07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8

Analysis

max time kernel
101s
max time network
29s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 05:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc0b1bf6acbc5bf74687b41539a2f5f2.rtf
Size

183KB
MD5

cc0b1bf6acbc5bf74687b41539a2f5f2
SHA1

d00f6f1e88dbf44138b6567663e04fc1a891c897
SHA256

07a74ba9028da2e0dff7ffb089b57d62443d7799e6d0cf8383e3e04959aad3b8
SHA512

21b04aabdf131140d382f91877de1776d7dfc4216a2fb285bfcf5d04e434ef3660baa1c201cd7262a497335b93e71e5f100b658cc4c4e2a69eb1372a3113eff3
SSDEEP

3072:gA/ssVro41nt9Y4KELzWGFAACFEF1lyE8DXSuM3D1lADmRLYe7oX:gSsUMmXY66GAACFEF1lyIuGD1lHaecX

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	840	EQNEDT32.EXE
5	2764	WScript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
840	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2028	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	WINWORD.EXE
2028	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2764	840	EQNEDT32.EXE	30
PID 840 wrote to memory of 2764	840	EQNEDT32.EXE	30
PID 840 wrote to memory of 2764	840	EQNEDT32.EXE	30
PID 840 wrote to memory of 2764	840	EQNEDT32.EXE	30
PID 2028 wrote to memory of 2528	2028	WINWORD.EXE	32
PID 2028 wrote to memory of 2528	2028	WINWORD.EXE	32
PID 2028 wrote to memory of 2528	2028	WINWORD.EXE	32
PID 2028 wrote to memory of 2528	2028	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\cc0b1bf6acbc5bf74687b41539a2f5f2.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2528

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\freesweetkissingmetoyo.vBS"
  2⤵
  - Blocklisted process makes network request
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
60e95e3eeed36dcb85908efe199a6545

SHA1
4efd11495cf64deecd2ed919e5e57dceeddf5a54

SHA256
c23c3781f9874e39019488b5f45afca87f9b2d7fc8dc856b0be9bcb244825df8

SHA512
5b9dca0894977417d59ec1d924e1cce25ddef30b73e9c07d5fe7f818f0330e2a228c10107255f89088b0dda73cb5b14d684dfef5637d78e237c372cb146a6357

Download Submit
C:\Users\Admin\AppData\Roaming\freesweetkissingmetoyo.vBS

Filesize
3KB

MD5
3a662677ada03eb1a708ef22c80fe3b2

SHA1
6f62abdbdf9a08a1148896839fda2d47c2c4a61e

SHA256
6a7d7572caa34b9dbbeb496b94c8b7deafbc6de0bdf30673e421d06a8fba75e5

SHA512
f631be8c4ecaa2678586696076451f898b5167c072e19929a7902cedbb35c20a09f2c91b829ce06c8f472b8817ebf9f516ae53a8d72cbbe45ea17a6b4e329d00

Download Submit
memory/2028-0-0x000000002FAC1000-0x000000002FAC2000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-2-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2028-12-0x00000000715FD000-0x0000000071608000-memory.dmp

Filesize
44KB

Download
memory/2028-30-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download