Analysis
- max time kernel: 100s
- max time network: 103s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2023 20:03
Static task: static1
Behavioral task: behavioral1
- Sample: 3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc.docx
- Resource: win10v2004-20230220-en
General
- Target: 3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc.docx
- Size: 10KB
- MD5: b9571630868381221bee77b8fe5079ca
- SHA1: 12228855be9ea4783d1034678e00ddb51732d83b
- SHA256: 3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc
- SHA512: 209a9a056f36d3f709f5abeffcd33e6f918094921efc79c1deaede609e25b2fe752c60b3c86b0b6b61f0ff4365a8c45917343303bd4fa7d60762fc3d1287e897
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uO+l+CVWBXJC0c3uG/:SPXU/slT+LO+HkZC9N
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: 002@frem-tr.com
- Password: jCXzqcP1 daniel 3116
- Email To: 002@frem-tr.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (1 IoCs)
  Processes: EQNEDT32.EXE
  flow 7, PID 1884, EQNEDT32.EXE
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location (2 IoCs)
  Processes: WINWORD.EXE
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/c00----------------------------.DOC (WINWORD.EXE)
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\14.0\Common (WINWORD.EXE)
- Executes dropped EXE (3 IoCs)
  Processes: vbc.exe, vbc.exe, vbc.exe
  PID 2040 vbc.exe; PID 2036 vbc.exe; PID 1896 vbc.exe
- Loads dropped DLL (1 IoCs)
  Processes: EQNEDT32.EXE
  PID 1884 EQNEDT32.EXE
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: vbc.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: vbc.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe" (vbc.exe)
- Drops file in System32 directory (1 IoCs)
  Processes: powershell.exe
  File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: vbc.exe
  PID 2040 (vbc.exe) set thread context of PID 1896 (vbc.exe)
- Drops file in Windows directory (1 IoCs)
  Processes: WINWORD.EXE
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes: WINWORD.EXE
- Modifies registry class (64 IoCs)
  Processes: WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: WINWORD.EXE
  PID 1368 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: vbc.exe, powershell.exe
  PID 2040 vbc.exe (4 entries); PID 1828 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: vbc.exe, vbc.exe, powershell.exe, WINWORD.EXE
  Token SeDebugPrivilege: PID 2040 vbc.exe
  Token SeDebugPrivilege: PID 1896 vbc.exe
  Token SeDebugPrivilege: PID 1828 powershell.exe
  Token SeShutdownPrivilege: PID 1368 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: WINWORD.EXE
  PID 1368 WINWORD.EXE (2 entries)
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes: EQNEDT32.EXE, WINWORD.EXE, vbc.exe
  PID 1884 (EQNEDT32.EXE) wrote to memory of PID 2040 (vbc.exe): 4 entries
  PID 1368 (WINWORD.EXE) wrote to memory of PID 656 (splwow64.exe): 4 entries
  PID 2040 (vbc.exe) wrote to memory of PID 1828 (powershell.exe): 4 entries
  PID 2040 (vbc.exe) wrote to memory of PID 1304 (schtasks.exe): 4 entries
  PID 2040 (vbc.exe) wrote to memory of PID 2036 (vbc.exe): 4 entries
  PID 2040 (vbc.exe) wrote to memory of PID 1896 (vbc.exe): 9 entries
- outlook_office_path (1 IoCs)
  Processes: vbc.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
- outlook_win_path (1 IoCs)
  Processes: vbc.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (vbc.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1368, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 656, depth 2)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1884, depth 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (PID 2040, depth 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1828, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\REqzovjc.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 1304, depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\REqzovjc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B15.tmp"
      - Creates scheduled task(s)
    - C:\Users\Public\vbc.exe (PID 2036, depth 3)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - C:\Users\Public\vbc.exe (PID 1896, depth 3)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (128KB)
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8184F05D-8766-4D34-9C88-E04271D961FF}.FSD (128KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\c00----------------------------[1].doc (14KB)
- C:\Users\Admin\AppData\Local\Temp\tmp4B15.tmp (1KB)
- C:\Users\Admin\AppData\Local\Temp\{D20DC5C2-43F4-401A-A6CE-B1226EE61069} (128KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (20KB)
- C:\Users\Public\vbc.exe (1.1MB)
- \Users\Public\vbc.exe (1.1MB)