Overview

Static analysis: score 10

Task                  Score  Platform
2eeedb8129...a1.exe   10     windows7-x64
2eeedb8129...a1.exe   10     windows10-2004-x64
68f3f6a8e2...67.elf   10     ubuntu-22.04-amd64
76a5d5651a...67b.js   1      windows7-x64
76a5d5651a...67b.js   8      windows10-2004-x64
8be322fd53...98.vbs   8      windows7-x64
8be322fd53...98.vbs   8      windows10-2004-x64
92e0a7687d...35.exe   8      windows7-x64
92e0a7687d...35.exe   10     windows10-2004-x64
967059c927...af.rtf   10     windows7-x64
967059c927...af.rtf   8      windows10-2004-x64
a9fef3bf43...96.exe   1      windows7-x64
a9fef3bf43...96.exe   10     windows10-2004-x64
bbb50d99d2...1d5.js   10     windows7-x64
bbb50d99d2...1d5.js   8      windows10-2004-x64
Analysis (score 8)

max time kernel: 121s
max time network: 129s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 20-11-2024 18:18
Behavioral tasks

Task          Sample                                                                 Resource
behavioral1   2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe   win7-20240903-en
behavioral2   2eeedb8129877d2cff8bfca258974786448f4babb12a1e44651735e675f09ca1.exe   win10v2004-20241007-en
behavioral3   68f3f6a8e2c034cfa63a5083aa214e6973ec425313e52d78ce5f4360e00d9867.elf   ubuntu2204-amd64-20240611-en
behavioral4   76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js    win7-20240903-en
behavioral5   76a5d5651a6bb05f67e88fb646e969963c8f3baeda763a86649d4cd2f2ff967b.js    win10v2004-20241007-en
behavioral6   8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs   win7-20241010-en
behavioral7   8be322fd5399068e2db918866ec0011882c308226f9c8065df643dbcd4d7e998.vbs   win10v2004-20241007-en
behavioral8   92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe   win7-20240903-en
behavioral9   92e0a7687dbabbecadf58d3f706e383909637c8ea4b0f49824f4c3929ff53435.exe   win10v2004-20241007-en
behavioral10  967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf   win7-20240903-en
behavioral11  967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf   win10v2004-20241007-en
behavioral12  a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe   win7-20240708-en
behavioral13  a9fef3bf43ae17b1ea2361ea59c5584caf762bd450dc8f120fdbf7f9fe523e96.exe   win10v2004-20241007-en
behavioral14  bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js    win7-20241023-en
behavioral15  bbb50d99d2286fd78099998d4b3f17e441927cfa1e3951893e7acecf77fee1d5.js    win10v2004-20241007-en
General

Target: 967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf
Size: 4KB
MD5: 2d6060a66195cf2a68d79606b5eae8f8
SHA1: 426a17bf4ec7f5eb61ca038032fdea22ec401379
SHA256: 967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af
SHA512: 55f0c46bd8fa99604238b06e5bd8737574d69f12b6e52adc3b253805952616f3e7da0a7aa179c1a8bd1d3b07fcab1a49ddd4bbd057c34ca8fb957c78b8269754
SSDEEP: 96:QLl3HYpkWq2Ngv+yp5UglURVkFvHADrseco7VLo6EEGrvJAt5PbANI:iloisN6p59loSFCsA7VREEGrRQ5PbAu
Malware Config

Signatures

Blocklisted process makes network request (5 IoCs)
flow  pid   Process
4     2884  EQNEDT32.EXE
5     2884  EQNEDT32.EXE
7     2884  EQNEDT32.EXE
8     2884  EQNEDT32.EXE
9     2884  EQNEDT32.EXE

Drops file in Windows directory (1 IoC)
description                   ioc                                Process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid   Process
2884  EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
2472  WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2472  WINWORD.EXE
2472  WINWORD.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process      procid_target
PID 2472 wrote to memory of 2304  2472  WINWORD.EXE  32
PID 2472 wrote to memory of 2304  2472  WINWORD.EXE  32
PID 2472 wrote to memory of 2304  2472  WINWORD.EXE  32
PID 2472 wrote to memory of 2304  2472  WINWORD.EXE  32
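The "Launches Equation Editor" and "possible macro or embedded object present" signatures are behavioral: they only fire once Word has opened the document. The same thing can be checked statically, before detonation, by walking the RTF for {\object ...} groups and reading the class name both from \objclass and from the OLE 1.0 header inside \objdata (the two can disagree in evasive samples). The scanner below is an added example, not the sandbox's code and not derived from this sample's contents; the RTF it scans is constructed inline. It assumes the Equation.2 / Equation.3 ProgIDs registered by Equation Editor, and it does not handle the heavier RTF obfuscation (split control words, non-hex junk, nested groups inside \objdata) that tools such as rtfobj deal with.

```python
import binascii
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# ProgIDs registered by Equation Editor (EQNEDT32.EXE). An embedded object with
# one of these classes is what makes Word hand the object to EQNEDT32.EXE.
EQUATION_PROGIDS = {"equation.2", "equation.3"}

_OBJECT_START = re.compile(rb"\{\\object(?![a-zA-Z])")
_OBJCLASS = re.compile(rb"\\objclass\s+([^\\{}]+)")
_OBJDATA = re.compile(rb"\\objdata(?![a-zA-Z])([^}]*)")


@dataclass
class RtfObject:
    objclass: Optional[str]   # class name declared by \objclass, if present
    ole_class: Optional[str]  # class name from the OLE 1.0 header inside \objdata
    data_len: int             # decoded \objdata length in bytes
    autoupdate: bool          # \objupdate set: object is activated on document open

    @property
    def is_equation(self) -> bool:
        names = {n.lower() for n in (self.objclass, self.ole_class) if n}
        return any(n in EQUATION_PROGIDS for n in names)


def _group_at(data: bytes, start: int) -> bytes:
    """Return the balanced {...} group beginning at data[start]; a backslash
    escapes the next byte, so \\{ and \\} do not affect nesting."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def parse_ole1_header(blob: bytes) -> Optional[dict]:
    """Decode the OLE 1.0 ObjectHeader carried by \\objdata: OLEVersion (4 bytes),
    FormatID (4 bytes, 2 = embedded object), then a length-prefixed,
    NUL-terminated ANSI class name."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if len(blob) < 12 + name_len:
        return None
    name = blob[12:12 + name_len].rstrip(b"\0").decode("latin-1", "replace")
    return {"version": version, "format_id": fmt, "class_name": name}


def scan_rtf(data: bytes) -> List[RtfObject]:
    """Describe every {\\object ...} group in an RTF document."""
    found = []
    for m in _OBJECT_START.finditer(data):
        group = _group_at(data, m.start())
        cls = _OBJCLASS.search(group)
        od = _OBJDATA.search(group)
        blob = b""
        if od:
            # Hex payloads are routinely broken up with whitespace; keep hex digits only.
            hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", od.group(1)).decode("ascii")
            blob = bytes.fromhex(hexdigits[: len(hexdigits) & ~1])
        hdr = parse_ole1_header(blob)
        found.append(RtfObject(
            objclass=cls.group(1).strip().decode("latin-1") if cls else None,
            ole_class=hdr["class_name"] if hdr else None,
            data_len=len(blob),
            autoupdate=b"\\objupdate" in group,
        ))
    return found


def equation_objects(data: bytes) -> List[RtfObject]:
    return [o for o in scan_rtf(data) if o.is_equation]


# --- constructed sample input (not the analysed file) -----------------------
def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 EmbeddedObject: header with empty TopicName/ItemName,
    then NativeDataSize and NativeData."""
    name = class_name + b"\0"
    return (struct.pack("<III", 0x00000501, 2, len(name)) + name
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)


def _rtf_object(objclass: bytes, native: bytes, autoupdate: bool = False) -> bytes:
    hexdata = binascii.hexlify(_ole1_embedded(objclass, native))
    return (b"{\\object\\objemb" + (b"\\objupdate" if autoupdate else b"")
            + b"{\\*\\objclass " + objclass + b"}"
            + b"{\\*\\objdata " + hexdata + b"}}")


# One Equation.3 object that activates on open, plus an ordinary embedded Word document.
SAMPLE_RTF = (b"{\\rtf1\\ansi constructed sample "
              + _rtf_object(b"Equation.3", b"<native data omitted>", autoupdate=True)
              + _rtf_object(b"Word.Document.8", b"<benign>")
              + b"}")

if __name__ == "__main__":
    for obj in scan_rtf(SAMPLE_RTF):
        print(("SUSPECT " if obj.is_equation else "        ") + repr(obj))
```

Run it against a real file with `scan_rtf(open(path, "rb").read())`; an object whose \objclass says one thing and whose OLE header says another is itself worth a closer look, and \objupdate on an Equation object means no user interaction is needed beyond opening the document.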
Processes

[depth 1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf"
  PID: 2472
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
    PID: 2304

[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2884
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
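Two things in this tree matter for writing a detection. First, EQNEDT32.EXE is a second root, not a child of WINWORD.EXE: Word asks DCOM to activate the embedded object, so the editor is started by svchost.exe with the -Embedding switch, and a rule keyed on "Office spawns EQNEDT32.EXE" never fires. Second, the one child Word does have, splwow64.exe, is the 32-bit print driver host that 32-bit Office starts on x64 Windows, and Word writing into it is how the two talk; the four WriteProcessMemory IoCs are that, not injection. The detector below is an added example, not the sandbox's logic; it runs over a constructed event list whose PIDs, images, command lines, flow ids and registry key are taken from this report, while the record layout, the Office application list and the splwow64.exe allowlist are assumptions.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# splwow64.exe is the 32-bit print driver host; a normal child of 32-bit Office on x64.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}

# Constructed events modelled on this report's process tree and signature tables.
# EQNEDT32.EXE has ppid None here because the report shows it as a separate tree
# root: DCOM (svchost.exe), not WINWORD.EXE, starts it for the embedded object.
EVENTS: List[dict] = [
    {"type": "process", "pid": 2472, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\967059c927f066a79905cf5a2f99562ca72409238322098e8ac93c905e75a1af.rtf"'},
    {"type": "process", "pid": 2304, "ppid": 2472,
     "image": r"C:\Windows\splwow64.exe", "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"type": "process", "pid": 2884, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    *({"type": "netflow", "flow": f, "pid": 2884} for f in (4, 5, 7, 8, 9)),
    {"type": "regkey", "pid": 2884, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "regkey", "pid": 2472, "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: Iterable[dict]) -> List[Alert]:
    procs: Dict[int, dict] = {}
    flows: Dict[int, List[int]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
        elif ev["type"] == "netflow":
            flows[ev["pid"]].append(ev["flow"])

    office = [p for p in procs.values() if _basename(p["image"]) in OFFICE_APPS]
    alerts: List[Alert] = []
    for p in procs.values():
        name = _basename(p["image"])
        parent = procs.get(p.get("ppid"))
        parent_name = _basename(parent["image"]) if parent else None

        # Rule 1: Equation Editor running at all. Key on the image, not the parent;
        # the parent is the DCOM launcher, so the Office context is attached
        # separately rather than required.
        if name == "eqnedt32.exe":
            how = "via DCOM (-Embedding)" if "-embedding" in p["cmdline"].lower() else "directly"
            ctx = ", ".join(f"{_basename(o['image'])} pid {o['pid']}" for o in office) or "none"
            alerts.append(Alert("equation_editor_launch", p["pid"], p["image"],
                                f"EQNEDT32.EXE started {how}; Office processes on host: {ctx}"))
            # Rule 2: Equation Editor has no legitimate reason to talk to the network.
            if flows.get(p["pid"]):
                alerts.append(Alert("equation_editor_network", p["pid"], p["image"],
                                    f"{len(flows[p['pid']])} network flows: {sorted(flows[p['pid']])}"))

        # Rule 3: a child of an Office application that is not on the allowlist.
        if parent_name in OFFICE_APPS and name not in EXPECTED_OFFICE_CHILDREN:
            alerts.append(Alert("office_spawns_process", p["pid"], p["image"],
                                f"spawned by {parent_name} pid {parent['pid']}"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] pid {a.pid} {a.image}: {a.detail}")
```

On this report the detector raises exactly two alerts, both on PID 2884, and stays quiet on splwow64.exe; swap that child for anything else and the third rule fires. The registry reads of NLS\Language are kept in the event list but deliberately not alerted on: Word performs the same read, so on its own the key tells an analyst nothing.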