Analysis
- max time kernel: 151s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-12-2021 11:09

Static task: static1
Behavioral task: behavioral1, sample enjoin,12.27.2021.doc, resource win7-en-20211208
Behavioral task: behavioral2, sample enjoin,12.27.2021.doc, resource win10-en-20211208

The results on this page are from the windows10_x64 run (behavioral2, win10-en-20211208).
General
- Target: enjoin,12.27.2021.doc
- Size: 77KB
- MD5: 7044bd240219ec2f83b01c532e2ce5ba
- SHA1: 745cdbc4a826c5960eef3f4a9aa307ff94e4b7fb
- SHA256: ecd84fa8d836d5057149b2b3a048d75004ca1a1377fcf2f5e67374af3a1161a0
- SHA512: 8467fc9f63711c8fa460f1f35d42b6528c6e285799d9a19630696dd3a12e24799370eaa6d53e075e60d579a3b4ecef035cf62aac6a1bc96130b392c3931882ee
Malware Config
Extracted
- Family: icedid
- Campaign ID: 2507181075
- C2: vopnoz.com
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- PID 3276 explorer.exe, spawned by PID 4000 WINWORD.EXE: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
- PID 2924 WerFault.exe, target process regsvr32.exe: PID 2924 created 412
Note: WerFault.exe is started by the Windows Error Reporting service on behalf of the crashing process (the -p 412 argument below), which is why its recorded parent differs from its creator. This hit is a side effect of the crash, not attacker parent spoofing.

suricata: ET MALWARE Win32/IcedID Request Cookie (reported twice)

Blocklisted process makes network request (1 IoC)
Processes:
- flow 59, PID 1412 mshta.exe

Downloads MZ/PE file

Loads dropped DLL (2 IoCs)
Processes:
- PID 3348 regsvr32.exe
- PID 412 regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: generic signature text; nothing else in this report (no file-modification or encryption activity) supports the ransomware reading.

Program crash (1 IoC)
Processes:
- PID 2924 WerFault.exe, target PID 412 regsvr32.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by WINWORD.EXE
Note: the reads come from WINWORD.EXE itself, which queries these keys in normal operation; on their own they are weak evidence of evasion.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU by WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS by WINWORD.EXE

Modifies registry class (1 IoC)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings by explorer.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- PID 4000 WINWORD.EXE (2 calls)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
- PID 412 regsvr32.exe (2 calls)
- PID 2924 WerFault.exe (14 calls)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, PID 2924 WerFault.exe

Suspicious use of SetWindowsHookEx (19 IoCs)
Processes:
- PID 4000 WINWORD.EXE (19 calls)
Note: the clipboard-listener and window-hook calls are routine for an Office process; the WerFault.exe process enumeration and SeDebugPrivilege use are routine crash handling.

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 4000 WINWORD.EXE wrote to memory of 3276 explorer.exe (2 entries)
- PID 372 explorer.exe wrote to memory of 1412 mshta.exe (3 entries)
- PID 1412 mshta.exe wrote to memory of 3348 regsvr32.exe (3 entries)
- PID 3348 regsvr32.exe wrote to memory of 412 regsvr32.exe (2 entries)
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4000)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\enjoin,12.27.2021.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\explorer.exe (PID 3276)
    explorer i7Gigabyte.hta
    - Process spawned unexpected child process

C:\Windows\explorer.exe (PID 372)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe (PID 1412)
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\i7Gigabyte.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 3348)
      "C:\Windows\System32\regsvr32.exe" c:\users\public\gigabyteI7.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\regsvr32.exe (PID 412)
        c:\users\public\gigabyteI7.jpg
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\system32\WerFault.exe (PID 2924)
          C:\Windows\system32\WerFault.exe -u -p 412 -s 672
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

Reading the tree:
- WINWORD.EXE (4000) does not start mshta.exe itself. It runs "explorer i7Gigabyte.hta" (3276); the file is then opened by the shell's existing explorer.exe (372, the COM "/factory ... -Embedding" instance), which is the recorded parent of mshta.exe (1412). The WriteProcessMemory entries show the same split: 4000 writes to 3276, and 372 writes to 1412. A WINWORD.EXE -> mshta.exe parent-child rule never sees this chain; the explorer.exe launch with a script-file argument is the step to alert on.
- The HTA fetches the payload (Downloads MZ/PE file) to c:\users\public\gigabyteI7.jpg and loads it with regsvr32.exe (Loads dropped DLL); the .jpg extension is cosmetic.
- mshta.exe is the 32-bit SysWOW64 build, so its call to C:\Windows\System32\regsvr32.exe is redirected to the 32-bit regsvr32.exe (3348), which in turn starts the native 64-bit regsvr32.exe (412) to load the DLL. That process crashes, which is what WerFault.exe -p 412 records.
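As an added example (not part of the sandbox report or the vendor's tooling), the script below replays the process tree above as Sysmon-style process-creation records and runs three detections over them: an Office process handing a script file to explorer.exe, mshta.exe opening an .hta from a user-writable path, and regsvr32.exe loading a file whose extension is not a library type. It then walks the parent chain to show that no Office process is an ancestor of mshta.exe, and joins the first two hits on the script's basename as the only link between them. The records are constructed from the report's PIDs, images and command lines; the parents of WINWORD.EXE and of the shell explorer.exe (372) are not stated in the report, so they are recorded as unknown (ppid 0). Rule names, extension lists and path prefixes are my own choices.

```python
"""Detection pass over Sysmon-style process-creation records (added example).

The EVENTS list is constructed from the sandbox report's process tree; the
field names mimic Sysmon Event ID 1 but these are hand-built dictionaries.
ppid 0 means the report does not state the parent.
"""
import ntpath

EVENTS = [  # constructed from the report, not an exported log
    {"pid": 4000, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\enjoin,12.27.2021.doc" /o ""'},
    {"pid": 3276, "ppid": 4000, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer i7Gigabyte.hta"},
    {"pid": 372, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 1412, "ppid": 372, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\i7Gigabyte.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    {"pid": 3348, "ppid": 1412, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" c:\users\public\gigabyteI7.jpg'},
    {"pid": 412, "ppid": 3348, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"c:\users\public\gigabyteI7.jpg"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}          # assumed list
SCRIPT_EXT = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}    # assumed list
LIBRARY_EXT = {".dll", ".ocx", ".ax", ".cpl"}                   # what regsvr32 normally loads
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")          # prefixes a macro can write to


def base(path):
    return ntpath.basename(path).lower()


def tokens(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    out, cur, quoted = [], "", False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def file_args(cmd):
    """Arguments that look like files: have an extension, are not switches or .exe."""
    return [t for t in tokens(cmd)
            if "." in ntpath.basename(t) and not t.startswith(("/", "-"))
            and ntpath.splitext(t)[1].lower() != ".exe"]


def ancestry(pid, by_pid):
    """Image basenames from pid up to the last parent the log can resolve."""
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return (rule, pid, file basename) for every rule hit, in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, parent = base(e["image"]), by_pid.get(e["ppid"])
        # Rule 1: Office passes a script file to explorer.exe; the shell, not
        # Office, becomes the parent of whatever interpreter opens the file.
        if img == "explorer.exe" and parent and base(parent["image"]) in OFFICE:
            for f in file_args(e["cmd"]):
                if ntpath.splitext(f)[1].lower() in SCRIPT_EXT:
                    hits.append(("office_explorer_script_proxy", e["pid"], base(f)))
        # Rule 2: mshta.exe running an .hta out of a user-writable location.
        if img == "mshta.exe":
            for f in file_args(e["cmd"]):
                if ntpath.splitext(f)[1].lower() == ".hta" and f.lower().startswith(USER_WRITABLE):
                    hits.append(("mshta_user_hta", e["pid"], base(f)))
        # Rule 3: regsvr32.exe given a user-writable file with a non-library extension.
        if img == "regsvr32.exe":
            for f in file_args(e["cmd"]):
                if ntpath.splitext(f)[1].lower() not in LIBRARY_EXT and f.lower().startswith(USER_WRITABLE):
                    hits.append(("regsvr32_non_dll_extension", e["pid"], base(f)))
    return hits


def proxied_scripts(events):
    """PIDs of mshta.exe whose .hta matches a script Office handed to explorer.exe.
    The basename is the only link: the two processes share no ancestry."""
    hits = evaluate(events)
    proxied = {name for rule, _, name in hits if rule == "office_explorer_script_proxy"}
    return sorted(pid for rule, pid, name in hits if rule == "mshta_user_hta" and name in proxied)


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for hit in evaluate(EVENTS):
        print(hit)
    print("mshta ancestry:", ancestry(1412, by_pid))      # no Office process in the chain
    print("mshta PIDs tied to an Office proxy launch:", proxied_scripts(EVENTS))
```

Running it produces four hits (explorer.exe 3276, mshta.exe 1412, regsvr32.exe 3348 and 412) and an mshta.exe ancestry of mshta.exe -> explorer.exe with no WINWORD.EXE above it, which is why the join in proxied_scripts is needed to tie the HTA back to the document. Against real Sysmon data the same logic applies to ParentImage, Image and CommandLine from Event ID 1.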
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Documents\i7Gigabyte.hta
- MD5: fbdb7848f1d9945428c0101b75811195
- SHA1: fe31e65196e0844cd5858f893d44428aece6a2b4
- SHA256: aec91c78c4dc06c5bcea7b5020c38b003fc120153d51a3adb4f32d8000a6326a
- SHA512: d699d3a8123f7fcc09373f27f0a09015546abe6bcfbeb8a75178b9ef0304f73c19bc0f27f51ed2b78a02a8caee89b5e268808e6c0aa981ed011fe03c573311a5

\??\c:\users\public\gigabyteI7.jpg (also recorded as \Users\Public\gigabyteI7.jpg; same hashes)
- MD5: 30417685bed3df949068743b8d2d33b5
- SHA1: 7815895e67dab255d7dc6d3c77331c1973c48e32
- SHA256: 8e636ca8d75d4e15f5393d79a6bb0545e2138fb89ff32077e115ae94f6d4b9bb
- SHA512: a68c23e2e9d76d7df097cf1f2cedca1a1f2d668ff81d55d4abca92a8e0ac22c9a58d3d6e228f41c78736e60bdb268b2be774a9686026bff5793dc75d0c162063

Memory dumps:
- memory/412-296-0x00007FF67B540000-0x00007FF67B549000-memory.dmp (36KB)
- memory/412-289-0x0000000000000000-mapping.dmp
- memory/1412-263-0x0000000000000000-mapping.dmp
- memory/3276-258-0x0000000000000000-mapping.dmp
- memory/3348-282-0x0000000000000000-mapping.dmp
- memory/4000-115-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (64KB)
- memory/4000-123-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (64KB)
- memory/4000-121-0x000001F56E650000-0x000001F56E652000-memory.dmp (8KB)
- memory/4000-119-0x000001F56E650000-0x000001F56E652000-memory.dmp (8KB)
- memory/4000-120-0x000001F56E650000-0x000001F56E652000-memory.dmp (8KB)
- memory/4000-118-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (64KB)
- memory/4000-116-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (64KB)
- memory/4000-117-0x00007FFBD30C0000-0x00007FFBD30D0000-memory.dmp (64KB)