Analysis
- max time kernel: 139s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-12-2020 18:00

Static task: static1
Behavioral task: behavioral1
Sample: legislate,12.07.2020.doc
Resource: win7v20201028
General
- Target: legislate,12.07.2020.doc
- Size: 76KB
- MD5: b23c60eac13df90a50ebf0521a1bb1de
- SHA1: bde39149016d4590565e7719fb5c40756c97385b
- SHA256: ea85265f62418bd9f42f8fe23454517503eb7e29bc267a4e6526df8618c9039b
- SHA512: d85e2667ce71d414768aba5d6a8e8a3e5bd73d286eed036ec8d142cdd19a2e37ad173ac18667a52dd614d7d5293e6a060bd5269a83e9f7a20970adea0bc11967
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: rundll32.exe
    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3948 | 540 | rundll32.exe | WINWORD.EXE

- Blocklisted process makes network request (9 IoCs)
  Processes: mshta.exe, rundll32.exe
    flow | pid  | process
    24   | 3176 | mshta.exe
    29   | 1312 | rundll32.exe
    31   | 1312 | rundll32.exe
    37   | 1312 | rundll32.exe
    39   | 1312 | rundll32.exe
    41   | 1312 | rundll32.exe
    43   | 1312 | rundll32.exe
    45   | 1312 | rundll32.exe
    47   | 1312 | rundll32.exe

- Downloads MZ/PE file

- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
    pid  | process
    1312 | rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
    description       | ioc                                                                          | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0             | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz        | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
    description       | ioc                                                          | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS            | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | WINWORD.EXE

- Modifies registry class (1 IoC)
  Processes: rundll32.exe
    description | ioc                                                                                      | process
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | rundll32.exe

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
    pid | process
    540 | WINWORD.EXE
    540 | WINWORD.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid  | process
    1312 | rundll32.exe
    1312 | rundll32.exe

- Suspicious use of SetWindowsHookEx (17 IoCs)
  Processes: WINWORD.EXE
    pid | process
    540 | WINWORD.EXE (17 identical entries)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: WINWORD.EXE, rundll32.exe, mshta.exe
    description                     | pid  | process      | target process
    PID 540 wrote to memory of 3948  | 540  | WINWORD.EXE  | rundll32.exe
    PID 540 wrote to memory of 3948  | 540  | WINWORD.EXE  | rundll32.exe
    PID 3948 wrote to memory of 3176 | 3948 | rundll32.exe | mshta.exe
    PID 3948 wrote to memory of 3176 | 3948 | rundll32.exe | mshta.exe
    PID 3948 wrote to memory of 3176 | 3948 | rundll32.exe | mshta.exe
    PID 3176 wrote to memory of 1312 | 3176 | mshta.exe    | rundll32.exe
    PID 3176 wrote to memory of 1312 | 3176 | mshta.exe    | rundll32.exe
    PID 3176 wrote to memory of 1312 | 3176 | mshta.exe    | rundll32.exe
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate,12.07.2020.doc" /o ""
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" url.dll,OpenURL c:\users\public\index.hta
      - Process spawned unexpected child process
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\mshta.exe
         Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\index.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" c:\programdata\aWFPjN.pdf,ShowDialogA -r
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\index.hta
  MD5: 52514804e042ebe0256a8671a7282552
  SHA1: 401025bdbdedf098e2dcd6f4c597d5e091785be7
  SHA256: 68745718c2ed1d006064a6c9f5ac15665ac7d6bc7420f8830abbb9be386cd144
  SHA512: 4c34a26c379d168046a05a939a007bffc95be3da6b6fc3d63d1c4f10f6b00530327ee17ffabdc2bb32bdc7fd6af7e87a014892574e91a9b310991a647bb95597

- \??\c:\programdata\aWFPjN.pdf
  MD5: 4a3d84d60398b29997429bba3f8cede6
  SHA1: 7dbdd6217b8e8bffe74933cbe78b1519707be749
  SHA256: d9f091e9057fd799c5aabd9bc994d6b28208b23bd67cf4b310363e90232d96e4
  SHA512: a93ad38e85f6de8de420bd841c24c96e28f2d1076da86e29eff1059d3c0a06b28bbbbc786cc12b91558f2bb81eadca708be2b82bdde71838c1080d4d6a7351db

- \ProgramData\aWFPjN.pdf
  MD5: 4a3d84d60398b29997429bba3f8cede6
  SHA1: 7dbdd6217b8e8bffe74933cbe78b1519707be749
  SHA256: d9f091e9057fd799c5aabd9bc994d6b28208b23bd67cf4b310363e90232d96e4
  SHA512: a93ad38e85f6de8de420bd841c24c96e28f2d1076da86e29eff1059d3c0a06b28bbbbc786cc12b91558f2bb81eadca708be2b82bdde71838c1080d4d6a7351db

- memory/540-2-0x00007FF805380000-0x00007FF8059B7000-memory.dmp
  Filesize: 6.2MB

- memory/1312-9-0x0000000000000000-mapping.dmp

- memory/3176-8-0x0000000000000000-mapping.dmp

- memory/3948-6-0x0000000000000000-mapping.dmp