Analysis
- max time kernel: 127s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-09-2021 16:05
Behavioral task: behavioral1
- Sample: legislate 09.21.doc
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: legislate 09.21.doc
- Resource: win10v20210408
General
- Target: legislate 09.21.doc
- Size: 69KB
- MD5: 24001fc51ff0994fe9c43b4653918f5e
- SHA1: ae3b0439ed5fc269887d0094c8afac934e7d8980
- SHA256: f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
- SHA512: 28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa
Malware Config
Extracted
- Family: trickbot
- Version: 2000033
- Botnet: zem1
- C2 (28 servers as ip:port; 20 on 443, 8 on 449):
  179.42.137.102:443
  191.36.152.198:443
  179.42.137.104:443
  179.42.137.106:443
  179.42.137.108:443
  202.183.12.124:443
  194.190.18.122:443
  103.56.207.230:443
  171.103.187.218:449
  171.103.189.118:449
  18.139.111.104:443
  179.42.137.105:443
  186.4.193.75:443
  171.101.229.2:449
  179.42.137.107:443
  103.56.43.209:449
  179.42.137.110:443
  45.181.207.156:443
  197.44.54.162:449
  179.42.137.109:443
  103.59.105.226:449
  45.181.207.101:443
  117.196.236.205:443
  72.224.45.102:449
  179.42.137.111:443
  96.47.239.181:443
  171.100.112.190:449
  117.196.239.6:443
- Autorun:
  Name: pwgrabb
  Name: pwgrabc
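The C2 list above is only useful once it is a validated indicator set that can be run against telemetry. The following is an added example, not part of the sandbox report: the C2 entries are copied verbatim from the extracted config, while the FLOWS records are constructed to show the three outcomes a matcher needs to distinguish (exact ip:port hit, known address on an unlisted port, miss). Every entry is validated before it enters the set, so a stray token in a config dump fails loudly instead of silently widening or narrowing the match.

```python
"""Match flow records against the C2 list from the extracted TrickBot config.
Added example, not part of the sandbox report. TRICKBOT_C2 is copied from the
report; FLOWS is constructed for illustration."""
import ipaddress
from collections import Counter

# The 28 C2 entries (ip:port) exactly as listed in the extracted config.
TRICKBOT_C2 = """
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
"""


def parse_c2(text):
    """Return ({(ip, port)}, [malformed entries]); nothing is dropped silently."""
    indicators, malformed = set(), []
    for entry in text.split():
        host, sep, port = entry.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)      # raises on '' or a bad address
            port = int(port)                     # raises on '' or non-numeric
            if not sep or not 0 < port < 65536:
                raise ValueError(entry)
        except ValueError:
            malformed.append(entry)
            continue
        indicators.add((str(ip), port))
    return indicators, malformed


def port_profile(indicators):
    """How many servers listen on each port; 449 is the non-standard one."""
    return Counter(port for _, port in indicators)


def match_flows(flows, indicators):
    """Flag flows to a listed ip:port (high) or to a listed address on any
    other port (medium), keeping the original record for context."""
    c2_ips = {ip for ip, _ in indicators}
    hits = []
    for flow in flows:
        if (flow["dst"], flow["dport"]) in indicators:
            hits.append({**flow, "confidence": "high", "reason": "dst:port in C2 list"})
        elif flow["dst"] in c2_ips:
            hits.append({**flow, "confidence": "medium", "reason": "C2 address, unlisted port"})
    return hits


# Constructed flow records (not from the report): exact hit on 443, address-only
# hit, benign destination, exact hit on 449.
FLOWS = [
    {"src": "10.0.0.5", "dst": "179.42.137.102", "dport": 443},
    {"src": "10.0.0.5", "dst": "171.103.187.218", "dport": 80},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "dport": 443},
    {"src": "10.0.0.7", "dst": "197.44.54.162", "dport": 449},
]

if __name__ == "__main__":
    c2, bad = parse_c2(TRICKBOT_C2)
    print(f"{len(c2)} indicators, {len(bad)} malformed, ports: {dict(port_profile(c2))}")
    for hit in match_flows(FLOWS, c2):
        print(hit["confidence"], hit["dst"], hit["dport"], hit["reason"])
```

The medium-confidence branch is deliberate: TrickBot servers in a config are reused across ports and campaigns, so a connection to a listed address on a port the config does not name is still worth a ticket, just not an automatic block.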
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process; pid: 1700; pid_target: 2000; process: explorer.exe; target process: WINWORD.EXE

Blocklisted process makes network request (1 IoC)
Processes:
- flow: 6; pid: 1092; process: mshta.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoC)
Processes:
- pid: 1132; process: regsvr32.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow: 15; ioc: ipecho.net

Drops file in Windows directory (1 IoC)
Processes:
- description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; process: WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "likely ransomware behaviour", but the sample is classified above as TrickBot; on its own, drive enumeration is not evidence of encryption activity.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (10 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid: 2000; process: WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- description: Token: SeDebugPrivilege; pid: 2020; process: wermgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid: 2000; process: WINWORD.EXE (2 events)

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
- PID 2000 (WINWORD.EXE) wrote to memory of PID 1592 (splwow64.exe): 4 events
- PID 2000 (WINWORD.EXE) wrote to memory of PID 1700 (explorer.exe): 4 events
- PID 280 (explorer.exe) wrote to memory of PID 1092 (mshta.exe): 4 events
- PID 1092 (mshta.exe) wrote to memory of PID 1132 (regsvr32.exe): 7 events
- PID 1132 (regsvr32.exe) wrote to memory of PID 2020 (wermgr.exe): 6 events

Writes from a parent into a child it has just created are also produced by ordinary process start-up, so the raw count is weak evidence on its own; the pairing to weight is regsvr32.exe (the loader for caDePw.jpg) writing into wermgr.exe, the process that then enables SeDebugPrivilege.
Processes
(PIDs are those recorded in the signature tables above; PID 280 for the COM-activated explorer.exe comes from the WriteProcessMemory entries.)

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2000)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\splwow64.exe (PID 1592)
        Command line: C:\Windows\splwow64.exe 12288
    [2] C:\Windows\SysWOW64\explorer.exe (PID 1700)
        Command line: explorer caDePw.hta
        - Process spawned unexpected child process

[1] C:\Windows\explorer.exe (PID 280)
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\mshta.exe (PID 1092)
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta"
        - Blocklisted process makes network request
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\regsvr32.exe (PID 1132)
            Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\wermgr.exe (PID 2020)
                Command line: C:\Windows\system32\wermgr.exe
                - Suspicious use of AdjustPrivilegeToken

Reading the tree: Word (with VBA resources loaded, see Signatures) starts a 32-bit explorer.exe with the dropped caDePw.hta as its argument. Opening the .hta goes through the shell, and the request is serviced by the COM-activated explorer.exe instance (/factory ... -Embedding), so mshta.exe appears under that second top-level process rather than under Word. mshta.exe runs caDePw.hta and makes a network request, after which the PE file caDePw.jpg (see "Downloads MZ/PE file" and the Downloads list) is present in C:\Users\Public; regsvr32.exe loads it as a DLL, starts wermgr.exe, writes into it, and wermgr.exe then enables SeDebugPrivilege. Two details matter for detection: regsvr32.exe is invoked by its System32 path but runs from SysWOW64 because the 32-bit mshta.exe is subject to file-system redirection, so rules keyed on the image path must allow for both; and wermgr.exe is a signed Windows binary, so the parent (regsvr32.exe) and the privilege change are the signals, not the image itself.
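The chain above maps onto four process-creation rules. The following is an added example, not part of the sandbox report: it runs those rules over Sysmon Event ID 1 style records. EVENTS is constructed to mirror the tree (images, command lines and PIDs are taken from the report; the parent images of the two top-level processes are assumptions), and the splwow64.exe row is the benign control that must not alert. The Office allow-list and the expected wermgr.exe parent are assumptions to be tuned per estate.

```python
"""Process-tree rules for the WINWORD -> explorer -> mshta -> regsvr32 -> wermgr
chain, over Sysmon Event ID 1 style records. Added example, not part of the
sandbox report; EVENTS is constructed to mirror the report's process tree."""
import ntpath
import shlex

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_ALLOWED_CHILDREN = {"splwow64.exe"}   # print-spooler helper; assumed benign
SCRIPT_EXTS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}
MODULE_EXTS = {".dll", ".ocx", ".ax"}        # what regsvr32.exe is expected to register
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\")
WERMGR_EXPECTED_PARENT = "svchost.exe"       # assumption: the WER service host

EVENTS = [
    {"pid": 2000, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",          # assumed: the user's shell
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc"'},
    {"pid": 1592, "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 1700, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r"explorer caDePw.hta"},
    {"pid": 280, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",  # assumed: DCOM activation
     "cmd": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 1092, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta"'},
    {"pid": 1132, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'"C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg'},
    {"pid": 2020, "image": r"C:\Windows\system32\wermgr.exe",
     "parent_image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"C:\Windows\system32\wermgr.exe"},
]


def image_name(path):
    return ntpath.basename(path).lower()


def cmdline_args(cmd):
    """Tokens after the executable, Windows style: quoted tokens stay whole and
    backslashes are literal (posix=False); surrounding quotes are stripped."""
    return [tok.strip('"') for tok in shlex.split(cmd, posix=False)[1:]]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events):
    """Return one alert per rule match: rule id, pid, image, reason."""
    alerts = []
    for ev in events:
        child, parent = image_name(ev["image"]), image_name(ev["parent_image"])

        def add(rule, why):
            alerts.append({"rule": rule, "pid": ev["pid"], "image": child, "why": why})

        # R1: Office spawning anything outside its known helper set
        if parent in OFFICE_PARENTS and child not in OFFICE_ALLOWED_CHILDREN:
            add("R1", f"{parent} spawned {child}")
        for arg in cmdline_args(ev["cmd"]):
            if arg[:1] in ("/", "-"):            # switches: /n, /factory, -Embedding
                continue
            ext = ntpath.splitext(arg)[1].lower()
            # R2: a script payload (.hta here) handed to any process on its command line
            if ext in SCRIPT_EXTS:
                add("R2", f"script payload on command line: {arg}")
            # R3: regsvr32 pointed at a non-module extension or a user-writable path
            if child == "regsvr32.exe" and (ext not in MODULE_EXTS or in_user_writable(arg)):
                add("R3", f"regsvr32 registering {arg}")
        # R4: wermgr.exe with an unexpected parent, the injection host in this chain
        if child == "wermgr.exe" and parent != WERMGR_EXPECTED_PARENT:
            add("R4", f"wermgr.exe started by {parent}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert["rule"], alert["pid"], alert["image"], alert["why"])
```

R3 fires on either condition on purpose: renaming the payload to caDePw.dll would defeat an extension-only rule, and moving it out of C:\Users\Public would defeat a path-only one. Matching on the image name rather than the full path is what keeps R3 and R4 working when the SysWOW64 redirection described above changes the recorded image path.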
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\caDePw.hta
- MD5: ce58d7ae8af9827a672b129d60c916d9
- SHA1: 498a881eb9e1960793654c7afc9406193e7c8db0
- SHA256: b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84
- SHA512: 7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1

\??\c:\users\public\caDePw.jpg
- MD5: a72b41be79e3fba13890f3487e6e794b
- SHA1: 180ec439b27f512428550d3a199edcd013754602
- SHA256: b4095d1c356a145cca001102abd0ad719a1798594756d20e198f92a39ba21af7
- SHA512: 4c21d93e14aea94afca3378b6adbddad2c0ddc579d1bf81e437da2b42d1228992ffe61532a3055af9e794144c3ff0f8f31aff9c9e297a0dba41d649af614a3d6

\Users\Public\caDePw.jpg (same content as the entry above, recorded under a second path form)
- MD5: a72b41be79e3fba13890f3487e6e794b
- SHA1: 180ec439b27f512428550d3a199edcd013754602
- SHA256: b4095d1c356a145cca001102abd0ad719a1798594756d20e198f92a39ba21af7
- SHA512: 4c21d93e14aea94afca3378b6adbddad2c0ddc579d1bf81e437da2b42d1228992ffe61532a3055af9e794144c3ff0f8f31aff9c9e297a0dba41d649af614a3d6

Memory dumps:
- memory/1092-70-0x0000000000000000-mapping.dmp
- memory/1132-82-0x00000000004F0000-0x0000000000501000-memory.dmp, Filesize: 68KB
- memory/1132-83-0x00000000004E1000-0x00000000004E3000-memory.dmp, Filesize: 8KB
- memory/1132-81-0x0000000000490000-0x00000000004D5000-memory.dmp, Filesize: 276KB
- memory/1132-78-0x0000000000450000-0x0000000000488000-memory.dmp, Filesize: 224KB
- memory/1132-76-0x0000000010000000-0x0000000010004000-memory.dmp, Filesize: 16KB
- memory/1132-72-0x0000000000000000-mapping.dmp
- memory/1592-63-0x0000000000000000-mapping.dmp
- memory/1592-64-0x000007FEFC251000-0x000007FEFC253000-memory.dmp, Filesize: 8KB
- memory/1700-67-0x000000006BB11000-0x000000006BB13000-memory.dmp, Filesize: 8KB
- memory/1700-65-0x0000000000000000-mapping.dmp
- memory/2000-62-0x0000000075D11000-0x0000000075D13000-memory.dmp, Filesize: 8KB
- memory/2000-61-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
- memory/2000-60-0x00000000707D1000-0x00000000707D3000-memory.dmp, Filesize: 8KB
- memory/2000-59-0x0000000072D51000-0x0000000072D54000-memory.dmp, Filesize: 12KB
- memory/2000-87-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize: 64KB
- memory/2020-84-0x0000000000000000-mapping.dmp
- memory/2020-86-0x0000000000110000-0x0000000000111000-memory.dmp, Filesize: 4KB
- memory/2020-85-0x0000000000060000-0x0000000000089000-memory.dmp, Filesize: 164KB
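caDePw.jpg is the file to look for on disk: a .jpg by name that the "Downloads MZ/PE file" and "Loads dropped DLL" signatures show to be a PE image, loaded by regsvr32.exe. The following is an added example, not part of the sandbox report, of the content-versus-extension check that catches this. The bytes in SAMPLES are constructed (a minimal PE header built by build_pe, a JPEG header, a truncated MZ stub); the report does not include the real caDePw.jpg content, so nothing here is derived from it beyond the path.

```python
"""Content-versus-extension check for dropped files. Added example, not part
of the sandbox report; SAMPLES holds constructed bytes, not the real file."""
import ntpath
import struct

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
EXPECTED_EXT = {"PE": {".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl"},
                "JPEG": {".jpg", ".jpeg"}}


def identify(data):
    """Classify by content only: ('PE', detail) | ('JPEG', '') | ('MZ-stub', why) | ('unknown', '')."""
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG", ""
    if data[:2] != b"MZ":
        return "unknown", ""
    if len(data) < 0x40:
        return "MZ-stub", "truncated DOS header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Bounds-check before trusting e_lfanew: a hostile or truncated file can point anywhere.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ-stub", "no PE signature at e_lfanew"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    kind = "DLL" if chars & IMAGE_FILE_DLL else "EXE"
    return "PE", f"{kind} {MACHINES.get(machine, hex(machine))} sections={nsections}"


def check(path, data):
    """Pair the content type with the extension and report whether they disagree."""
    kind, detail = identify(data)
    ext = ntpath.splitext(path)[1].lower()
    expected = EXPECTED_EXT.get(kind)
    return {"path": path, "kind": kind, "detail": detail,
            "mismatch": expected is not None and ext not in expected}


def build_pe(characteristics, machine=0x14C, sections=3):
    """Constructed minimal image: 0x40-byte DOS header with e_lfanew=0x40, then the
    PE signature and IMAGE_FILE_HEADER. Enough for identify(); not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    file_header = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + file_header


# Constructed inputs: a DLL (EXECUTABLE|32BIT|DLL) under the report's .jpg path,
# a real JPEG header, an MZ magic with nothing behind it, and a DLL named as one.
SAMPLES = {
    r"c:\users\public\caDePw.jpg": build_pe(0x2102),
    r"C:\Users\Admin\Pictures\cat.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
    r"C:\Users\Public\stub.bin": b"MZ" + b"\0" * 10,
    r"C:\Program Files\Tool\helper.dll": build_pe(0x2022, 0x8664),
}


def scan(samples):
    return [check(path, data) for path, data in samples.items()]


if __name__ == "__main__":
    for result in scan(SAMPLES):
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{flag:8} {result['kind']:7} {result['detail']:24} {result['path']}")
```

Reading the Characteristics DLL bit is what turns "a PE under a .jpg name" into "a DLL under a .jpg name", which matches how the sample was used (regsvr32.exe registering it). Files that are MZ-only, or whose e_lfanew points outside the buffer, are reported as stubs rather than crashing the scan, because damaged or deliberately malformed headers are common in dropped payloads.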