agenttesla | 3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc

Analysis

max time kernel
100s
max time network
103s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc.docx
Size

10KB
MD5

b9571630868381221bee77b8fe5079ca
SHA1

12228855be9ea4783d1034678e00ddb51732d83b
SHA256

3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc
SHA512

209a9a056f36d3f709f5abeffcd33e6f918094921efc79c1deaede609e25b2fe752c60b3c86b0b6b61f0ff4365a8c45917343303bd4fa7d60762fc3d1287e897
SSDEEP

192:ScIMmtP1aIG/bslPL++uO+l+CVWBXJC0c3uG/:SPXU/slT+LO+HkZC9N

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
002@frem-tr.com
Password:
jCXzqcP1 daniel 3116
Email To:
002@frem-tr.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1884 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1884	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/c00----------------------------.DOC	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

2040 vbc.exe
2036 vbc.exe
1896 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1884 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2040	vbc.exe
2036	vbc.exe
1896	vbc.exe

pid	process
1884	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe"	vbc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 2040 set thread context of 1896 2040 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1304 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1884 EQNEDT32.EXE

description	pid	process	target process
PID 2040 set thread context of 1896	2040	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1304	schtasks.exe

pid	process
1884	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1368 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exepowershell.exe

pid process

2040 vbc.exe
2040 vbc.exe
2040 vbc.exe
2040 vbc.exe
1828 powershell.exe

pid	process
1368	WINWORD.EXE

pid	process
2040	vbc.exe
2040	vbc.exe
2040	vbc.exe
2040	vbc.exe
1828	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2040	vbc.exe
Token: SeDebugPrivilege	1896	vbc.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeShutdownPrivilege	1368	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1368 WINWORD.EXE
1368 WINWORD.EXE

pid	process
1368	WINWORD.EXE
1368	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1884 wrote to memory of 2040	1884	EQNEDT32.EXE	vbc.exe
PID 1884 wrote to memory of 2040	1884	EQNEDT32.EXE	vbc.exe
PID 1884 wrote to memory of 2040	1884	EQNEDT32.EXE	vbc.exe
PID 1884 wrote to memory of 2040	1884	EQNEDT32.EXE	vbc.exe
PID 1368 wrote to memory of 656	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 656	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 656	1368	WINWORD.EXE	splwow64.exe
PID 1368 wrote to memory of 656	1368	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1828	2040	vbc.exe	powershell.exe
PID 2040 wrote to memory of 1828	2040	vbc.exe	powershell.exe
PID 2040 wrote to memory of 1828	2040	vbc.exe	powershell.exe
PID 2040 wrote to memory of 1828	2040	vbc.exe	powershell.exe
PID 2040 wrote to memory of 1304	2040	vbc.exe	schtasks.exe
PID 2040 wrote to memory of 1304	2040	vbc.exe	schtasks.exe
PID 2040 wrote to memory of 1304	2040	vbc.exe	schtasks.exe
PID 2040 wrote to memory of 1304	2040	vbc.exe	schtasks.exe
PID 2040 wrote to memory of 2036	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2036	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2036	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 2036	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe
PID 2040 wrote to memory of 1896	2040	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3d3427a09aceb2dfcceaf2c8a232df04929a4bec0b43428ef595bbbd16162ddc.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:656

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\REqzovjc.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\REqzovjc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B15.tmp"
3⤵
- Creates scheduled task(s)
PID:1304

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:2036

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
cceda85ca4f61a123f20e68f9a6d9eec

SHA1
ad864ce17485f21a0f67da0f27606470fa72f425

SHA256
81b781fbe485e1ba16a666c700b26a80860b154731e060db0af3899dd7ac8e3c

SHA512
d6126072a9053023ad1dc2ad9a1873c14c0e904402b0c4b0bbb206095dc45726d5698ede5847c9a4cfae600fd2417a94a90a4300fba3fb8c03384b2aa77f272f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8184F05D-8766-4D34-9C88-E04271D961FF}.FSD
Filesize
128KB

MD5
bffb9e3f0b00bdabc4c6770ea149939b

SHA1
1f47cb2fe544f1cb7002cc2f033b288cec8ceeb7

SHA256
8379273413adf610df48b450fc82d45e0eaadabfe91dacbaeeb93ec1ceb2d746

SHA512
9d50eb2cfbe17008f020f55f573bf43fd017356e48186ed49d9e82d489f2210c92c8a7795fe24a6d57bcf703e4325240ea7405e0361c52d147889f8a0c1590ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\c00----------------------------[1].doc
Filesize
14KB

MD5
a0d3000e5792081fa970184fe592808f

SHA1
551941fd7e55cb98ea3a2f315fabe1d2b0a0b935

SHA256
7cee2955d8fee68f5501d86c84159f3e8cefcd52476a950a5712b84bbb1feedd

SHA512
e64b08ff15d7c396304d167781555beb01fc47ba488ead5dd231d7166d67da0599c61d942cb1d9415469cd4e4e2c8cad46763df224ba02ebaeab629b008f2556

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B15.tmp
Filesize
1KB

MD5
e15df9083295825cc1217f058c813f24

SHA1
a19bd1b82f06782200c9138dd2fd7cc037cbb590

SHA256
701625d76fe7ee5ff2e2727ce1beb4d40254582114b08e190f17b39d2ccb47bc

SHA512
bbf9210c5efd392e5d33fd910f74315b4bd26d89444242c227ab92033a8c964ae03dab777277efb168776abb1e289e8a7b18bb7a6ad6d5796e840920494a4d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D20DC5C2-43F4-401A-A6CE-B1226EE61069}
Filesize
128KB

MD5
ab3d598cca92d37825f4f4e0edef63d5

SHA1
123a64c32448a108992dfe1beff9a0ff6c77b135

SHA256
515f6a91c3a1178f3d5e117efce06f2307ff3fd1214bc6cf914aee19441e7e06

SHA512
c3086f36c7678766312330cf1cb59c4e4a58efb1cb8cac3ee23269e3871ff98cf692ccc1672b7211185b84ba1f342d9fbf73a3c0f686001a6cff35d63ef40020

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
09e9be31027f9c793ccd497e4223441b

SHA1
925a6bc0fb2d36b695ed5b6b5d19130b959ffe32

SHA256
2164b48ba179eb55b6c9440d7a2ee19db886b4abd69b1964b74a1f4d50c0ac8e

SHA512
505c3651f46eef23d0fe2b164b2bc97bf2d8c72aabd4839709d5c4f7bdc831c201471ebe07c267a1b6d83a0c17342a7e26a82915a265a51600d7b88bd243e3ff

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
a5e75f93a365f2f20438395c0949624d

SHA1
75a9d3e8faa58757a04a84ebf3def50357ac515e

SHA256
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163

SHA512
af70c9bb70fc2ecfcda0c395b3a4076b18629e7a94273b6adbda7dd7ebbde00939780c12d53f829ee326a33fb71de7729d3ba178e49a3d3fa3f86d351bd8e4d6

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
a5e75f93a365f2f20438395c0949624d

SHA1
75a9d3e8faa58757a04a84ebf3def50357ac515e

SHA256
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163

SHA512
af70c9bb70fc2ecfcda0c395b3a4076b18629e7a94273b6adbda7dd7ebbde00939780c12d53f829ee326a33fb71de7729d3ba178e49a3d3fa3f86d351bd8e4d6

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
a5e75f93a365f2f20438395c0949624d

SHA1
75a9d3e8faa58757a04a84ebf3def50357ac515e

SHA256
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163

SHA512
af70c9bb70fc2ecfcda0c395b3a4076b18629e7a94273b6adbda7dd7ebbde00939780c12d53f829ee326a33fb71de7729d3ba178e49a3d3fa3f86d351bd8e4d6

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
a5e75f93a365f2f20438395c0949624d

SHA1
75a9d3e8faa58757a04a84ebf3def50357ac515e

SHA256
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163

SHA512
af70c9bb70fc2ecfcda0c395b3a4076b18629e7a94273b6adbda7dd7ebbde00939780c12d53f829ee326a33fb71de7729d3ba178e49a3d3fa3f86d351bd8e4d6

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
a5e75f93a365f2f20438395c0949624d

SHA1
75a9d3e8faa58757a04a84ebf3def50357ac515e

SHA256
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163

SHA512
af70c9bb70fc2ecfcda0c395b3a4076b18629e7a94273b6adbda7dd7ebbde00939780c12d53f829ee326a33fb71de7729d3ba178e49a3d3fa3f86d351bd8e4d6

Download Submit
\Users\Public\vbc.exe
Filesize
1.1MB

MD5
a5e75f93a365f2f20438395c0949624d

SHA1
75a9d3e8faa58757a04a84ebf3def50357ac515e

SHA256
0e971d7a08790f5b5a54e074c3b343985ab403cd0665c2580d0e7d0c4e463163

SHA512
af70c9bb70fc2ecfcda0c395b3a4076b18629e7a94273b6adbda7dd7ebbde00939780c12d53f829ee326a33fb71de7729d3ba178e49a3d3fa3f86d351bd8e4d6

Download Submit
memory/1368-203-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1368-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1828-175-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1828-173-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1896-170-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1896-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-174-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/1896-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1896-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-151-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2040-158-0x0000000000500000-0x0000000000532000-memory.dmp

Filesize
200KB

Download
memory/2040-152-0x0000000005B90000-0x0000000005C3A000-memory.dmp

Filesize
680KB

Download
memory/2040-150-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2040-143-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2040-142-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2040-141-0x0000000000C50000-0x0000000000D6C000-memory.dmp

Filesize
1.1MB

Download