Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 02-12-2021 13:30
Static task: static1
Behavioral task: behavioral1
  Sample: charge-12.21.doc
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: charge-12.21.doc
  Resource: win10-en-20211104
General
- Target: charge-12.21.doc
- Size: 33KB
- MD5: 74a0006068bb29d6713ce528103687bc
- SHA1: 156010577234a86d730de63ac661c975caa088c6
- SHA256: eae84642b156436fffe52122b3184971df09e9fb369aff2afcad3ad59a8c623f
- SHA512: 852449009a2ad40075e507882fa0a0389441fc57342212388bf862318a264ea6bc2a61b3545173345b4b8c37a7a795f9f72680436996ea76359d30a27d34815f
Malware Config
Extracted
icedid
1892568649
normyils.com
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3036 | 1624 | explorer.exe | WINWORD.EXE
- suricata: ET MALWARE Win32/IcedID Request Cookie
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    45 | 3128 | mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    892 | regsvr32.exe
    720 | regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid | process
    1624 | WINWORD.EXE
    1624 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    720 | regsvr32.exe
    720 | regsvr32.exe
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes:
    pid | process
    1624 | WINWORD.EXE (19 identical entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description | pid | process | target process
    PID 1624 wrote to memory of 3036 | 1624 | WINWORD.EXE | explorer.exe (2 entries)
    PID 1696 wrote to memory of 3128 | 1696 | explorer.exe | mshta.exe (3 entries)
    PID 3128 wrote to memory of 892 | 3128 | mshta.exe | regsvr32.exe (3 entries)
    PID 892 wrote to memory of 720 | 892 | regsvr32.exe | regsvr32.exe (2 entries)
Processes
- (depth 1) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\charge-12.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\explorer.exe
    Command line: explorer dowLoadYou.hta
    - Process spawned unexpected child process
- (depth 1) C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\dowLoadYou.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\loveDoorDow.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\system32\regsvr32.exe
        Command line: c:\users\public\loveDoorDow.jpg
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\dowLoadYou.hta
  MD5: 20741b6c308dc472336c53db7c17ce87
  SHA1: 8e1bd0889de5accb7833242634b40c1666bba565
  SHA256: 7ec242dfa70987e9b5152cbf08ba96c1ba65732c94508998608ed8f0247004e8
  SHA512: ba574f14cd4107633d5049d0cbaa3d0d3224f28168acc5cb9bea2a9b298f5c49eb71b3f8687fc48a07ad8b44315a5fe05bb0dc5a31a5d861b0754bbb0f69dd9d
- \??\c:\users\public\loveDoorDow.jpg
  MD5: 213bf3d8763394125a5fb2a0250970ed
  SHA1: 703d4de08b803af06f5640fc8357afe9e6eb1b85
  SHA256: 79e621d6957c8048fc4fc6c60d8fc40edc39ea47f77a1c94c1206d66daad286c
  SHA512: 36472a621ad091c54eb728d9d0d2216f3e1d678f6fe6b5643e52ee8ed0753925beb77a376dffa66b7e1622a6fc8d784eb9ca6ae3f94e3f6710e3e49872bdbcdf
- \Users\Public\loveDoorDow.jpg
  MD5: 213bf3d8763394125a5fb2a0250970ed
  SHA1: 703d4de08b803af06f5640fc8357afe9e6eb1b85
  SHA256: 79e621d6957c8048fc4fc6c60d8fc40edc39ea47f77a1c94c1206d66daad286c
  SHA512: 36472a621ad091c54eb728d9d0d2216f3e1d678f6fe6b5643e52ee8ed0753925beb77a376dffa66b7e1622a6fc8d784eb9ca6ae3f94e3f6710e3e49872bdbcdf
- memory/720-301-0x00000000006C0000-0x0000000000723000-memory.dmp (Filesize: 396KB)
- memory/720-299-0x0000000000000000-mapping.dmp
- memory/892-296-0x0000000000000000-mapping.dmp
- memory/1624-122-0x00007FFEACE70000-0x00007FFEACE80000-memory.dmp (Filesize: 64KB)
- memory/1624-125-0x00000234E6DA0000-0x00000234E6DA2000-memory.dmp (Filesize: 8KB)
- memory/1624-123-0x00000234E6DA0000-0x00000234E6DA2000-memory.dmp (Filesize: 8KB)
- memory/1624-124-0x00000234E6DA0000-0x00000234E6DA2000-memory.dmp (Filesize: 8KB)
- memory/1624-118-0x00007FFEACE70000-0x00007FFEACE80000-memory.dmp (Filesize: 64KB)
- memory/1624-121-0x00007FFEACE70000-0x00007FFEACE80000-memory.dmp (Filesize: 64KB)
- memory/1624-120-0x00007FFEACE70000-0x00007FFEACE80000-memory.dmp (Filesize: 64KB)
- memory/1624-119-0x00007FFEACE70000-0x00007FFEACE80000-memory.dmp (Filesize: 64KB)
- memory/3036-262-0x0000000000000000-mapping.dmp
- memory/3128-264-0x0000000000000000-mapping.dmp