agenttesla | 172e6a908015dd956c606d2efa00ee8fe6ed43cd9000631dad346227e0ef5450

Analysis

max time kernel
102s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/02/2023, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER JF&I Packaging.rtf
Size

1.6MB
MD5

34abb90224f8b4fd057e8fa8f5a3eb0b
SHA1

8199cd6f8fba690059d7b8cac0627deba569d78b
SHA256

172e6a908015dd956c606d2efa00ee8fe6ed43cd9000631dad346227e0ef5450
SHA512

6606af8c45f342f9346820184fa0b920fd15d4e2475c90ddaedd60b67622d7ec7b9605ff5210dfd2eea3c068b6472d3bad43cff48f8821ae3533293aaf408305
SSDEEP

24576:XqG17EWl3Eq+1pQ3v3qb29mxmF2KXT4tFswg9ogPMGwJ8aswWVeq8smDiZvMCong:t

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cebc.eu
Port:
587
Username:
[email protected]
Password:
mprI?DOy1BX8
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1400	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1020	word.exe
856	xdsqimskb.exe
828	xdsqimskb.exe

Loads dropped DLL 3 IoCs

pid	Process
1400	EQNEDT32.EXE
1020	word.exe
856	xdsqimskb.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xdsqimskb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xdsqimskb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xdsqimskb.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 828	856	xdsqimskb.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1400	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1308	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
856	xdsqimskb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	828	xdsqimskb.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1308	WINWORD.EXE
1308	WINWORD.EXE
828	xdsqimskb.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1020	1400	EQNEDT32.EXE	31
PID 1400 wrote to memory of 1020	1400	EQNEDT32.EXE	31
PID 1400 wrote to memory of 1020	1400	EQNEDT32.EXE	31
PID 1400 wrote to memory of 1020	1400	EQNEDT32.EXE	31
PID 1020 wrote to memory of 856	1020	word.exe	32
PID 1020 wrote to memory of 856	1020	word.exe	32
PID 1020 wrote to memory of 856	1020	word.exe	32
PID 1020 wrote to memory of 856	1020	word.exe	32
PID 856 wrote to memory of 828	856	xdsqimskb.exe	34
PID 856 wrote to memory of 828	856	xdsqimskb.exe	34
PID 856 wrote to memory of 828	856	xdsqimskb.exe	34
PID 856 wrote to memory of 828	856	xdsqimskb.exe	34
PID 856 wrote to memory of 828	856	xdsqimskb.exe	34
PID 1308 wrote to memory of 1700	1308	WINWORD.EXE	37
PID 1308 wrote to memory of 1700	1308	WINWORD.EXE	37
PID 1308 wrote to memory of 1700	1308	WINWORD.EXE	37
PID 1308 wrote to memory of 1700	1308	WINWORD.EXE	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xdsqimskb.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xdsqimskb.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER JF&I Packaging.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1700

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Roaming\word.exe
  C:\Users\Admin\AppData\Roaming\word.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe
    "C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe" C:\Users\Admin\AppData\Local\Temp\zhrso.ch
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe
      "C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nzjvaocdswp.w

Filesize
262KB

MD5
b34b1abd10b2e214669c4fc5b2687f91

SHA1
08cfe82d4943819165bde21ed3f77add3c9f3efd

SHA256
108bfc0739f244559b1f2adc1d1bf0108780142a8eefff97f074d2db9356db99

SHA512
abcb3560e660148014c4f25992180d5a932bc7a198f46a6386dd6facaa357162d9deb4c0b9578c5e1feda6aeea03ed620b64256bb1aff93bb46a1a402f5ca681

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe

Filesize
129KB

MD5
2bf2ff48b1340de0372ba0ffce2120ce

SHA1
b9019661a13d8f6fb66face403ab6f77e64cbb4f

SHA256
b8e47489a449e0f30f89a21f1f3afac3bd6ec2a1a3dbe5b50fc612b87ab7aef1

SHA512
de1b3ba62664996a77eb4f713e2580a4036989bca446819a3e9fc3146f1321588d42f7c5a45f3d544b3337ffa6edd28d88c2e279110e40df0fa7ac8382316162

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe

Filesize
129KB

MD5
2bf2ff48b1340de0372ba0ffce2120ce

SHA1
b9019661a13d8f6fb66face403ab6f77e64cbb4f

SHA256
b8e47489a449e0f30f89a21f1f3afac3bd6ec2a1a3dbe5b50fc612b87ab7aef1

SHA512
de1b3ba62664996a77eb4f713e2580a4036989bca446819a3e9fc3146f1321588d42f7c5a45f3d544b3337ffa6edd28d88c2e279110e40df0fa7ac8382316162

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsqimskb.exe

Filesize
129KB

MD5
2bf2ff48b1340de0372ba0ffce2120ce

SHA1
b9019661a13d8f6fb66face403ab6f77e64cbb4f

SHA256
b8e47489a449e0f30f89a21f1f3afac3bd6ec2a1a3dbe5b50fc612b87ab7aef1

SHA512
de1b3ba62664996a77eb4f713e2580a4036989bca446819a3e9fc3146f1321588d42f7c5a45f3d544b3337ffa6edd28d88c2e279110e40df0fa7ac8382316162

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhrso.ch

Filesize
6KB

MD5
3f781b8dc99c36e499f4e475380a8814

SHA1
1c5983c8a2c465bf88f62a6def8d9474b8714552

SHA256
47d9b600b8588b342d5fcf1371895e6eda5028fce4501c1206939e61aacdf4ba

SHA512
7ee6de9d34c6739770ea6f14940a87440855ad4483355c4c0481774f8c47a506fe228aee3ccf07c5468481efbdb238d0e3007b9a3ed078e9c50e8372cb4b8497

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
525KB

MD5
b65bb32b79df8155ab362e98ce867bee

SHA1
afbd102a4efcace8032559aa245e8f24fe90cc37

SHA256
f08aeee18c0d5984b8bf83afe0d4c9048429b0ab06af794fd79eea2f80626f44

SHA512
67a614c4ffd9039bede6501a99c9a76802dc7defd26a484325e01b7b3391a6e09609501501a96b8cd0478b2c5108426a2048f61ca33cb0e47d853390928912f2

Download Submit
C:\Users\Admin\AppData\Roaming\word.exe

Filesize
525KB

MD5
b65bb32b79df8155ab362e98ce867bee

SHA1
afbd102a4efcace8032559aa245e8f24fe90cc37

SHA256
f08aeee18c0d5984b8bf83afe0d4c9048429b0ab06af794fd79eea2f80626f44

SHA512
67a614c4ffd9039bede6501a99c9a76802dc7defd26a484325e01b7b3391a6e09609501501a96b8cd0478b2c5108426a2048f61ca33cb0e47d853390928912f2

Download Submit
\Users\Admin\AppData\Local\Temp\xdsqimskb.exe

Filesize
129KB

MD5
2bf2ff48b1340de0372ba0ffce2120ce

SHA1
b9019661a13d8f6fb66face403ab6f77e64cbb4f

SHA256
b8e47489a449e0f30f89a21f1f3afac3bd6ec2a1a3dbe5b50fc612b87ab7aef1

SHA512
de1b3ba62664996a77eb4f713e2580a4036989bca446819a3e9fc3146f1321588d42f7c5a45f3d544b3337ffa6edd28d88c2e279110e40df0fa7ac8382316162

Download Submit
\Users\Admin\AppData\Local\Temp\xdsqimskb.exe

Filesize
129KB

MD5
2bf2ff48b1340de0372ba0ffce2120ce

SHA1
b9019661a13d8f6fb66face403ab6f77e64cbb4f

SHA256
b8e47489a449e0f30f89a21f1f3afac3bd6ec2a1a3dbe5b50fc612b87ab7aef1

SHA512
de1b3ba62664996a77eb4f713e2580a4036989bca446819a3e9fc3146f1321588d42f7c5a45f3d544b3337ffa6edd28d88c2e279110e40df0fa7ac8382316162

Download Submit
\Users\Admin\AppData\Roaming\word.exe

Filesize
525KB

MD5
b65bb32b79df8155ab362e98ce867bee

SHA1
afbd102a4efcace8032559aa245e8f24fe90cc37

SHA256
f08aeee18c0d5984b8bf83afe0d4c9048429b0ab06af794fd79eea2f80626f44

SHA512
67a614c4ffd9039bede6501a99c9a76802dc7defd26a484325e01b7b3391a6e09609501501a96b8cd0478b2c5108426a2048f61ca33cb0e47d853390928912f2

Download Submit
memory/828-75-0x0000000001E00000-0x0000000001E30000-memory.dmp

Filesize
192KB

Download
memory/828-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-55-0x0000000070601000-0x0000000070603000-memory.dmp

Filesize
8KB

Download
memory/1308-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1308-58-0x00000000715ED000-0x00000000715F8000-memory.dmp

Filesize
44KB

Download
memory/1308-54-0x0000000072B81000-0x0000000072B84000-memory.dmp

Filesize
12KB

Download
memory/1308-57-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1308-77-0x00000000715ED000-0x00000000715F8000-memory.dmp

Filesize
44KB

Download
memory/1308-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1308-81-0x00000000715ED000-0x00000000715F8000-memory.dmp

Filesize
44KB

Download
memory/1700-79-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download