Overview

overview

10

Static

static

8

legislate_010.21.doc

windows7_x64

10

legislate_010.21.doc

windows10_x64

10

Analysis

  • max time kernel
    242s
  • max time network
    276s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-10-2021 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    legislate_010.21.doc

  • Size

    70KB

  • MD5

    61175a4989e7385ced2c1bfc25475fa3

  • SHA1

    a483c693d5e6051c424b89a0c5f8dc9b74ddda00

  • SHA256

    c59af94345b6590f1027e9e3de115c410972deb01a2e3754aaca9485fda96382

  • SHA512

    4dc66db87e84ad33fbe0418e38ec534a35a2b02a6648d5bf49269087a1de49adc12f8ce74bfe0379998148f93288c1c751f217cb47c4630294e8734dbee2e034

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate_010.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\loveLineSea.hta"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      PID:1628
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1220

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\users\public\loveLineSea.hta
      MD5

      c6e6ea84c99a481d69064b542e8f51eb

      SHA1

      271ddc8241181743b544d854a82c34abfa673817

      SHA256

      3358c103d0f474762b2f075933e7e56827e7aa11a1ae5f62e6a932366570afa1

      SHA512

      c3678f8d56e2d2088da3a410f7f13249d9ffb31f26c06131d93124ff728b93a7c378eca1968299375683a912270a46bdb0461fdf215680dbfec35381a19ace2d

      Download Submit
    • memory/1220-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1220-72-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1628-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-61-0x0000000070831000-0x0000000070833000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1972-60-0x0000000072DB1000-0x0000000072DB4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1972-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1972-63-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1972-64-0x00000000006F6000-0x00000000006FA000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1972-65-0x00000000006F6000-0x00000000006FA000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1972-66-0x00000000006F6000-0x00000000006FA000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1972-67-0x00000000006F6000-0x00000000006FA000-memory.dmp
      Filesize

      16KB

      Download