agenttesla | 3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a

Analysis

max time kernel
269s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-03-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO+010-240.docx
Size

10KB
MD5

1cb238263947b5019937888d3cad8833
SHA1

15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
SHA256

3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
SHA512

d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
SSDEEP

192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
002@frem-tr.com
Password:
jCXzqcP1 daniel 3116
Email To:
002@frem-tr.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 932 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	932	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/rr........................................................doc	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

760 vbc.exe
1740 vbc.exe
1608 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

932 EQNEDT32.EXE
932 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
760	vbc.exe
1740	vbc.exe
1608	vbc.exe

pid	process
932	EQNEDT32.EXE
932	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe"	vbc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 760 set thread context of 1608 760 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

616 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

932 EQNEDT32.EXE

description	pid	process	target process
PID 760 set thread context of 1608	760	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
616	schtasks.exe

pid	process
932	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

816 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exepowershell.exe

pid process

760 vbc.exe
760 vbc.exe
760 vbc.exe
760 vbc.exe
1896 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.exepowershell.exe

description pid process

Token: SeDebugPrivilege 760 vbc.exe
Token: SeDebugPrivilege 1608 vbc.exe
Token: SeDebugPrivilege 1896 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

816 WINWORD.EXE
816 WINWORD.EXE

pid	process
816	WINWORD.EXE

pid	process
760	vbc.exe
760	vbc.exe
760	vbc.exe
760	vbc.exe
1896	powershell.exe

description	pid	process
Token: SeDebugPrivilege	760	vbc.exe
Token: SeDebugPrivilege	1608	vbc.exe
Token: SeDebugPrivilege	1896	powershell.exe

pid	process
816	WINWORD.EXE
816	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 932 wrote to memory of 760	932	EQNEDT32.EXE	vbc.exe
PID 932 wrote to memory of 760	932	EQNEDT32.EXE	vbc.exe
PID 932 wrote to memory of 760	932	EQNEDT32.EXE	vbc.exe
PID 932 wrote to memory of 760	932	EQNEDT32.EXE	vbc.exe
PID 816 wrote to memory of 792	816	WINWORD.EXE	splwow64.exe
PID 816 wrote to memory of 792	816	WINWORD.EXE	splwow64.exe
PID 816 wrote to memory of 792	816	WINWORD.EXE	splwow64.exe
PID 816 wrote to memory of 792	816	WINWORD.EXE	splwow64.exe
PID 760 wrote to memory of 1896	760	vbc.exe	powershell.exe
PID 760 wrote to memory of 1896	760	vbc.exe	powershell.exe
PID 760 wrote to memory of 1896	760	vbc.exe	powershell.exe
PID 760 wrote to memory of 1896	760	vbc.exe	powershell.exe
PID 760 wrote to memory of 616	760	vbc.exe	schtasks.exe
PID 760 wrote to memory of 616	760	vbc.exe	schtasks.exe
PID 760 wrote to memory of 616	760	vbc.exe	schtasks.exe
PID 760 wrote to memory of 616	760	vbc.exe	schtasks.exe
PID 760 wrote to memory of 1740	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1740	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1740	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1740	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1608	760	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO+010-240.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:792

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gmRCHGfmw.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmRCHGfmw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp"
3⤵
- Creates scheduled task(s)
PID:616

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1740

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{206056F8-6E60-4AFF-94B8-877259BA508A}.FSD
Filesize
128KB

MD5
dbb2e35c08b30117826f583c1ffdcd0d

SHA1
9aa2129dc6dd073862fac6642665511248ad2ece

SHA256
e2e31eadc385ba8b4816fc002e3aef2995ee395501797264fbc72208380f1e2f

SHA512
4c0227cd1e7ebabf91644df9e729e3455576fd5ea58bb1d3a30c5a59946313acbabc7f8ae44782dd8b3a3c0d2072f3bf4ba36b0c59e695d36c043f3ce5652fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
fdc4b091c0bb38e559f205e6e2188a29

SHA1
3c7e037f52b9c98e559c24c2b13366515057d659

SHA256
ec5cdfe940d6a8618f3c105ac84f6b725a7eef047f8355ecab388d1868614e2d

SHA512
dde108ad64fc84b84c2a53c84e3215ec17797c33daaa13ab0660e247077ba1d920803152f2638ca86185ff32bd3625b27e77b46fef3882e98302e76351c948db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{11D8B5B4-942B-4923-B4BE-02D529BA6034}.FSD
Filesize
128KB

MD5
f23ef4872dff1716a7ccab52bc1b7adf

SHA1
5363a112cc20c2d387b1ab14f4b2af44b58e84d4

SHA256
163eb7d0751511062615d550374551e73f791a3dedea04378a951e2007f520af

SHA512
5f0dd763e3f3c675ab4cf5f2fd885875693a623aa6f040c884fbe22928fb27f131c0e0ce8affe05a10a6bf435ffa33bf3be4115afcdf4af4d98adbf432edb111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\rr[1].doc
Filesize
12KB

MD5
dbca576eca2dd4201a06f467ada3d524

SHA1
489ea5b066263a10ca81db28eed66545c6d2d4b2

SHA256
d90badc8f1680f191a5822f37582cc2e8ed39d044627c071812ad947b8a0a90f

SHA512
e48edabcbc2bc1f6d7ad91ffa5cd91e06c77ae7d4b074fb7eb15b20e8afe1f39229cb1be7921b18e3fb94f8c30e20ba61a22d46eafeb70229aa52722d99d7b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F5E.tmp
Filesize
1KB

MD5
f1a1cda202112689d4a8eb6346861e62

SHA1
681152bab87ea8660b52d480e8ba5d7f13c1f8ff

SHA256
bb6dce9a69b8a89ea4d1e2b47de59d4efd23e4dfb5a6c4e79ab9cd23eabaee8d

SHA512
a15f2a81beae796b05c59cf6525b0cc0740deb21e42c737258fc35bd190b7bd5ef5fd2aa0b186b09b01c453e4eab0ee5c884a9b3749d8f59e5d684f87a154f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\{194194BB-83A0-40C9-8BED-40FE6E7A6043}
Filesize
128KB

MD5
3bcc0a98248770362c492d1e73199f2e

SHA1
11a42eff113e169d01fffd60f8b8412774de0074

SHA256
bc9d1b9afe4dc986b81ebfe20f0a499eeedc61fee740a7952fd380060f0dba47

SHA512
31a815addd1a1a4defa5335f54b378175bebc22916e0b137822fd78bc62fab5f627a3782a1673414d8f68eab89cde276452788b4b6216764571bef1a752ddc30

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
memory/760-155-0x0000000007E00000-0x0000000007EAA000-memory.dmp

Filesize
680KB

Download
memory/760-153-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/760-154-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/760-146-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/760-161-0x00000000044F0000-0x00000000044F6000-memory.dmp

Filesize
24KB

Download
memory/760-162-0x00000000049A0000-0x00000000049D2000-memory.dmp

Filesize
200KB

Download
memory/760-145-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/760-144-0x0000000000DC0000-0x0000000000EBA000-memory.dmp

Filesize
1000KB

Download
memory/816-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1608-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1608-178-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1608-181-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/1896-179-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/1896-177-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download