Analysis
-
max time kernel
101s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
22-02-2023 12:34
Static task
static1
Behavioral task
behavioral1
Sample
transferencia.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
transferencia.docx
Resource
win10v2004-20230220-en
General
-
Target
transferencia.docx
-
Size
10KB
-
MD5
b71a4eadd0fa49510df132d011f6d736
-
SHA1
90b2734bd8f080838d401a25ed3fddec066b5c5f
-
SHA256
63d81262d8b022c5c67b24e394a32037bc0cf41869444152c48ee204d84386a3
-
SHA512
8d3c0dd8c30cabb702f012753966022bb7fb0745469c979c5f542d2c9daf0d95cbb7752fb7f3458054a4a44446dedf685e72e99bc5a6a1373561134261a56672
-
SSDEEP
192:ScIMmtP0xfUW70vG/b3kgOi4O7+us+1pReDnc378Vx6T:SPX+si10ni4O78yeDnM4VsT
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5851500456:AAGR5SiDXSkn8lCoZA-eArnoTA9CuFr-jC0/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1648 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\Common\Offline\Files\http://3323444111/O-O-OOO.DOC WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE -
Executes dropped EXE 4 IoCs
Processes:
vbc.exevbc.exevbc.exevbc.exepid process 864 vbc.exe 1708 vbc.exe 1012 vbc.exe 1092 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1648 EQNEDT32.EXE 1648 EQNEDT32.EXE 1648 EQNEDT32.EXE 1648 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 api.ipify.org 12 api.ipify.org -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 864 set thread context of 1092 864 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1980 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
vbc.exepowershell.exepid process 864 vbc.exe 864 vbc.exe 864 vbc.exe 864 vbc.exe 1872 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
vbc.exevbc.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 864 vbc.exe Token: SeDebugPrivilege 1092 vbc.exe Token: SeDebugPrivilege 1872 powershell.exe Token: SeShutdownPrivilege 1980 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1980 WINWORD.EXE 1980 WINWORD.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 1648 wrote to memory of 864 1648 EQNEDT32.EXE vbc.exe PID 1648 wrote to memory of 864 1648 EQNEDT32.EXE vbc.exe PID 1648 wrote to memory of 864 1648 EQNEDT32.EXE vbc.exe PID 1648 wrote to memory of 864 1648 EQNEDT32.EXE vbc.exe PID 1980 wrote to memory of 816 1980 WINWORD.EXE splwow64.exe PID 1980 wrote to memory of 816 1980 WINWORD.EXE splwow64.exe PID 1980 wrote to memory of 816 1980 WINWORD.EXE splwow64.exe PID 1980 wrote to memory of 816 1980 WINWORD.EXE splwow64.exe PID 864 wrote to memory of 1872 864 vbc.exe powershell.exe PID 864 wrote to memory of 1872 864 vbc.exe powershell.exe PID 864 wrote to memory of 1872 864 vbc.exe powershell.exe PID 864 wrote to memory of 1872 864 vbc.exe powershell.exe PID 864 wrote to memory of 1012 864 vbc.exe vbc.exe PID 864 wrote to memory of 1012 864 vbc.exe vbc.exe PID 864 wrote to memory of 1012 864 vbc.exe vbc.exe PID 864 wrote to memory of 1012 864 vbc.exe vbc.exe PID 864 wrote to memory of 1708 864 vbc.exe vbc.exe PID 864 wrote to memory of 1708 864 vbc.exe vbc.exe PID 864 wrote to memory of 1708 864 vbc.exe vbc.exe PID 864 wrote to memory of 1708 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe PID 864 wrote to memory of 1092 864 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\transferencia.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\vbc.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD597291dacecc622180fe2ba4b556d33fc
SHA111b712a33d101a041fc72759677a89d374da4c7c
SHA256889aeeaee3d49412efba19646f7c80701f57e881ef1b30d5a76b148d5b6a3d1c
SHA512d4e13b640d12b7a6e5a0ab8abbd3c3dbae0280da2c070a033854070a872019aee40a3bc84fb9dc7e0b4c1b84ebe39cd2e1cd2284285c04685571640706375fd1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FD2FBED3-9BEC-4B38-A3C4-470CA7B44B63}.FSDFilesize
128KB
MD58850f128d3d7512cb304cf14c0b1a95e
SHA1fc1cc7ad7cf869c98ffb484492f0cddb032156e7
SHA256ce9063df487d7dd3cb7373d3135f1dde243ad42e6a0c2595747e812e121b86de
SHA5127142ab530c56dbecaf94e9add93d8783ee6fbdbe3ce99a346fbacc5a69633ef0e549ba6e932b51d3617de0e6190860982007a02c447a9212ef2408b473db8512
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\O-O-OOO[1].docFilesize
14KB
MD57f0575ad2474f43d494f501f380e2421
SHA14ed0e1b0bbe26e18272867ee56135d0b6db8b1a7
SHA25620df06eac0646a854a74337a706c39a5583f24f6bbd1836b344f5614a46a0e92
SHA51287d7a008cf1a70c082475a846c829c7ffc56ae4302a8ccad434760851b09d85fb845e8c9c363b7d1a2a8cda52a6e5fe4276f5f2a5923a1e88a6709a3a1e95dd4
-
C:\Users\Admin\AppData\Local\Temp\Cab45E9.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\{6BCA17FA-ADC3-4137-93D0-9BAF79F6BB62}Filesize
128KB
MD5357a200d2646f5f74bfd1f7f9f1c5501
SHA1ff5d02a6baa19adc8ce9725ec07504fa151f5e96
SHA256358a56981ff944d9ea9fb68f6bd140221e6b103172461bb9d9a91c5082ae24db
SHA512b99106a8580a8e5e3af63792dcdd6a913e25c9f25e1399f623fa0c2800d28edf275aff94544d1a4e0d16f9bf23c294c1a99adb7302bfdfa27af9f112b11cdc41
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5c21a2d63d59b6d9ff8076a796533ca2e
SHA1d49b73d8188edafc23887847e0acbbec5154e24e
SHA256df58eda2296ee80590d294acfc186102818be00f62259fcf70bbdea56b6d3fa0
SHA512063d384f6830dd85f347c240f2a22f8ed6d34a459ab8705369f95d5e4aa0e10445ecc5e7cb84adf9cf5d3d1ed4df1b809968738d710f944b376dac6d8793aab8
-
C:\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
C:\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
C:\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
C:\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
C:\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
C:\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
\Users\Public\vbc.exeFilesize
1.2MB
MD5c3a5814b7c004f0a958c3da9d18d8d6a
SHA1015e9b9a34e7c09beee480182dc3d5d292bedb35
SHA256ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b
SHA512fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944
-
memory/864-151-0x0000000000650000-0x0000000000666000-memory.dmpFilesize
88KB
-
memory/864-158-0x0000000004D60000-0x0000000004DA0000-memory.dmpFilesize
256KB
-
memory/864-159-0x0000000000670000-0x000000000067C000-memory.dmpFilesize
48KB
-
memory/864-160-0x0000000005ED0000-0x0000000005FC8000-memory.dmpFilesize
992KB
-
memory/864-161-0x0000000001E60000-0x0000000001ED4000-memory.dmpFilesize
464KB
-
memory/864-150-0x0000000004D60000-0x0000000004DA0000-memory.dmpFilesize
256KB
-
memory/864-149-0x0000000000030000-0x0000000000160000-memory.dmpFilesize
1.2MB
-
memory/1092-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1092-166-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1092-167-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1092-169-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1092-172-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1092-174-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1092-177-0x0000000004D80000-0x0000000004DC0000-memory.dmpFilesize
256KB
-
memory/1092-165-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1092-201-0x0000000004D80000-0x0000000004DC0000-memory.dmpFilesize
256KB
-
memory/1092-164-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1872-178-0x00000000026D0000-0x0000000002710000-memory.dmpFilesize
256KB
-
memory/1980-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1980-228-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB