ff221c26a6ad233a179ede24b8156649e2e4338af867571943a2f114650bffa2

Resubmissions

04-11-2024 10:50

241104-mxgdbsyfmh 10

04-11-2024 10:46

241104-mvgajszamq 8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ_PO_091232.rtf
Size

825KB
MD5

666036634de5de5ff28819cec19299f3
SHA1

4cb3fb08d6a173e1526f48d1d4237c29f9a49f5f
SHA256

ff221c26a6ad233a179ede24b8156649e2e4338af867571943a2f114650bffa2
SHA512

6f8ede92bcc457c2bc07f3ad15a33799d288b4eb6d56f1b8b44517c36373d35a4fe1e4804e90f5069ccfa400731cd172997ac23a154cbf3640fe5da355fb8eac
SSDEEP

6144:HcwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAjjFkYwsQ+jGnThT:2

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow	pid	Process
3	2788	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1300	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

jequduhalcat.exejequduhalcat.exejequduhalcat.exejequduhalcat.exejequduhalcat.exejequduhalcat.exe

pid	Process
2752	jequduhalcat.exe
608	jequduhalcat.exe
2088	jequduhalcat.exe
2900	jequduhalcat.exe
2192	jequduhalcat.exe
2912	jequduhalcat.exe

Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid	Process
2788	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeWINWORD.EXEEQNEDT32.EXEjequduhalcat.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jequduhalcat.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

Processes:

EQNEDT32.EXE

pid	Process
2788	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2196	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

jequduhalcat.exepowershell.exe

pid	Process
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
2752	jequduhalcat.exe
1300	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jequduhalcat.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2752	jequduhalcat.exe
Token: SeDebugPrivilege	1300	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2196	WINWORD.EXE
2196	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEjequduhalcat.exe

description	pid	Process	procid_target
PID 2788 wrote to memory of 2752	2788	EQNEDT32.EXE	31
PID 2788 wrote to memory of 2752	2788	EQNEDT32.EXE	31
PID 2788 wrote to memory of 2752	2788	EQNEDT32.EXE	31
PID 2788 wrote to memory of 2752	2788	EQNEDT32.EXE	31
PID 2196 wrote to memory of 1684	2196	WINWORD.EXE	33
PID 2196 wrote to memory of 1684	2196	WINWORD.EXE	33
PID 2196 wrote to memory of 1684	2196	WINWORD.EXE	33
PID 2196 wrote to memory of 1684	2196	WINWORD.EXE	33
PID 2752 wrote to memory of 1300	2752	jequduhalcat.exe	34
PID 2752 wrote to memory of 1300	2752	jequduhalcat.exe	34
PID 2752 wrote to memory of 1300	2752	jequduhalcat.exe	34
PID 2752 wrote to memory of 1300	2752	jequduhalcat.exe	34
PID 2752 wrote to memory of 608	2752	jequduhalcat.exe	36
PID 2752 wrote to memory of 608	2752	jequduhalcat.exe	36
PID 2752 wrote to memory of 608	2752	jequduhalcat.exe	36
PID 2752 wrote to memory of 608	2752	jequduhalcat.exe	36
PID 2752 wrote to memory of 2088	2752	jequduhalcat.exe	37
PID 2752 wrote to memory of 2088	2752	jequduhalcat.exe	37
PID 2752 wrote to memory of 2088	2752	jequduhalcat.exe	37
PID 2752 wrote to memory of 2088	2752	jequduhalcat.exe	37
PID 2752 wrote to memory of 2900	2752	jequduhalcat.exe	38
PID 2752 wrote to memory of 2900	2752	jequduhalcat.exe	38
PID 2752 wrote to memory of 2900	2752	jequduhalcat.exe	38
PID 2752 wrote to memory of 2900	2752	jequduhalcat.exe	38
PID 2752 wrote to memory of 2912	2752	jequduhalcat.exe	39
PID 2752 wrote to memory of 2912	2752	jequduhalcat.exe	39
PID 2752 wrote to memory of 2912	2752	jequduhalcat.exe	39
PID 2752 wrote to memory of 2912	2752	jequduhalcat.exe	39
PID 2752 wrote to memory of 2192	2752	jequduhalcat.exe	40
PID 2752 wrote to memory of 2192	2752	jequduhalcat.exe	40
PID 2752 wrote to memory of 2192	2752	jequduhalcat.exe	40
PID 2752 wrote to memory of 2192	2752	jequduhalcat.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ_PO_091232.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1684

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\jequduhalcat.exe
  "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- - C:\Users\Admin\AppData\Roaming\jequduhalcat.exe
    "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
    3⤵
    - Executes dropped EXE
    PID:608
- - C:\Users\Admin\AppData\Roaming\jequduhalcat.exe
    "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Roaming\jequduhalcat.exe
    "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Users\Admin\AppData\Roaming\jequduhalcat.exe
    "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Users\Admin\AppData\Roaming\jequduhalcat.exe
    "C:\Users\Admin\AppData\Roaming\jequduhalcat.exe"
    3⤵
    - Executes dropped EXE
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\jequduhalcat.exe

Filesize
720KB

MD5
782965f857a2c2dbc179b7e016386f61

SHA1
3d16a97e2733daa4c2313035e134e763497bb948

SHA256
2634af4fb7d0c056e1f96809592bfcd3ee9f3fedf0ad52f9340b67d3b67d9f0a

SHA512
a1c98f6c20b9b5692069ac79d43ed06481faf963da10ad24b83bf4d76c44db2fca87e5237205be1767b83781ea63e0d8993dfc86bb08743e6756482771e01272

Download Submit
memory/2196-0-0x000000002FFA1000-0x000000002FFA2000-memory.dmp

Filesize
4KB

Download
memory/2196-2-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/2196-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2196-21-0x0000000070B4D000-0x0000000070B58000-memory.dmp

Filesize
44KB

Download
memory/2752-13-0x000000006ACFE000-0x000000006ACFF000-memory.dmp

Filesize
4KB

Download
memory/2752-15-0x0000000000380000-0x000000000043A000-memory.dmp

Filesize
744KB

Download
memory/2752-20-0x0000000000830000-0x000000000084C000-memory.dmp

Filesize
112KB

Download
memory/2752-22-0x000000006ACFE000-0x000000006ACFF000-memory.dmp

Filesize
4KB

Download
memory/2752-23-0x00000000002C0000-0x000000000033A000-memory.dmp

Filesize
488KB

Download