Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-12-2021 13:30

Static task: static1
Behavioral task: behavioral1
- Sample: deed contract 12.15.2021.doc
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: deed contract 12.15.2021.doc
- Resource: win10-en-20211208
General
- Target: deed contract 12.15.2021.doc
- Size: 42KB
- MD5: 5743e3edb2bf64fe08e5e9a6ea24cd7e
- SHA1: 4bd0151fa9520c9886f7d7a250596687b52bfa81
- SHA256: f604ca55de802f334064610d65e23890ab81906cdac3f8a5c7c25126176289c8
- SHA512: 8728257bd9a6d3fc252b3fa56ece7b6b81f7ac9608327cf7984600ffb277ac3ba9ebe0bc10bca5b2267a9cf1e9025aea95309efcfb05db6e3f381454ff1296a7
Malware Config
Extracted
- Family: icedid
- Campaign: 1694525507
- C2: firenicatrible.com
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process | target process):
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 2164 | 2496 | explorer.exe | WINWORD.EXE
-
Blocklisted process makes network request (1 IoC)
Processes (flow | pid | process):
30 | 3680 | mshta.exe
-
Downloads MZ/PE file
-
Loads dropped DLL (2 IoCs)
Processes (pid | process):
420 | regsvr32.exe
596 | regsvr32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: the last sentence is the sandbox's generic description of this signature, not a verdict on this sample. The extracted configuration identifies the payload as IcedID, a banking trojan and loader rather than ransomware, so on its own this signature is only a weak supporting indicator here.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class (1 IoC)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | explorer.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid | process):
2496 | WINWORD.EXE (2 identical entries)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
596 | regsvr32.exe (2 identical entries)
-
Suspicious use of SetWindowsHookEx (19 IoCs)
Processes (pid | process):
2496 | WINWORD.EXE (19 identical entries)
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
PID 2496 wrote to memory of 2164 | 2496 | WINWORD.EXE | explorer.exe (2 entries)
PID 2388 wrote to memory of 3680 | 2388 | explorer.exe | mshta.exe (3 entries)
PID 3680 wrote to memory of 420 | 3680 | mshta.exe | regsvr32.exe (3 entries)
PID 420 wrote to memory of 596 | 420 | regsvr32.exe | regsvr32.exe (2 entries)
Processes
-
Process tree (indentation shows parent/child depth):

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\deed contract 12.15.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\explorer.exe
    Command line: c:\windows\explorer karolYouYou.hta
    - Process spawned unexpected child process

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\karolYouYou.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\youYou.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\regsvr32.exe
        Command line: c:\users\public\youYou.jpg
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
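The signatures and process chain above, re-derived from host telemetry as an added example (this is not part of the sandbox report and not vendor code). The events are constructed from the report's process tree, registry keys and extracted config; the Sysmon-like field names (Image, ParentImage, CommandLine, TargetObject, DestinationHostname), the blocklists, and the choice to point mshta.exe's network request at firenicatrible.com are all assumptions, since the report only records that mshta.exe made a request. The lineage() walk also shows why this chain is awkward to hunt by parent PID alone: the second explorer.exe was started by COM activation (the /factory,{CLSID} -Embedding command line), so the ancestry of the final regsvr32.exe stops at that explorer.exe and never reaches WINWORD.EXE; the Word-spawns-explorer.exe rule on the first explorer instance is what ties the chain back to the document.

```python
"""Re-derive the sandbox report's signatures from constructed Sysmon-style events.

Added example, not report or vendor code. EVENTS is CONSTRUCTED from the report's
process tree, registry IoCs and IcedID config; the field names, the blocklists and
the C2 destination of mshta.exe's network request are assumptions.
"""
import ntpath
import re

C2_DOMAINS = {"firenicatrible.com"}   # from the extracted IcedID config
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}  # assumed blocklist
REGSVR32_EXTS = {".dll", ".ocx", ".ax"}  # extensions regsvr32 legitimately registers
# Keys WINWORD.EXE read per the report; CPU/BIOS strings are classic VM/sandbox checks.
FINGERPRINT_KEYS = (r"\hardware\description\system\centralprocessor\0",
                    r"\hardware\description\system\bios")

WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
EVENTS = [  # ParentProcessId 0 / ParentImage "" = parent not recorded in the report
    {"Type": "process", "ProcessId": 2496, "ParentProcessId": 0, "ParentImage": "", "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\deed contract 12.15.2021.doc" /o ""'},
    {"Type": "process", "ProcessId": 2164, "ParentProcessId": 2496, "ParentImage": WINWORD,
     "Image": r"\??\c:\windows\explorer.exe", "CommandLine": r"c:\windows\explorer karolYouYou.hta"},
    # COM-activated Explorer (/factory ... -Embedding): a separate instance, not a child of Word
    {"Type": "process", "ProcessId": 2388, "ParentProcessId": 0, "ParentImage": "",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"Type": "process", "ProcessId": 3680, "ParentProcessId": 2388, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\karolYouYou.hta" '
                    r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"},
    {"Type": "process", "ProcessId": 420, "ParentProcessId": 3680, "ParentImage": r"C:\Windows\SysWOW64\mshta.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" c:\users\public\youYou.jpg'},
    {"Type": "process", "ProcessId": 596, "ParentProcessId": 420, "ParentImage": r"C:\Windows\SysWOW64\regsvr32.exe",
     "Image": r"C:\Windows\system32\regsvr32.exe", "CommandLine": r"c:\users\public\youYou.jpg"},
    {"Type": "registry", "ProcessId": 2496, "Image": WINWORD,
     "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"Type": "registry", "ProcessId": 2496, "Image": WINWORD,
     "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    # Assumption: the report only records that mshta.exe made a network request (flow 30)
    {"Type": "network", "ProcessId": 3680, "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "DestinationHostname": "firenicatrible.com"},
]

def base(image):
    """Lower-case file name of an image path, tolerating the NT \\??\\ prefix."""
    return ntpath.basename(image.replace("\\??\\", "")).lower()

def _argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def classify(ev):
    """Return the signature names one event triggers (empty list if nothing fires)."""
    hits, image = [], base(ev["Image"])
    if ev["Type"] == "process":
        parent, cmd = base(ev["ParentImage"]), ev.get("CommandLine", "").lower()
        if parent in OFFICE_APPS and image not in OFFICE_APPS:
            hits.append("office_spawned_unexpected_child")
        if image == "mshta.exe" and ".hta" in cmd and "\\users\\" in cmd:
            hits.append("mshta_runs_hta_from_user_profile")
        if image == "regsvr32.exe":
            # Module = last non-switch token that is not regsvr32 itself; the 64-bit
            # child in the report receives only the module path as its command line.
            args = [a for a in _argv(cmd) if not a.startswith("/") and base(a) != "regsvr32.exe"]
            module = args[-1] if args else ""
            if module and ntpath.splitext(module)[1] not in REGSVR32_EXTS:
                hits.append("regsvr32_nondll_module")   # a .jpg handed to regsvr32
            if "\\users\\public\\" in module:
                hits.append("module_in_users_public")
    elif ev["Type"] == "registry":
        if any(k in ev["TargetObject"].lower() for k in FINGERPRINT_KEYS):
            hits.append("registry_hw_fingerprint")
    elif ev["Type"] == "network":
        if image in SCRIPT_HOSTS:
            hits.append("blocklisted_process_network")
        if ev.get("DestinationHostname", "").lower() in C2_DOMAINS:
            hits.append("known_c2_domain")
    return hits

def analyze(events):
    """Map each ProcessId to the set of signatures its events triggered."""
    result = {}
    for ev in events:
        for sig in classify(ev):
            result.setdefault(ev["ProcessId"], set()).add(sig)
    return result

def lineage(events, pid):
    """Walk ParentProcessId upwards; stops where no parent was recorded."""
    by_pid = {e["ProcessId"]: e for e in events if e["Type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain

if __name__ == "__main__":
    for pid, sigs in sorted(analyze(EVENTS).items()):
        print(pid, sorted(sigs))
    print(" <- ".join(lineage(EVENTS, 596)))  # never reaches winword.exe (COM-activated explorer)
```

Run as-is it prints one line per flagged PID followed by the ancestry of the final regsvr32.exe, which ends at explorer.exe rather than WINWORD.EXE. In a real pipeline the regsvr32 module check is the highest-value rule here: a module whose extension is not .dll/.ocx/.ax, sitting under C:\Users\Public, is rare in legitimate activity and does not depend on recovering the full parent chain.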
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Documents\karolYouYou.hta
MD5: b81c854f3cc5bfabb51bdbe9d85964ae
SHA1: f4116623c3c443a6438cf9a1a3d0a568a6813ee6
SHA256: e00b0e980272214abae7b80ce475d8cd6b1e12275364e42ca276d0f6a7d5fd45
SHA512: f2b2a460f5d9797c70b06491e17522740f8886267db0ab1b1e70cc332081ee5f6c64a4af54ef3685cc6257bf08d82368f698189c7903f83ada7bf918c0ef9af0
-
\??\c:\users\public\youYou.jpg
MD5: ee78b231992fcef6de4e7d1b17c7ca0a
SHA1: 3b28788fd06a2dea76589cb54959eb20e2a0949d
SHA256: 1b34579918b682e8312cf1009fec4b2d4793c4e529ca72bf011e944b64599598
SHA512: fa3e884b3119c852114d9406e69a073be1e8657ea7f53d29fcd460306841d101c6cd6e11b415469ce1e56995b3a0013c956ffa109cf8c9ee376f34073b415f5b
-
\Users\Public\youYou.jpg (same file as the entry above; identical hashes)
MD5: ee78b231992fcef6de4e7d1b17c7ca0a
SHA1: 3b28788fd06a2dea76589cb54959eb20e2a0949d
SHA256: 1b34579918b682e8312cf1009fec4b2d4793c4e529ca72bf011e944b64599598
SHA512: fa3e884b3119c852114d9406e69a073be1e8657ea7f53d29fcd460306841d101c6cd6e11b415469ce1e56995b3a0013c956ffa109cf8c9ee376f34073b415f5b
-
Memory dumps (pid-sequence-range):
- memory/420-288-0x0000000000000000-mapping.dmp
- memory/596-301-0x0000000000D70000-0x0000000000DD3000-memory.dmp (Filesize 396KB)
- memory/596-291-0x0000000000000000-mapping.dmp
- memory/2164-260-0x0000000000000000-mapping.dmp
- memory/2496-115-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp (Filesize 64KB)
- memory/2496-122-0x000001E4B15E0000-0x000001E4B15E2000-memory.dmp (Filesize 8KB)
- memory/2496-121-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp (Filesize 64KB)
- memory/2496-120-0x000001E4B15E0000-0x000001E4B15E2000-memory.dmp (Filesize 8KB)
- memory/2496-119-0x000001E4B15E0000-0x000001E4B15E2000-memory.dmp (Filesize 8KB)
- memory/2496-118-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp (Filesize 64KB)
- memory/2496-117-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp (Filesize 64KB)
- memory/2496-116-0x00007FFDFC560000-0x00007FFDFC570000-memory.dmp (Filesize 64KB)
- memory/3680-263-0x0000000000000000-mapping.dmp