agenttesla | faf71181b4aee21a871a05e74566356faca82201252d20cb3ef1cd75dcef2b16

Analysis

max time kernel
100s
max time network
44s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d3eb1a7c578f265ed939a163907172b0f2ff2f.rtf
Size

32KB
MD5

1c8dff1ba5adb253c975739d5d9efe57
SHA1

77d3eb1a7c578f265ed939a163907172b0f2ff2f
SHA256

faf71181b4aee21a871a05e74566356faca82201252d20cb3ef1cd75dcef2b16
SHA512

fb288e2829bb9a55fcca55029565000f3f9a69ad70a78285792a2b318f84fd56270221a96af9140427864e8c0cf5c2154de24d49ac5b2563ebcfb40573e07b64
SSDEEP

768:eWPFx0XaIsnPRIa4fwJMw9GeKjD6PNCL8yGSobsWcXcF:FPf0Xvx3EMwM6Kt6CcF

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.valvulasthermovalve.cl/
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1176	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
552	damianoyrer58.exe
1488	zlsuy.exe
824	zlsuy.exe

Loads dropped DLL 4 IoCs

pid	Process
1176	EQNEDT32.EXE
552	damianoyrer58.exe
552	damianoyrer58.exe
1488	zlsuy.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zlsuy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zlsuy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zlsuy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 824	1488	zlsuy.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1176	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
824	zlsuy.exe
824	zlsuy.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1488	zlsuy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	zlsuy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
940	WINWORD.EXE
940	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 552	1176	EQNEDT32.EXE	31
PID 1176 wrote to memory of 552	1176	EQNEDT32.EXE	31
PID 1176 wrote to memory of 552	1176	EQNEDT32.EXE	31
PID 1176 wrote to memory of 552	1176	EQNEDT32.EXE	31
PID 552 wrote to memory of 1488	552	damianoyrer58.exe	32
PID 552 wrote to memory of 1488	552	damianoyrer58.exe	32
PID 552 wrote to memory of 1488	552	damianoyrer58.exe	32
PID 552 wrote to memory of 1488	552	damianoyrer58.exe	32
PID 1488 wrote to memory of 824	1488	zlsuy.exe	36
PID 1488 wrote to memory of 824	1488	zlsuy.exe	36
PID 1488 wrote to memory of 824	1488	zlsuy.exe	36
PID 1488 wrote to memory of 824	1488	zlsuy.exe	36
PID 1488 wrote to memory of 824	1488	zlsuy.exe	36
PID 940 wrote to memory of 1452	940	WINWORD.EXE	38
PID 940 wrote to memory of 1452	940	WINWORD.EXE	38
PID 940 wrote to memory of 1452	940	WINWORD.EXE	38
PID 940 wrote to memory of 1452	940	WINWORD.EXE	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zlsuy.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zlsuy.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\77d3eb1a7c578f265ed939a163907172b0f2ff2f.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1452

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Roaming\damianoyrer58.exe
  "C:\Users\Admin\AppData\Roaming\damianoyrer58.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\zlsuy.exe
    "C:\Users\Admin\AppData\Local\Temp\zlsuy.exe" C:\Users\Admin\AppData\Local\Temp\rtliuo.x
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\zlsuy.exe
      "C:\Users\Admin\AppData\Local\Temp\zlsuy.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rtliuo.x

Filesize
5KB

MD5
8d624e5504a97250b8c1fa3d83db0e05

SHA1
fcd8b4ed0aadb8bba9a9962995c668df218c27ed

SHA256
9e7bfd63c3bb515d1e3abd9ec89a70138f44fa94c53b2bc203586ed9d97187f6

SHA512
3e0679d03681f7caa77ebdbfa078a9713187be38d182abc12fa2d4e4de59821151ffe5b9d8961ee7445e50ad92a773105398ae9df29941d6dc1be66082363d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbritzpb.jl

Filesize
307KB

MD5
4a9d44158a7bfcd0fd1ec875ded60617

SHA1
b26e473baa2f5ca098dff6389482a90cb6856a8c

SHA256
1367c8b1b7bad04734a69fb76c8a42c39dbbdc102ac099a9584a8c56269c2b7f

SHA512
d281ea8025578040247ff783c9636dbc1f4c133b2fdbfbcc5edae9015189487637e596bf681761e870f6bb9e7efff778e1bb490d3c382406975e85aeeb15fdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlsuy.exe

Filesize
62KB

MD5
137d415fd4c0b0de1627cf9abf985ae5

SHA1
bf0c76fa80b800d94db48a1180d146cc2d26647f

SHA256
ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

SHA512
e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlsuy.exe

Filesize
62KB

MD5
137d415fd4c0b0de1627cf9abf985ae5

SHA1
bf0c76fa80b800d94db48a1180d146cc2d26647f

SHA256
ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

SHA512
e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlsuy.exe

Filesize
62KB

MD5
137d415fd4c0b0de1627cf9abf985ae5

SHA1
bf0c76fa80b800d94db48a1180d146cc2d26647f

SHA256
ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

SHA512
e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

Download Submit
C:\Users\Admin\AppData\Roaming\damianoyrer58.exe

Filesize
525KB

MD5
e2733a5dd19a546275fca8f958569312

SHA1
517fa0d68f0604508b3c65d36ab15114ccf9acc1

SHA256
5ace7702d0fa480105ae05c8edd6344513b3f911d4257a6dec9c123d66a8e594

SHA512
80ff304269a4df1118c889871240c1a4c9f2e5d7966644690ef1056d00662f040ea4352bcde3cdece65cf4e4a55e229c321567c705c96fd5ddaf2cfb70ceaafb

Download Submit
C:\Users\Admin\AppData\Roaming\damianoyrer58.exe

Filesize
525KB

MD5
e2733a5dd19a546275fca8f958569312

SHA1
517fa0d68f0604508b3c65d36ab15114ccf9acc1

SHA256
5ace7702d0fa480105ae05c8edd6344513b3f911d4257a6dec9c123d66a8e594

SHA512
80ff304269a4df1118c889871240c1a4c9f2e5d7966644690ef1056d00662f040ea4352bcde3cdece65cf4e4a55e229c321567c705c96fd5ddaf2cfb70ceaafb

Download Submit
\Users\Admin\AppData\Local\Temp\zlsuy.exe

Filesize
62KB

MD5
137d415fd4c0b0de1627cf9abf985ae5

SHA1
bf0c76fa80b800d94db48a1180d146cc2d26647f

SHA256
ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

SHA512
e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

Download Submit
\Users\Admin\AppData\Local\Temp\zlsuy.exe

Filesize
62KB

MD5
137d415fd4c0b0de1627cf9abf985ae5

SHA1
bf0c76fa80b800d94db48a1180d146cc2d26647f

SHA256
ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

SHA512
e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

Download Submit
\Users\Admin\AppData\Local\Temp\zlsuy.exe

Filesize
62KB

MD5
137d415fd4c0b0de1627cf9abf985ae5

SHA1
bf0c76fa80b800d94db48a1180d146cc2d26647f

SHA256
ae26439b268a3368f97b0086a66b87f171ab1195ab16bc5d7067366de3916c59

SHA512
e82a09b747d96a4fa88fad423093838408da82e4e51b3daa09a07cc8a387df16fcc87a34c7d860f66914c8134351c055e9f844ea4f52d01b11b88bed04eb8d4f

Download Submit
\Users\Admin\AppData\Roaming\damianoyrer58.exe

Filesize
525KB

MD5
e2733a5dd19a546275fca8f958569312

SHA1
517fa0d68f0604508b3c65d36ab15114ccf9acc1

SHA256
5ace7702d0fa480105ae05c8edd6344513b3f911d4257a6dec9c123d66a8e594

SHA512
80ff304269a4df1118c889871240c1a4c9f2e5d7966644690ef1056d00662f040ea4352bcde3cdece65cf4e4a55e229c321567c705c96fd5ddaf2cfb70ceaafb

Download Submit
memory/552-61-0x0000000000000000-mapping.dmp

Download
memory/824-74-0x0000000000401896-mapping.dmp

Download
memory/824-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/824-77-0x00000000003A0000-0x00000000003DA000-memory.dmp

Filesize
232KB

Download
memory/940-57-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/940-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/940-55-0x0000000070A51000-0x0000000070A53000-memory.dmp

Filesize
8KB

Download
memory/940-58-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/940-54-0x0000000072FD1000-0x0000000072FD4000-memory.dmp

Filesize
12KB

Download
memory/940-79-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/940-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/940-83-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/1452-80-0x0000000000000000-mapping.dmp

Download
memory/1452-81-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1488-67-0x0000000000000000-mapping.dmp

Download