f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70

General

Target

legislate 09.21.doc
Size

69KB
MD5

24001fc51ff0994fe9c43b4653918f5e
SHA1

ae3b0439ed5fc269887d0094c8afac934e7d8980
SHA256

f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
SHA512

28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1632	776	explorer.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

16 660 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
16	660	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

776 WINWORD.EXE
776 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXEexplorer.exemshta.exe

description	pid	process	target process
PID 776 wrote to memory of 1632	776	WINWORD.EXE	explorer.exe
PID 776 wrote to memory of 1632	776	WINWORD.EXE	explorer.exe
PID 2616 wrote to memory of 660	2616	explorer.exe	mshta.exe
PID 2616 wrote to memory of 660	2616	explorer.exe	mshta.exe
PID 2616 wrote to memory of 660	2616	explorer.exe	mshta.exe
PID 660 wrote to memory of 3404	660	mshta.exe	regsvr32.exe
PID 660 wrote to memory of 3404	660	mshta.exe	regsvr32.exe
PID 660 wrote to memory of 3404	660	mshta.exe	regsvr32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\explorer.exe
explorer caDePw.hta
2⤵
- Process spawned unexpected child process
PID:1632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg
3⤵
PID:3404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caDePw.hta
MD5
ce58d7ae8af9827a672b129d60c916d9

SHA1
498a881eb9e1960793654c7afc9406193e7c8db0

SHA256
b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84

SHA512
7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1

Download Submit
\??\c:\users\public\caDePw.jpg
MD5
ad2372f8969c14ed5fb2a79b253c02cb

SHA1
35cee6b360c3e1689760ea7b84ea82cfb08d25f4

SHA256
1db3169007ffa529c4924d1d25458d365437029dcb9b3521787e44883513c20c

SHA512
fd6430478c55ba1d99e2d52b2500719181ffc1f4c475f14a38065856b594d52ee9e92d9431f7c06772c5de43549891da243879aac41d72e7af0f078268a484d5

Download Submit
memory/660-259-0x0000000000000000-mapping.dmp

Download
memory/776-119-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-116-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-118-0x00007FFDF8960000-0x00007FFDFB483000-memory.dmp

Filesize
43.1MB

Download
memory/776-122-0x00007FFDF4E90000-0x00007FFDF5F7E000-memory.dmp

Filesize
16.9MB

Download
memory/776-123-0x00007FFDF2250000-0x00007FFDF4145000-memory.dmp

Filesize
31.0MB

Download
memory/776-366-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-117-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-114-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-365-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-115-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-363-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/776-364-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp

Filesize
64KB

Download
memory/1632-256-0x0000000000000000-mapping.dmp

Download
memory/3404-287-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads