agenttesla | 3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a

Analysis

max time kernel
102s
max time network
104s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-03-2023 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

POX010-240.docx
Size

10KB
MD5

1cb238263947b5019937888d3cad8833
SHA1

15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
SHA256

3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
SHA512

d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
SSDEEP

192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
002@frem-tr.com
Password:
jCXzqcP1 daniel 3116
Email To:
002@frem-tr.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 900 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	900	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/rr........................................................doc	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1488 vbc.exe
568 vbc.exe
1316 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

900 EQNEDT32.EXE
900 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1488	vbc.exe
568	vbc.exe
1316	vbc.exe

pid	process
900	EQNEDT32.EXE
900	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe"	vbc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1488 set thread context of 1316 1488 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1580 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

900 EQNEDT32.EXE

description	pid	process	target process
PID 1488 set thread context of 1316	1488	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1580	schtasks.exe

pid	process
900	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1248 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exepowershell.exe

pid process

1488 vbc.exe
1488 vbc.exe
1488 vbc.exe
1488 vbc.exe
1936 powershell.exe

pid	process
1248	WINWORD.EXE

pid	process
1488	vbc.exe
1488	vbc.exe
1488	vbc.exe
1488	vbc.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1488	vbc.exe
Token: SeDebugPrivilege	1316	vbc.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeShutdownPrivilege	1248	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1248 WINWORD.EXE
1248 WINWORD.EXE

pid	process
1248	WINWORD.EXE
1248	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 900 wrote to memory of 1488	900	EQNEDT32.EXE	vbc.exe
PID 900 wrote to memory of 1488	900	EQNEDT32.EXE	vbc.exe
PID 900 wrote to memory of 1488	900	EQNEDT32.EXE	vbc.exe
PID 900 wrote to memory of 1488	900	EQNEDT32.EXE	vbc.exe
PID 1248 wrote to memory of 360	1248	WINWORD.EXE	splwow64.exe
PID 1248 wrote to memory of 360	1248	WINWORD.EXE	splwow64.exe
PID 1248 wrote to memory of 360	1248	WINWORD.EXE	splwow64.exe
PID 1248 wrote to memory of 360	1248	WINWORD.EXE	splwow64.exe
PID 1488 wrote to memory of 1936	1488	vbc.exe	powershell.exe
PID 1488 wrote to memory of 1936	1488	vbc.exe	powershell.exe
PID 1488 wrote to memory of 1936	1488	vbc.exe	powershell.exe
PID 1488 wrote to memory of 1936	1488	vbc.exe	powershell.exe
PID 1488 wrote to memory of 1580	1488	vbc.exe	schtasks.exe
PID 1488 wrote to memory of 1580	1488	vbc.exe	schtasks.exe
PID 1488 wrote to memory of 1580	1488	vbc.exe	schtasks.exe
PID 1488 wrote to memory of 1580	1488	vbc.exe	schtasks.exe
PID 1488 wrote to memory of 568	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 568	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 568	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 568	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe
PID 1488 wrote to memory of 1316	1488	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\POX010-240.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:360

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gmRCHGfmw.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gmRCHGfmw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp"
3⤵
- Creates scheduled task(s)
PID:1580

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:568

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize
128KB

MD5
052f9ec24e05d1d4e02e06b4dd9507f4

SHA1
f3622165331f541f14abbbdba5a360f591318ef9

SHA256
2984965f02436f5c9ce74e08c26d8e4bdbf978ddc4fd1ecbca7f6c56d3c72b34

SHA512
8e65290c2b7553ab86e413d225aab4bd0b61108a00b29c0456898ff7fd21d598e50bbbce108bd2b31f6fda9042665f81e54c075f70e3124f01955e4ef53ca147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{FC43B91B-5F3D-4FCC-A693-00FFE98FFBDD}.FSD
Filesize
128KB

MD5
8126e47d5e2f24324bbc8227b671d04a

SHA1
5a68a48b8066e17be9d4f37dbd7f438ac50c32cd

SHA256
92489ef7b9e580ab62234b941ad7b05013013904e316d1b7effdf595e8bf24ef

SHA512
e0475dd0721a69d48e276f4fa8b8e5cf01c7c0c982b5771e2e74426c941eaf9c3ac59be55a11d69d8f206066b5cf323b254c1061de7cc4f4f15440a8f3e36a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
a0859b3ca3a5c07878c1bc3dd9221437

SHA1
56fb90b51bef7bf198777708a52904c254754b5d

SHA256
ffb70ef528dd1e05e48033ccb9d69e6920e5fdf85acca9b8086ba3e64a2e930b

SHA512
672cad2c7e4cdbe1b226f0ef22b3acfd22fb9ad0771591eb8d8149ec02ee6a595fc6e43f6878f1a19e043dbc41ade508655def18dcf2b3a1313e595210c9dc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
741ebcf2dccd2bbf834b01caff073b11

SHA1
0df0bff6114d7b504dc413affddbf971333a8b16

SHA256
c84c4a14b6ed5d1d5f9bfaa4465a3d52553084353a934858ab327939f5e34438

SHA512
cce86daa9608e67a2eff459544d75b09e6cf603d95f85b4c102c9c8fc59f566f0c2d27874baefef20bd63b193b4767bbbeb74d73a4fb5e9f51da502daace4fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DC4C6444-BCB1-4DE8-A572-11D93416C241}.FSD
Filesize
128KB

MD5
f0ba8f1b90d6fded12baadee98f4cb99

SHA1
66ffcd9002cf8bf6ab98baf93321053e5e8a0cab

SHA256
e7d6c56cd71ae0f6d9ab50258ccd3c2ca2b5b0432c4b3fa7f5befbf592544ef1

SHA512
aba3db56ca2443160a67f1881114cf119543a543ed6c2e54051da2da1da0da6efbd370b0389dc8f35cbd724bc6d7de06a8c6700274bf640f80b64bad38f27d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\rr[1].doc
Filesize
12KB

MD5
dbca576eca2dd4201a06f467ada3d524

SHA1
489ea5b066263a10ca81db28eed66545c6d2d4b2

SHA256
d90badc8f1680f191a5822f37582cc2e8ed39d044627c071812ad947b8a0a90f

SHA512
e48edabcbc2bc1f6d7ad91ffa5cd91e06c77ae7d4b074fb7eb15b20e8afe1f39229cb1be7921b18e3fb94f8c30e20ba61a22d46eafeb70229aa52722d99d7b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A17.tmp
Filesize
1KB

MD5
2dfe08f3ee47da656ba22385a6e085f7

SHA1
79c438e0a645fa7bf714a59b6f419e46af637d5f

SHA256
8c557bfebc17cb768e3ddff8e2519ba5ebbdbb821973a08f06ab1538013b4cfd

SHA512
96380a7f2ba15bb2cca589baed2a36f129868bc37a3d887eadbf02459f2f1d3c05c1c3ebaf1b3b5f9343d0045f1c7cc0fa7d0a92210863b251db4f50530c74e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5C9D101B-BDBE-4CD7-8920-1435D9A7B6C4}
Filesize
128KB

MD5
f2d7d7559ef3b630eee4ad9b2220d255

SHA1
f9e8fb2699cd5f51f10188d530d3cc527151d1a1

SHA256
912cdbf8789f99ba1d324127f130b02a3cf938d6cc0c3ecf3440fb94b52858e2

SHA512
b215351a7c2a0e4de376730e3ef26f7aafbbc5493e83de7b35fdf052d6882fb1f5c95eb4d469bcdaff395ed551156f25656eac1d11e36e73d955dfb64ea23407

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
105B

MD5
ef5c93397775c0240daba47626ee0b22

SHA1
e64cb17cb9e1af3a3d7689f786436873005c2a12

SHA256
fc0ea4509f1e1c815f59e36b6d991d21e4aaf220b17985f27b8cd566d9e8b9d7

SHA512
8bbd258c2696f41fdf4367adfbde9b96583479c7ab3d0c516edd3b4ecea4dcdbabdbacb85dd5264609f374b6f9ed38d47bd5c351e30bac8ee9f0757feee022fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
d91bf19fdabe71bac54559f2ffd9a0dd

SHA1
a13e7ab25ae6df36ef64faebc718a758864d2f9a

SHA256
7460ae6d2231ecda0b194508308e757a375af4da5ce4e979645a7764fa680dc4

SHA512
630a1b0955d9edded5b0393a2e2296280f7e115e7175cf1b56882fe1b787c74f4c9516927d3028784f5435db193c09e9716cf940e4b0c9a2b380f0696cb22e3b

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
C:\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
\Users\Public\vbc.exe
Filesize
977KB

MD5
0bbeb58e735d6bd4d0d30f150c36a15e

SHA1
8f63aa459a56f8fb80105e78537ef8189f1b92d6

SHA256
efd5a5231f12bcaa48f701b82ff32314b313e5484fabe8596a7ce9283a08f71c

SHA512
ac69a141e676a6115456db98b4d69dc7ffbcbb0001dc4d5a37259dbab1bacf7fb07712253f515e1848923665ce5d325c73276dfe0894f78e64e8d02422091c27

Download Submit
memory/1248-207-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1248-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1316-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-179-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1316-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1488-155-0x0000000007F30000-0x0000000007FDA000-memory.dmp

Filesize
680KB

Download
memory/1488-153-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1488-152-0x0000000000620000-0x000000000063A000-memory.dmp

Filesize
104KB

Download
memory/1488-154-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1488-162-0x00000000012F0000-0x0000000001322000-memory.dmp

Filesize
200KB

Download
memory/1488-161-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/1488-146-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1488-145-0x0000000001320000-0x000000000141A000-memory.dmp

Filesize
1000KB

Download
memory/1936-177-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1936-178-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download