Analysis
- max time kernel: 252s
- max time network: 373s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-09-2021 16:55
Behavioral task: behavioral1
- Sample: legislate 09.21.doc
- Resource: win7-en
Behavioral task: behavioral2
- Sample: legislate 09.21.doc
- Resource: win10v20210408
General
- Target: legislate 09.21.doc
- Size: 69KB
- MD5: 24001fc51ff0994fe9c43b4653918f5e
- SHA1: ae3b0439ed5fc269887d0094c8afac934e7d8980
- SHA256: f0fc164d92dfb1e3890153984d931ced828bb68b7aa6126980aded29720aea70
- SHA512: 28c8d747b8e8d8629c192501cc418e42cf4fce94d77f03c67431bb985c48b152763afde1b178778b71dababe6a47a625c13cad3b865465b935866b5bf0df42fa
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 1632 | 776 | explorer.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    16 | 660 | mshta.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid | process):
    776 | WINWORD.EXE (2 identical entries)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes (pid | process):
    776 | WINWORD.EXE (10 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 776 wrote to memory of 1632 | 776 | WINWORD.EXE | explorer.exe (2 identical entries)
    PID 2616 wrote to memory of 660 | 2616 | explorer.exe | mshta.exe (3 identical entries)
    PID 660 wrote to memory of 3404 | 660 | mshta.exe | regsvr32.exe (3 identical entries)
Processes (process tree; nesting shows parent/child relationship)
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate 09.21.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    Command line: explorer caDePw.hta
    - Process spawned unexpected child process
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\caDePw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\caDePw.jpg
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\caDePw.hta
  MD5: ce58d7ae8af9827a672b129d60c916d9
  SHA1: 498a881eb9e1960793654c7afc9406193e7c8db0
  SHA256: b9e0a85002d438f8a8a9e13583324dfbe4b05cffcc07cc889dcc0fd9dd85ad84
  SHA512: 7bbe178df4f37dcadb4f90db2edb5d5b502ef36bf1a1a9cfc33ac4f0229faf5d10399a365010943ebb5411361de360a1e3cb54ba7d658b27fde686dc931f7cb1
- \??\c:\users\public\caDePw.jpg
  MD5: ad2372f8969c14ed5fb2a79b253c02cb
  SHA1: 35cee6b360c3e1689760ea7b84ea82cfb08d25f4
  SHA256: 1db3169007ffa529c4924d1d25458d365437029dcb9b3521787e44883513c20c
  SHA512: fd6430478c55ba1d99e2d52b2500719181ffc1f4c475f14a38065856b594d52ee9e92d9431f7c06772c5de43549891da243879aac41d72e7af0f078268a484d5
- memory/660-259-0x0000000000000000-mapping.dmp
- memory/776-119-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-116-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-118-0x00007FFDF8960000-0x00007FFDFB483000-memory.dmp (Filesize: 43.1MB)
- memory/776-122-0x00007FFDF4E90000-0x00007FFDF5F7E000-memory.dmp (Filesize: 16.9MB)
- memory/776-123-0x00007FFDF2250000-0x00007FFDF4145000-memory.dmp (Filesize: 31.0MB)
- memory/776-366-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-117-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-114-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-365-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-115-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-363-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/776-364-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp (Filesize: 64KB)
- memory/1632-256-0x0000000000000000-mapping.dmp
- memory/3404-287-0x0000000000000000-mapping.dmp