Analysis
-
max time kernel
269s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01-03-2023 14:31
Static task
static1
Behavioral task
behavioral1
Sample
PO+010-240.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO+010-240.docx
Resource
win10v2004-20230221-en
General
-
Target
PO+010-240.docx
-
Size
10KB
-
MD5
1cb238263947b5019937888d3cad8833
-
SHA1
15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
-
SHA256
3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
-
SHA512
d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
002@frem-tr.com - Password:
jCXzqcP1 daniel 3116 - Email To:
002@frem-tr.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 932 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/rr........................................................doc WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE -
Executes dropped EXE 3 IoCs
Processes:
vbc.exevbc.exevbc.exepid process 760 vbc.exe 1740 vbc.exe 1608 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 932 EQNEDT32.EXE 932 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe" vbc.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 760 set thread context of 1608 760 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 816 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
vbc.exepowershell.exepid process 760 vbc.exe 760 vbc.exe 760 vbc.exe 760 vbc.exe 1896 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exevbc.exepowershell.exedescription pid process Token: SeDebugPrivilege 760 vbc.exe Token: SeDebugPrivilege 1608 vbc.exe Token: SeDebugPrivilege 1896 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 816 WINWORD.EXE 816 WINWORD.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 932 wrote to memory of 760 932 EQNEDT32.EXE vbc.exe PID 932 wrote to memory of 760 932 EQNEDT32.EXE vbc.exe PID 932 wrote to memory of 760 932 EQNEDT32.EXE vbc.exe PID 932 wrote to memory of 760 932 EQNEDT32.EXE vbc.exe PID 816 wrote to memory of 792 816 WINWORD.EXE splwow64.exe PID 816 wrote to memory of 792 816 WINWORD.EXE splwow64.exe PID 816 wrote to memory of 792 816 WINWORD.EXE splwow64.exe PID 816 wrote to memory of 792 816 WINWORD.EXE splwow64.exe PID 760 wrote to memory of 1896 760 vbc.exe powershell.exe PID 760 wrote to memory of 1896 760 vbc.exe powershell.exe PID 760 wrote to memory of 1896 760 vbc.exe powershell.exe PID 760 wrote to memory of 1896 760 vbc.exe powershell.exe PID 760 wrote to memory of 616 760 vbc.exe schtasks.exe PID 760 wrote to memory of 616 760 vbc.exe schtasks.exe PID 760 wrote to memory of 616 760 vbc.exe schtasks.exe PID 760 wrote to memory of 616 760 vbc.exe schtasks.exe PID 760 wrote to memory of 1740 760 vbc.exe vbc.exe PID 760 wrote to memory of 1740 760 vbc.exe vbc.exe PID 760 wrote to memory of 1740 760 vbc.exe vbc.exe PID 760 wrote to memory of 1740 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe PID 760 wrote to memory of 1608 760 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO+010-240.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gmRCHGfmw.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmRCHGfmw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{206056F8-6E60-4AFF-94B8-877259BA508A}.FSDFilesize
128KB
MD5dbb2e35c08b30117826f583c1ffdcd0d
SHA19aa2129dc6dd073862fac6642665511248ad2ece
SHA256e2e31eadc385ba8b4816fc002e3aef2995ee395501797264fbc72208380f1e2f
SHA5124c0227cd1e7ebabf91644df9e729e3455576fd5ea58bb1d3a30c5a59946313acbabc7f8ae44782dd8b3a3c0d2072f3bf4ba36b0c59e695d36c043f3ce5652fc1
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5fdc4b091c0bb38e559f205e6e2188a29
SHA13c7e037f52b9c98e559c24c2b13366515057d659
SHA256ec5cdfe940d6a8618f3c105ac84f6b725a7eef047f8355ecab388d1868614e2d
SHA512dde108ad64fc84b84c2a53c84e3215ec17797c33daaa13ab0660e247077ba1d920803152f2638ca86185ff32bd3625b27e77b46fef3882e98302e76351c948db
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{11D8B5B4-942B-4923-B4BE-02D529BA6034}.FSDFilesize
128KB
MD5f23ef4872dff1716a7ccab52bc1b7adf
SHA15363a112cc20c2d387b1ab14f4b2af44b58e84d4
SHA256163eb7d0751511062615d550374551e73f791a3dedea04378a951e2007f520af
SHA5125f0dd763e3f3c675ab4cf5f2fd885875693a623aa6f040c884fbe22928fb27f131c0e0ce8affe05a10a6bf435ffa33bf3be4115afcdf4af4d98adbf432edb111
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\rr[1].docFilesize
12KB
MD5dbca576eca2dd4201a06f467ada3d524
SHA1489ea5b066263a10ca81db28eed66545c6d2d4b2
SHA256d90badc8f1680f191a5822f37582cc2e8ed39d044627c071812ad947b8a0a90f
SHA512e48edabcbc2bc1f6d7ad91ffa5cd91e06c77ae7d4b074fb7eb15b20e8afe1f39229cb1be7921b18e3fb94f8c30e20ba61a22d46eafeb70229aa52722d99d7b2d
-
C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmpFilesize
1KB
MD5f1a1cda202112689d4a8eb6346861e62
SHA1681152bab87ea8660b52d480e8ba5d7f13c1f8ff
SHA256bb6dce9a69b8a89ea4d1e2b47de59d4efd23e4dfb5a6c4e79ab9cd23eabaee8d
SHA512a15f2a81beae796b05c59cf6525b0cc0740deb21e42c737258fc35bd190b7bd5ef5fd2aa0b186b09b01c453e4eab0ee5c884a9b3749d8f59e5d684f87a154f14
-
C:\Users\Admin\AppData\Local\Temp\{194194BB-83A0-40C9-8BED-40FE6E7A6043}Filesize
128KB
MD53bcc0a98248770362c492d1e73199f2e
SHA111a42eff113e169d01fffd60f8b8412774de0074
SHA256bc9d1b9afe4dc986b81ebfe20f0a499eeedc61fee740a7952fd380060f0dba47
SHA51231a815addd1a1a4defa5335f54b378175bebc22916e0b137822fd78bc62fab5f627a3782a1673414d8f68eab89cde276452788b4b6216764571bef1a752ddc30
-
C:\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
C:\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
C:\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
C:\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
C:\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
\Users\Public\vbc.exeFilesize
977KB
MD50bbeb58e735d6bd4d0d30f150c36a15e
SHA18f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
memory/760-155-0x0000000007E00000-0x0000000007EAA000-memory.dmpFilesize
680KB
-
memory/760-153-0x0000000004E50000-0x0000000004E90000-memory.dmpFilesize
256KB
-
memory/760-154-0x0000000000480000-0x000000000048C000-memory.dmpFilesize
48KB
-
memory/760-146-0x00000000004A0000-0x00000000004BA000-memory.dmpFilesize
104KB
-
memory/760-161-0x00000000044F0000-0x00000000044F6000-memory.dmpFilesize
24KB
-
memory/760-162-0x00000000049A0000-0x00000000049D2000-memory.dmpFilesize
200KB
-
memory/760-145-0x0000000004E50000-0x0000000004E90000-memory.dmpFilesize
256KB
-
memory/760-144-0x0000000000DC0000-0x0000000000EBA000-memory.dmpFilesize
1000KB
-
memory/816-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1608-165-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1608-168-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-169-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-171-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-174-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-164-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-176-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1608-178-0x0000000004F00000-0x0000000004F40000-memory.dmpFilesize
256KB
-
memory/1608-181-0x0000000004F00000-0x0000000004F40000-memory.dmpFilesize
256KB
-
memory/1896-179-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB
-
memory/1896-177-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB