Analysis

  • max time kernel: 1800s
  • max time network: 1803s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 30-05-2023 10:01

General

  • Target: translate.rtf
  • Size: 277KB
  • MD5: 92d994be99ea43c121ac4f4ddfacbf75
  • SHA1: f14afd2856dab6183150f6e269f5bb6f4a2e3f50
  • SHA256: 180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69
  • SHA512: 15582d1abff3b31bbd0dce88a6460ead829946ec251872ad9ad68ea75789bae9a87edbdd2bdd095739fae06734dcf62a02d3a8331d034d41741c93487d27bc01
  • SSDEEP: 6144:HPALkJvxKZ1cQ4HbvOcwIOZLx0fVZiiGP4kz2Vo:HPALkJvE34H7bL44kSS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (6 IoCs)
  • Loads dropped DLL (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\translate.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:1076

  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:836

  • C:\Windows\system32\taskeng.exe
    taskeng.exe {032F7FC9-7C49-46AC-B9E6-F2BE7FC95352} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6gt.b StartA
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6gt.b StartA
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Modifies system certificate store
        PID:896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\858B74BA.wmf
    Filesize: 162B
    MD5: 975b76e8e77d57cc386af977a08b1e31
    SHA1: cf893a58ef1a0f4a2f0ad3fe3a241c0c5bbcafa6
    SHA256: 8d80e9b9b39cd00f3bfadb3b2538dc46845fe8d0e7854d5dd9c9c381150dedad
    SHA512: 751eeec3defdc919d4afa72ca90df87649007cf189d5a6bb397a77a339cbd080f1203a67e37325e498375ae5838bb4184a00d4f2c0bff359c33e7f626d782e1c

  • C:\Users\Admin\AppData\Local\Temp\c6gt.b
    Filesize: 119KB
    MD5: 09bf850be5da44a1c3629a1f62813a83
    SHA1: a4e89d1f060e4dfd5f0fd4e7ba8be96967b39ac7
    SHA256: 21f173a347ed111ce67e4c0f2c0bd4ee34bb7ca765da03635ca5c0df394cd7e6
    SHA512: 744f45dfac55ed9e809492580f00bd518b520fddffb8181bdb9bb220244cf782ab81e8dd4cfa8b144d2ff8938b965c67dadc85c65e03ce1609523f44e1b0116d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 77ab648fb78de604e44ecf9299844ecb
    SHA1: bb7ab7339bbf98512fda237288d689ba7a5e7fa1
    SHA256: e66be5381ddb7272b38f4756bfbdd2352a0585d8a116d5d8766e4d85f9eaf51b
    SHA512: 2205a77ce95b2b225098ec9ab5b985c3ea0304a7db18845d4be913aa9bc79e414fdbd533f857d687153b1a9eb8f5bd1c6d4489754d7ee04aeec4f3611ee95be2

  • \Users\Admin\AppData\Local\Temp\c6gt.b
    Filesize: 119KB
    MD5: 09bf850be5da44a1c3629a1f62813a83
    SHA1: a4e89d1f060e4dfd5f0fd4e7ba8be96967b39ac7
    SHA256: 21f173a347ed111ce67e4c0f2c0bd4ee34bb7ca765da03635ca5c0df394cd7e6
    SHA512: 744f45dfac55ed9e809492580f00bd518b520fddffb8181bdb9bb220244cf782ab81e8dd4cfa8b144d2ff8938b965c67dadc85c65e03ce1609523f44e1b0116d

  • memory/1668-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/1668-89-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB