agenttesla | 63d81262d8b022c5c67b24e394a32037bc0cf41869444152c48ee204d84386a3

Analysis

max time kernel
101s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

transferencia.docx
Size

10KB
MD5

b71a4eadd0fa49510df132d011f6d736
SHA1

90b2734bd8f080838d401a25ed3fddec066b5c5f
SHA256

63d81262d8b022c5c67b24e394a32037bc0cf41869444152c48ee204d84386a3
SHA512

8d3c0dd8c30cabb702f012753966022bb7fb0745469c979c5f542d2c9daf0d95cbb7752fb7f3458054a4a44446dedf685e72e99bc5a6a1373561134261a56672
SSDEEP

192:ScIMmtP0xfUW70vG/b3kgOi4O7+us+1pReDnc378Vx6T:SPX+si10ni4O78yeDnM4VsT

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5851500456:AAGR5SiDXSkn8lCoZA-eArnoTA9CuFr-jC0/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1648 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1648	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\Common\Offline\Files\http://3323444111/O-O-OOO.DOC	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 4 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exe

pid process

864 vbc.exe
1708 vbc.exe
1012 vbc.exe
1092 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1648 EQNEDT32.EXE
1648 EQNEDT32.EXE
1648 EQNEDT32.EXE
1648 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
864	vbc.exe
1708	vbc.exe
1012	vbc.exe
1092	vbc.exe

pid	process
1648	EQNEDT32.EXE
1648	EQNEDT32.EXE
1648	EQNEDT32.EXE
1648	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org

flow	ioc
11	api.ipify.org
12	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 864 set thread context of 1092 864 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1648 EQNEDT32.EXE

description	pid	process	target process
PID 864 set thread context of 1092	864	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1648	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exepowershell.exe

pid process

864 vbc.exe
864 vbc.exe
864 vbc.exe
864 vbc.exe
1872 powershell.exe

pid	process
1980	WINWORD.EXE

pid	process
864	vbc.exe
864	vbc.exe
864	vbc.exe
864	vbc.exe
1872	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	864	vbc.exe
Token: SeDebugPrivilege	1092	vbc.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeShutdownPrivilege	1980	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1980 WINWORD.EXE
1980 WINWORD.EXE

pid	process
1980	WINWORD.EXE
1980	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1648 wrote to memory of 864	1648	EQNEDT32.EXE	vbc.exe
PID 1648 wrote to memory of 864	1648	EQNEDT32.EXE	vbc.exe
PID 1648 wrote to memory of 864	1648	EQNEDT32.EXE	vbc.exe
PID 1648 wrote to memory of 864	1648	EQNEDT32.EXE	vbc.exe
PID 1980 wrote to memory of 816	1980	WINWORD.EXE	splwow64.exe
PID 1980 wrote to memory of 816	1980	WINWORD.EXE	splwow64.exe
PID 1980 wrote to memory of 816	1980	WINWORD.EXE	splwow64.exe
PID 1980 wrote to memory of 816	1980	WINWORD.EXE	splwow64.exe
PID 864 wrote to memory of 1872	864	vbc.exe	powershell.exe
PID 864 wrote to memory of 1872	864	vbc.exe	powershell.exe
PID 864 wrote to memory of 1872	864	vbc.exe	powershell.exe
PID 864 wrote to memory of 1872	864	vbc.exe	powershell.exe
PID 864 wrote to memory of 1012	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1012	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1012	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1012	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1708	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1708	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1708	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1708	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe
PID 864 wrote to memory of 1092	864	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\transferencia.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:816

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\vbc.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1012

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1708

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
97291dacecc622180fe2ba4b556d33fc

SHA1
11b712a33d101a041fc72759677a89d374da4c7c

SHA256
889aeeaee3d49412efba19646f7c80701f57e881ef1b30d5a76b148d5b6a3d1c

SHA512
d4e13b640d12b7a6e5a0ab8abbd3c3dbae0280da2c070a033854070a872019aee40a3bc84fb9dc7e0b4c1b84ebe39cd2e1cd2284285c04685571640706375fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FD2FBED3-9BEC-4B38-A3C4-470CA7B44B63}.FSD
Filesize
128KB

MD5
8850f128d3d7512cb304cf14c0b1a95e

SHA1
fc1cc7ad7cf869c98ffb484492f0cddb032156e7

SHA256
ce9063df487d7dd3cb7373d3135f1dde243ad42e6a0c2595747e812e121b86de

SHA512
7142ab530c56dbecaf94e9add93d8783ee6fbdbe3ce99a346fbacc5a69633ef0e549ba6e932b51d3617de0e6190860982007a02c447a9212ef2408b473db8512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\O-O-OOO[1].doc
Filesize
14KB

MD5
7f0575ad2474f43d494f501f380e2421

SHA1
4ed0e1b0bbe26e18272867ee56135d0b6db8b1a7

SHA256
20df06eac0646a854a74337a706c39a5583f24f6bbd1836b344f5614a46a0e92

SHA512
87d7a008cf1a70c082475a846c829c7ffc56ae4302a8ccad434760851b09d85fb845e8c9c363b7d1a2a8cda52a6e5fe4276f5f2a5923a1e88a6709a3a1e95dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab45E9.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6BCA17FA-ADC3-4137-93D0-9BAF79F6BB62}
Filesize
128KB

MD5
357a200d2646f5f74bfd1f7f9f1c5501

SHA1
ff5d02a6baa19adc8ce9725ec07504fa151f5e96

SHA256
358a56981ff944d9ea9fb68f6bd140221e6b103172461bb9d9a91c5082ae24db

SHA512
b99106a8580a8e5e3af63792dcdd6a913e25c9f25e1399f623fa0c2800d28edf275aff94544d1a4e0d16f9bf23c294c1a99adb7302bfdfa27af9f112b11cdc41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
c21a2d63d59b6d9ff8076a796533ca2e

SHA1
d49b73d8188edafc23887847e0acbbec5154e24e

SHA256
df58eda2296ee80590d294acfc186102818be00f62259fcf70bbdea56b6d3fa0

SHA512
063d384f6830dd85f347c240f2a22f8ed6d34a459ab8705369f95d5e4aa0e10445ecc5e7cb84adf9cf5d3d1ed4df1b809968738d710f944b376dac6d8793aab8

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
\Users\Public\vbc.exe
Filesize
1.2MB

MD5
c3a5814b7c004f0a958c3da9d18d8d6a

SHA1
015e9b9a34e7c09beee480182dc3d5d292bedb35

SHA256
ecc2b212fb51d9d740f048286236846849658396bb8203b28957d5918a87f35b

SHA512
fed517bd8ec446fb2b4ea638daca2ae7481edf4798481562c7461ea5c8986c86923b541dc7b88238a4b48104368016ea9723fb21d0211cafa4f959a6ee5f7944

Download Submit
memory/864-151-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/864-158-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/864-159-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/864-160-0x0000000005ED0000-0x0000000005FC8000-memory.dmp

Filesize
992KB

Download
memory/864-161-0x0000000001E60000-0x0000000001ED4000-memory.dmp

Filesize
464KB

Download
memory/864-150-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/864-149-0x0000000000030000-0x0000000000160000-memory.dmp

Filesize
1.2MB

Download
memory/1092-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1092-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-177-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1092-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1092-201-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1092-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1872-178-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1980-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-228-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download