Analysis
- max time kernel: 1776s
- max time network: 1786s
- platform: windows7_x64
- resource: win7-en
- submitted: 13-09-2021 16:55
Behavioral task behavioral1
- Sample: legislate 09.21.doc
- Resource: win7-en
Behavioral task behavioral2
- Sample: legislate 09.21.doc
- Resource: win10v20210408
General
- Target: legislate 09.21.doc
- Size: 69KB
- MD5: 24001fc51ff0994fe9c43b4653918f5e
- SHA1: ae3b0439ed5fc269887d0094c8afac934e7d8980
- SHA256: f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
- SHA512: 28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa
Malware Config
Extracted
- Family: trickbot
- Version: 2000033
- Botnet: zem1
- C2:
179.42.137.102:443
191.36.152.198:443
179.42.137.104:443
179.42.137.106:443
179.42.137.108:443
202.183.12.124:443
194.190.18.122:443
103.56.207.230:443
171.103.187.218:449
171.103.189.118:449
18.139.111.104:443
179.42.137.105:443
186.4.193.75:443
171.101.229.2:449
179.42.137.107:443
103.56.43.209:449
179.42.137.110:443
45.181.207.156:443
197.44.54.162:449
179.42.137.109:443
103.59.105.226:449
45.181.207.101:443
117.196.236.205:443
72.224.45.102:449
179.42.137.111:443
96.47.239.181:443
171.100.112.190:449
117.196.239.6:443
- autorun:
  Name: pwgrabb
  Name: pwgrabc
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 536 | 1960 | explorer.exe | WINWORD.EXE
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
7 | 572 | mshta.exe
-
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
760 | regsvr32.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
14 | ident.me
15 | ident.me
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\cn\zlrkod.txt | wermgr.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
1888 | ipconfig.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1960 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
1980 | svchost.exe
632 | svchost.exe
632 | svchost.exe
1892 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1276 | wermgr.exe
Token: SeDebugPrivilege | 1980 | svchost.exe
Token: SeDebugPrivilege | 632 | svchost.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1960 | WINWORD.EXE
1960 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1960 wrote to memory of 1660 | 1960 | WINWORD.EXE | splwow64.exe (4 entries)
PID 1960 wrote to memory of 536 | 1960 | WINWORD.EXE | explorer.exe (4 entries)
PID 1676 wrote to memory of 572 | 1676 | explorer.exe | mshta.exe (4 entries)
PID 572 wrote to memory of 760 | 572 | mshta.exe | regsvr32.exe (7 entries)
PID 760 wrote to memory of 1276 | 760 | regsvr32.exe | wermgr.exe (6 entries)
PID 1276 wrote to memory of 1980 | 1276 | wermgr.exe | svchost.exe (all remaining entries of the 64 IoCs)
Processes
Process tree (indentation shows parent/child depth; each entry is the image path followed by its command line and the signatures it triggered):
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\explorer.exe
    explorer caDePw.hta
    - Process spawned unexpected child process
C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta"
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          - Suspicious behavior: EnumeratesProcesses
          C:\Windows\system32\cmd.exe
            /c ipconfig /all
            C:\Windows\system32\ipconfig.exe
              ipconfig /all
              - Gathers network information
          C:\Windows\system32\cmd.exe
            /c net config workstation
            C:\Windows\system32\net.exe
              net config workstation
              C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 config workstation
          C:\Windows\system32\cmd.exe
            /c net view /all
            C:\Windows\system32\net.exe
              net view /all
              - Discovers systems in the same network
          C:\Windows\system32\cmd.exe
            /c net view /all /domain
            C:\Windows\system32\net.exe
              net view /all /domain
              - Discovers systems in the same network
          C:\Windows\system32\cmd.exe
            /c nltest /domain_trusts
            C:\Windows\system32\nltest.exe
              nltest /domain_trusts
          C:\Windows\system32\cmd.exe
            /c nltest /domain_trusts /all_trusts
            C:\Windows\system32\nltest.exe
              nltest /domain_trusts /all_trusts
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\caDePw.hta
  MD5: ce58d7ae8af9827a672b129d60c916d9
  SHA1: 498a881eb9e1960793654c7afc9406193e7c8db0
  SHA256: b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84
  SHA512: 7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1
- \??\PIPE\browser (hash values of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\users\public\caDePw.jpg
  MD5: 51cadb33db8286759383a1abe67977f4
  SHA1: 25322ee0e419802cd09b35a1d25c9b8a0583944a
  SHA256: 61a2c852be95d33e301b61704853bee40419b973464628b64d2452cdecad5777
  SHA512: f2dacec3105af520713f05115e371fa9551819d7228677f392c77e5442c02f70afccd7ee952858ce0d85895364e8c47be15fe6ed7a8620b1cbe6e4e5b83c70d5
- \Users\Public\caDePw.jpg
  MD5: 51cadb33db8286759383a1abe67977f4
  SHA1: 25322ee0e419802cd09b35a1d25c9b8a0583944a
  SHA256: 61a2c852be95d33e301b61704853bee40419b973464628b64d2452cdecad5777
  SHA512: f2dacec3105af520713f05115e371fa9551819d7228677f392c77e5442c02f70afccd7ee952858ce0d85895364e8c47be15fe6ed7a8620b1cbe6e4e5b83c70d5
- memory/536-59-0x0000000000000000-mapping.dmp
- memory/536-61-0x000000006B761000-0x000000006B763000-memory.dmp (Filesize 8KB)
- memory/572-64-0x0000000000000000-mapping.dmp
- memory/632-86-0x0000000000000000-mapping.dmp
- memory/760-75-0x00000000004F0000-0x0000000000501000-memory.dmp (Filesize 68KB)
- memory/760-74-0x0000000000610000-0x0000000000655000-memory.dmp (Filesize 276KB)
- memory/760-71-0x00000000001D0000-0x0000000000208000-memory.dmp (Filesize 224KB)
- memory/760-65-0x0000000000000000-mapping.dmp
- memory/760-76-0x0000000000271000-0x0000000000273000-memory.dmp (Filesize 8KB)
- memory/760-69-0x0000000010000000-0x0000000010004000-memory.dmp (Filesize 16KB)
- memory/808-98-0x0000000000000000-mapping.dmp
- memory/968-100-0x0000000000000000-mapping.dmp
- memory/1276-78-0x0000000000060000-0x0000000000089000-memory.dmp (Filesize 164KB)
- memory/1276-79-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize 4KB)
- memory/1276-77-0x0000000000000000-mapping.dmp
- memory/1340-106-0x0000000000000000-mapping.dmp
- memory/1356-104-0x0000000000000000-mapping.dmp
- memory/1404-99-0x0000000000000000-mapping.dmp
- memory/1508-90-0x0000000000000000-mapping.dmp
- memory/1516-107-0x0000000000000000-mapping.dmp
- memory/1556-108-0x0000000000000000-mapping.dmp
- memory/1660-58-0x000007FEFC161000-0x000007FEFC163000-memory.dmp (Filesize 8KB)
- memory/1660-57-0x0000000000000000-mapping.dmp
- memory/1680-101-0x0000000000000000-mapping.dmp
- memory/1756-109-0x0000000000000000-mapping.dmp
- memory/1824-102-0x0000000000000000-mapping.dmp
- memory/1888-97-0x0000000000000000-mapping.dmp
- memory/1892-93-0x0000000180000000-0x000000018000A000-memory.dmp (Filesize 40KB)
- memory/1892-92-0x0000000000000000-mapping.dmp
- memory/1912-103-0x0000000000000000-mapping.dmp
- memory/1960-53-0x0000000072AB1000-0x0000000072AB4000-memory.dmp (Filesize 12KB)
- memory/1960-55-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1960-54-0x0000000070531000-0x0000000070533000-memory.dmp (Filesize 8KB)
- memory/1960-80-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/1960-56-0x0000000075C11000-0x0000000075C13000-memory.dmp (Filesize 8KB)
- memory/1980-85-0x00000000000E0000-0x00000000000E1000-memory.dmp (Filesize 4KB)
- memory/1980-81-0x0000000000000000-mapping.dmp
- memory/2032-96-0x0000000000000000-mapping.dmp