c59af94345b6590f1027e9e3de115c410972deb01a2e3754aaca9485fda96382

General

Target

legislate_010.21.doc
Size

70KB
MD5

61175a4989e7385ced2c1bfc25475fa3
SHA1

a483c693d5e6051c424b89a0c5f8dc9b74ddda00
SHA256

c59af94345b6590f1027e9e3de115c410972deb01a2e3754aaca9485fda96382
SHA512

4dc66db87e84ad33fbe0418e38ec534a35a2b02a6648d5bf49269087a1de49adc12f8ce74bfe0379998148f93288c1c751f217cb47c4630294e8734dbee2e034

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3832	1720	mshta.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

38 3832 mshta.exe

flow	pid	process
38	3832	mshta.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
1720 WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXE

pid	process
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1720 wrote to memory of 3832	1720	WINWORD.EXE	mshta.exe
PID 1720 wrote to memory of 3832	1720	WINWORD.EXE	mshta.exe
PID 1720 wrote to memory of 3832	1720	WINWORD.EXE	mshta.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legislate_010.21.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\loveLineSea.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\loveLineSea.hta
MD5
c6e6ea84c99a481d69064b542e8f51eb

SHA1
271ddc8241181743b544d854a82c34abfa673817

SHA256
3358c103d0f474762b2f075933e7e56827e7aa11a1ae5f62e6a932366570afa1

SHA512
c3678f8d56e2d2088da3a410f7f13249d9ffb31f26c06131d93124ff728b93a7c378eca1968299375683a912270a46bdb0461fdf215680dbfec35381a19ace2d

Download Submit
memory/1720-115-0x00007FFE96460000-0x00007FFE96470000-memory.dmp

Filesize
64KB

Download
memory/1720-116-0x00007FFE96460000-0x00007FFE96470000-memory.dmp

Filesize
64KB

Download
memory/1720-118-0x00007FFE96460000-0x00007FFE96470000-memory.dmp

Filesize
64KB

Download
memory/1720-117-0x00007FFE96460000-0x00007FFE96470000-memory.dmp

Filesize
64KB

Download
memory/1720-119-0x000002303E0D0000-0x000002303E0D2000-memory.dmp

Filesize
8KB

Download
memory/1720-120-0x000002303E0D0000-0x000002303E0D2000-memory.dmp

Filesize
8KB

Download
memory/1720-121-0x00007FFE96460000-0x00007FFE96470000-memory.dmp

Filesize
64KB

Download
memory/1720-122-0x000002303E0D0000-0x000002303E0D2000-memory.dmp

Filesize
8KB

Download
memory/3832-270-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads