsvr32.exe (PID 3856), 3 occurrences
    regsvr32.exe (PID 3856) wrote to memory of regsvr32.exe (PID 2684), 2 occurrences
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\charge_12.01.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    Command line: explorer youTube.hta
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\youTube.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\dowNext.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\regsvr32.exe
        Command line: c:\users\public\dowNext.jpg
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\Documents\youTube.hta
  MD5: 55d9eab53d4063a53b6ed05f7b1e75e7
  SHA1: e6b4c81676d3ef0d2f7d08a6cc2ad90eb54908c3
  SHA256: c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2
  SHA512: e90768d87c7b191d41d3944957725db0e1f29fa865e24fd7308656fc9249ca0a5d1bd0abeda3bbc68528efc0ce6bc3a79eb434c375fd5c6ec90455c6e19a74f9
- \??\c:\users\public\dowNext.jpg (also recorded as \Users\Public\dowNext.jpg, same hashes)
  MD5: 42ba8df7ba3a3b5c77b5d2bbcb91e828
  SHA1: 65a741078ecd46d314de89014714f898a4305f42
  SHA256: 4bcfc1bb0f59cbcd6c5a235339d39a4d89528bdcc0e3a91e299bc9660a2cc8ef
  SHA512: 9643c97bee47f2f12549495b27927c724dd0a741ad1fb1e7c838948945caee9dcd4baeaf12d76f422f157846f4a79514d8596a2a541e133eac2a75604768467c
- memory/1900-265-0x0000000000000000-mapping.dmp
- memory/2216-262-0x0000000000000000-mapping.dmp
- memory/2680-124-0x00007FFEC5120000-0x00007FFEC5130000-memory.dmp (64KB)
- memory/2680-125-0x0000015024D80000-0x0000015024D82000-memory.dmp (8KB)
- memory/2680-118-0x00007FFEC5120000-0x00007FFEC5130000-memory.dmp (64KB)
- memory/2680-122-0x0000015024D80000-0x0000015024D82000-memory.dmp (8KB)
- memory/2680-123-0x0000015024D80000-0x0000015024D82000-memory.dmp (8KB)
- memory/2680-121-0x00007FFEC5120000-0x00007FFEC5130000-memory.dmp (64KB)
- memory/2680-120-0x00007FFEC5120000-0x00007FFEC5130000-memory.dmp (64KB)
- memory/2680-119-0x00007FFEC5120000-0x00007FFEC5130000-memory.dmp (64KB)
- memory/2684-298-0x0000000000000000-mapping.dmp
- memory/2684-301-0x0000000002370000-0x00000000023D3000-memory.dmp (396KB)
- memory/3856-291-0x0000000000000000-mapping.dmp