Analysis
- Max time kernel: 133s
- Max time network: 149s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 29-05-2020 18:31

Static task: static1

Behavioral task: behavioral1
- Sample: legislate_05.27.2020.doc
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: legislate_05.27.2020.doc
- Resource: win10v200430
General
- Target: legislate_05.27.2020.doc
- Size: 73KB
- MD5: 44cc5fae2c2016f5d444fc53d42a49ca
- SHA1: b524d88fc10b401530f2608810ec0e4ce883cf76
- SHA256: d76bdd6ea01c66c323dcc781e1d4a4e7470337f72aeedfd5b184fee9c97ca953
- SHA512: 81ba7f9e0135232d1e72ea6e05eeaa8edfd87e541420d188b6923221eb1e6dcb2ffe90bbecd11ed652afedcb12b7f607788ad8cca014445df1a809a277772abc
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  | description | pid | pid_target | process | target process |
  | Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 4024 | 1628 | Regsvr32.exe | WINWORD.EXE |

- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  | description | pid | process | target process |
  | PID 1628 wrote to memory of 4024 | 1628 | WINWORD.EXE | Regsvr32.exe |
  | PID 1628 wrote to memory of 4024 | 1628 | WINWORD.EXE | Regsvr32.exe |

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  | description | ioc | process |
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  | description | ioc | process |
  | Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
  | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |

- Suspicious use of SetWindowsHookEx (20 IoCs)
  Processes:
  | pid | process |
  | 1628 | WINWORD.EXE |
  (20 identical entries, all from pid 1628 WINWORD.EXE)

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  | pid | process |
  | 1628 | WINWORD.EXE |
  | 1628 | WINWORD.EXE |
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate_05.27.2020.doc" /o ""
  - Suspicious use of WriteProcessMemory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Child process: C:\Windows\SYSTEM32\Regsvr32.exe
    Command line: Regsvr32 c:\programdata\45628125.dat
    - Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
| File | Filesize |
| memory/1628-0-0x0000025762C30000-0x0000025762C35000-memory.dmp | 20KB |
| memory/1628-1-0x0000025762C30000-0x0000025762C35000-memory.dmp | 20KB |
| memory/1628-2-0x0000025762C2D000-0x0000025762C30000-memory.dmp | 12KB |
| memory/1628-3-0x0000025762C30000-0x0000025762C35000-memory.dmp | 20KB |
| memory/1628-4-0x0000025762CB0000-0x0000025762CB5000-memory.dmp | 20KB |