Analysis
- max time kernel: 242s
- max time network: 276s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-10-2021 15:11
Behavioral task: behavioral1
- Sample: legislate_010.21.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: legislate_010.21.doc
- Resource: win10-en-20210920
General
- Target: legislate_010.21.doc
- Size: 70KB
- MD5: 61175a4989e7385ced2c1bfc25475fa3
- SHA1: a483c693d5e6051c424b89a0c5f8dc9b74ddda00
- SHA256: c59af94345b6590f1027e9e3de115c410972deb01a2e3754aaca9485fda96382
- SHA512: 4dc66db87e84ad33fbe0418e38ec534a35a2b02a6648d5bf49269087a1de49adc12f8ce74bfe0379998148f93288c1c751f217cb47c4630294e8734dbee2e034
Malware Config
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process; pid: 1628; pid_target: 1972; process: mshta.exe; target process: WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes:
  - flow: 7; pid: 1628; process: mshta.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  - description: File opened for modification; ioc: C:\Windows\Debug\WIA\wiatrace.log; process: WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes:
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt; process: WINWORD.EXE
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote; process: WINWORD.EXE
  - description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"; process: WINWORD.EXE
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main; process: mshta.exe
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar; process: WINWORD.EXE
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"; process: WINWORD.EXE
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"; process: WINWORD.EXE
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel; process: WINWORD.EXE
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"; process: WINWORD.EXE
  - description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"; process: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - pid: 1972; process: WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - pid: 1972; process: WINWORD.EXE
  - pid: 1972; process: WINWORD.EXE
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - description: PID 1972 wrote to memory of 1628; pid: 1972; process: WINWORD.EXE; target process: mshta.exe (4 entries)
  - description: PID 1972 wrote to memory of 1220; pid: 1972; process: WINWORD.EXE; target process: splwow64.exe (4 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate_010.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\loveLineSea.hta"
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\loveLineSea.hta
  - MD5: c6e6ea84c99a481d69064b542e8f51eb
  - SHA1: 271ddc8241181743b544d854a82c34abfa673817
  - SHA256: 3358c103d0f474762b2f075933e7e56827e7aa11a1ae5f62e6a932366570afa1
  - SHA512: c3678f8d56e2d2088da3a410f7f13249d9ffb31f26c06131d93124ff728b93a7c378eca1968299375683a912270a46bdb0461fdf215680dbfec35381a19ace2d
- memory/1220-71-0x0000000000000000-mapping.dmp
- memory/1220-72-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp (Filesize: 8KB)
- memory/1628-68-0x0000000000000000-mapping.dmp
- memory/1972-61-0x0000000070831000-0x0000000070833000-memory.dmp (Filesize: 8KB)
- memory/1972-60-0x0000000072DB1000-0x0000000072DB4000-memory.dmp (Filesize: 12KB)
- memory/1972-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1972-63-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (Filesize: 8KB)
- memory/1972-64-0x00000000006F6000-0x00000000006FA000-memory.dmp (Filesize: 16KB)
- memory/1972-65-0x00000000006F6000-0x00000000006FA000-memory.dmp (Filesize: 16KB)
- memory/1972-66-0x00000000006F6000-0x00000000006FA000-memory.dmp (Filesize: 16KB)
- memory/1972-67-0x00000000006F6000-0x00000000006FA000-memory.dmp (Filesize: 16KB)