agenttesla | 0aa8fae7adcb3b01e64ff034585ab4f7dda57eef969732ca1f46a4645e25bf7e

Analysis

max time kernel
101s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-03-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 84889-CVE2-52022.docx
Size

10KB
MD5

26898dc21c47a0c8ce44952f38be7558
SHA1

7ca47776ae520edbb07d58e90e8f8b0194ca4def
SHA256

0aa8fae7adcb3b01e64ff034585ab4f7dda57eef969732ca1f46a4645e25bf7e
SHA512

36564d02ffc9df006a818909ae1b0c0e4a38f325758b55dc1d61f519c70d41b4f2970338cf9cd87323adaf4df014e79e33886af9aaf36cb893ca8bcff590d883
SSDEEP

192:ScIMmtP1aIG/bslPL++uO+zl+CVWBXJC0c3ue:SPXU/slT+LO+zHkZC91

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.huiijingco.com
Port:
587
Username:
m@huiijingco.com
Password:
lNLUrZT2
Email To:
m@huiijingco.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1332 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1332	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://267199949/e2....................doc	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

896 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1332 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
896	vbc.exe

pid	process
1332	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org

flow	ioc
9	api.ipify.org
10	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 896 set thread context of 1144 896 vbc.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1880 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1332 EQNEDT32.EXE

description	pid	process	target process
PID 896 set thread context of 1144	896	vbc.exe	RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1880	schtasks.exe

pid	process
1332	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1668 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exepowershell.exe

pid process

896 vbc.exe
896 vbc.exe
680 powershell.exe

pid	process
1668	WINWORD.EXE

pid	process
896	vbc.exe
896	vbc.exe
680	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeRegSvcs.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	896	vbc.exe
Token: SeDebugPrivilege	1144	RegSvcs.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeShutdownPrivilege	1668	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1668 WINWORD.EXE
1668 WINWORD.EXE

pid	process
1668	WINWORD.EXE
1668	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1332 wrote to memory of 896	1332	EQNEDT32.EXE	vbc.exe
PID 1332 wrote to memory of 896	1332	EQNEDT32.EXE	vbc.exe
PID 1332 wrote to memory of 896	1332	EQNEDT32.EXE	vbc.exe
PID 1332 wrote to memory of 896	1332	EQNEDT32.EXE	vbc.exe
PID 1668 wrote to memory of 468	1668	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 468	1668	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 468	1668	WINWORD.EXE	splwow64.exe
PID 1668 wrote to memory of 468	1668	WINWORD.EXE	splwow64.exe
PID 896 wrote to memory of 680	896	vbc.exe	powershell.exe
PID 896 wrote to memory of 680	896	vbc.exe	powershell.exe
PID 896 wrote to memory of 680	896	vbc.exe	powershell.exe
PID 896 wrote to memory of 680	896	vbc.exe	powershell.exe
PID 896 wrote to memory of 1880	896	vbc.exe	schtasks.exe
PID 896 wrote to memory of 1880	896	vbc.exe	schtasks.exe
PID 896 wrote to memory of 1880	896	vbc.exe	schtasks.exe
PID 896 wrote to memory of 1880	896	vbc.exe	schtasks.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe
PID 896 wrote to memory of 1144	896	vbc.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 84889-CVE2-52022.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:468

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\thHVOlYHyYRLoS.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\thHVOlYHyYRLoS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp"
3⤵
- Creates scheduled task(s)
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{85F3081F-3681-4532-BB08-F6A6723F069E}.FSD
Filesize
128KB

MD5
dd07c5881fc344707cb514d1a61c986a

SHA1
f00bcabf5b3248f94d0456e84e2f516b7e313022

SHA256
845a891e23e4ad58c96a83865f4adf4e2f20428fac96e7a033e3cc03547368c7

SHA512
ef2f5fa2e23271230db9ccedc011d9035653b6ddff0b5fda22f33b10390abf1b5ab08fc2e675ac39fae07fcaaf04d50210c7ae11cb171252ae9f0c41d68b61d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
b494e82d27f6da9a68660a30f641feb3

SHA1
9bab14f4baccd32700d3b0b75c1ce0a13967d2f6

SHA256
3741894c26d545806635edc187328e51948b28d4c552ae3d3e59fbd93f6e2aeb

SHA512
1fd65dfacd79bea86089ff7fd81431581d945c2bfb3489d7e37e04a075f64566ce1dde92296ff77b021459a9f0277a52edf811d811bf01de59dce08b90cd2842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{90D7D9CC-40B9-4DDA-A062-A5A7021FE5F8}.FSD
Filesize
128KB

MD5
dd48ae589f11d97e129cd2d0487010ac

SHA1
47b6678fc99816cdad417c48c7bcaad14a31de11

SHA256
3975cd6b6a1c69d33f78f0ae5231efab51f99bd0ea09779950043afe8551813d

SHA512
f38a061b50ee33f50d0cd7b92ae84779028bd4cb44e8c3af0b045a2d24d509f4ba78016a855ee15015edd18aa292a32b6bc3a10b1859f71808e33e09789428d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\e2[1].doc
Filesize
14KB

MD5
b13a74dca15cc4c5b3e73d60c4f100e3

SHA1
a67404eb18267d09a5d54f2e7ea9e85097bdd3f5

SHA256
5e41401cc62f4ff58c658edce9d1823e2f6f84a646c9aa1c7fbac7f091ebc614

SHA512
ae9ee73aca3b515f7cfa4a7672809cf3da69bcc91d2676bf4a5666986ad1e4603148edbb588b10bb0c03b55fe0d31b1e348bb7006482bd252a58dfb12facb1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp
Filesize
1KB

MD5
0bc3962d41075c400360f07c6a52e3aa

SHA1
15759f03f512172d9bb8b39ebc03eac0bac03826

SHA256
7db9f4840b7dcf2b79b916c42efe2a0ff12a0b52347ec993d595ec2e0339b31f

SHA512
0a0b241e098599578137d8157ac8d7217cfdd25d1645accf3a815c2d283efa9b9beeb507fa381ee4ebf1175bfd2ea23795d4dd44b02bc1c76de680bc9b11ea8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D4C61040-7E1C-4331-A302-DD6190966C93}
Filesize
128KB

MD5
e8c2d73265fcd3d2245c8fcf7e4e4b22

SHA1
a88750072b15d305a27143068240b3c7d2f20131

SHA256
5424b925e7d89022bda4e4cfe82e99d8850fc7082d022c4810b0a2c59945d53e

SHA512
ab84ae6b0c48ce6fe9d3e5af8e5c79131d7fed1f28900691b4b14fb6c083828abd16f93af0bcc08da3f42d71d16702ea75e40cd08abecc8ced74d64c14d04e50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
a2c431577be7e81f854aa11ae86b6d70

SHA1
90a776cd07cae92a138d2a24da43aea1ba98e61d

SHA256
a6ef2c8847b1e48287ff84cb7cdb5158297dd147a3dedc1cdfc9660ce6c29107

SHA512
f3b7ef9a9edfdf9ad2f04f947ce0dd701c2b6bb5d3e552370053e2159077ed66828b9e70d6a63ccbedec46fd58d734b2fda94073aa8c222edce586f8d2f2759c

Download Submit
C:\Users\Public\vbc.exe
Filesize
976KB

MD5
6d481784ddebd32b6a604a897874f25c

SHA1
928bba0214e7e44f12da24c6ae48d038b877abff

SHA256
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430

SHA512
3f42c61ebc447a6c6decac361d4aa609d287607780f83eef56a277eeb34847f2c6dce58ee77d833cbea6388846ff52a01237ecd88da230dd1d7d947c666dc04c

Download Submit
C:\Users\Public\vbc.exe
Filesize
976KB

MD5
6d481784ddebd32b6a604a897874f25c

SHA1
928bba0214e7e44f12da24c6ae48d038b877abff

SHA256
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430

SHA512
3f42c61ebc447a6c6decac361d4aa609d287607780f83eef56a277eeb34847f2c6dce58ee77d833cbea6388846ff52a01237ecd88da230dd1d7d947c666dc04c

Download Submit
C:\Users\Public\vbc.exe
Filesize
976KB

MD5
6d481784ddebd32b6a604a897874f25c

SHA1
928bba0214e7e44f12da24c6ae48d038b877abff

SHA256
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430

SHA512
3f42c61ebc447a6c6decac361d4aa609d287607780f83eef56a277eeb34847f2c6dce58ee77d833cbea6388846ff52a01237ecd88da230dd1d7d947c666dc04c

Download Submit
\Users\Public\vbc.exe
Filesize
976KB

MD5
6d481784ddebd32b6a604a897874f25c

SHA1
928bba0214e7e44f12da24c6ae48d038b877abff

SHA256
7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430

SHA512
3f42c61ebc447a6c6decac361d4aa609d287607780f83eef56a277eeb34847f2c6dce58ee77d833cbea6388846ff52a01237ecd88da230dd1d7d947c666dc04c

Download Submit
memory/680-172-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/680-173-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/896-143-0x00000000004C0000-0x00000000004DA000-memory.dmp

Filesize
104KB

Download
memory/896-145-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/896-150-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/896-151-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/896-152-0x0000000005480000-0x000000000552A000-memory.dmp

Filesize
680KB

Download
memory/896-142-0x00000000012E0000-0x00000000013DA000-memory.dmp

Filesize
1000KB

Download
memory/896-158-0x0000000004AE0000-0x0000000004AE6000-memory.dmp

Filesize
24KB

Download
memory/896-159-0x0000000004CC0000-0x0000000004CF2000-memory.dmp

Filesize
200KB

Download
memory/1144-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1144-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1144-174-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1668-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1668-218-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download