Analysis
Max time kernel: 141s
Max time network: 36s
Platform: windows7_x64
Resource: win7v200430
Submitted: 29-05-2020 18:31
Static task: static1
Behavioral task: behavioral1
  Sample: legislate_05.27.2020.doc
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: legislate_05.27.2020.doc
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: legislate_05.27.2020.doc
Size: 73KB
MD5: 44cc5fae2c2016f5d444fc53d42a49ca
SHA1: b524d88fc10b401530f2608810ec0e4ce883cf76
SHA256: d76bdd6ea01c66c323dcc781e1d4a4e7470337f72aeedfd5b184fee9c97ca953
SHA512: 81ba7f9e0135232d1e72ea6e05eeaa8edfd87e541420d188b6923221eb1e6dcb2ffe90bbecd11ed652afedcb12b7f607788ad8cca014445df1a809a277772abc
Score: 10/10
Malware Config
Signatures
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid 1092  WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
  pid 1092  WINWORD.EXE (reported 16 times)

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid 1040  Regsvr32.exe, spawned by pid 1092  WINWORD.EXE

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 1092 (WINWORD.EXE) wrote to memory of 1040 (Regsvr32.exe) (reported 5 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1040  Regsvr32.exe
Office loads VBA resources, possible macro or embedded object present
Processes
1. C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate_05.27.2020.doc"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Windows\system32\Regsvr32.exe (child of process 1)
   Command line: Regsvr32 c:\programdata\45628125.dat
   - Process spawned unexpected child process
   - Suspicious behavior: GetForegroundWindowSpam