Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-09-2021 16:05
Behavioral task: behavioral1
- Sample: legislate 09.21.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: legislate 09.21.doc
- Resource: win10v20210408
General
- Target: legislate 09.21.doc
- Size: 69KB
- MD5: 24001fc51ff0994fe9c43b4653918f5e
- SHA1: ae3b0439ed5fc269887d0094c8afac934e7d8980
- SHA256: f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
- SHA512: 28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
- description: Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process
  pid: 2640
  pid_target: 808
  process: explorer.exe
  target process: WINWORD.EXE

Program crash (1 IoC)
Processes:
- pid: 2204
  pid_target: 1048
  process: WerFault.exe
  target process: mshta.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened
  ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  process: WINWORD.EXE
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  process: WINWORD.EXE
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  process: WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- description: Key opened
  ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  process: WINWORD.EXE
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  process: WINWORD.EXE
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  process: WINWORD.EXE

Modifies registry class (1 IoC)
Processes:
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings
  process: explorer.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- pid: 808
  process: WINWORD.EXE
  (2 identical entries)

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
- pid: 2204
  process: WerFault.exe
  (15 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- description: Token: SeRestorePrivilege
  pid: 2204
  process: WerFault.exe
- description: Token: SeBackupPrivilege
  pid: 2204
  process: WerFault.exe
- description: Token: SeDebugPrivilege
  pid: 2204
  process: WerFault.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
- pid: 808
  process: WINWORD.EXE
  (14 identical entries)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
- description: PID 808 wrote to memory of 2640
  pid: 808
  process: WINWORD.EXE
  target process: explorer.exe
  (2 identical entries)
- description: PID 3820 wrote to memory of 1048
  pid: 3820
  process: explorer.exe
  target process: mshta.exe
  (3 identical entries)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc" /o ""
  signatures:
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    command line: explorer caDePw.hta
    signatures:
      - Process spawned unexpected child process
- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  signatures:
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1320
      signatures:
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\caDePw.hta
  MD5: ce58d7ae8af9827a672b129d60c916d9
  SHA1: 498a881eb9e1960793654c7afc9406193e7c8db0
  SHA256: b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84
  SHA512: 7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1
- memory/808-117-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-352-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-114-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-119-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-118-0x00007FF9FEC10000-0x00007FFA01733000-memory.dmp
  Filesize: 43.1MB
- memory/808-122-0x000001BA86730000-0x000001BA8781E000-memory.dmp
  Filesize: 16.9MB
- memory/808-123-0x00007FF9F6AF0000-0x00007FF9F89E5000-memory.dmp
  Filesize: 31.0MB
- memory/808-355-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-115-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-354-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-116-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/808-353-0x00007FF9DCDF0000-0x00007FF9DCE00000-memory.dmp
  Filesize: 64KB
- memory/1048-259-0x0000000000000000-mapping.dmp
- memory/2640-256-0x0000000000000000-mapping.dmp