Analysis
-
max time kernel
102s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
03-03-2023 14:25
Static task
static1
Behavioral task
behavioral1
Sample
PO 010-240.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO 010-240.docx
Resource
win10v2004-20230221-en
General
-
Target
PO 010-240.docx
-
Size
10KB
-
MD5
84b25af93d91ad40962a0db9403cc644
-
SHA1
d38e907dfbe22b0e0eb7ab7ae8515eb69a7dddbc
-
SHA256
da53bd57af58ae908cd30e303113930cecbd995719404e2dbd7009f0bc54926d
-
SHA512
ff3b085bde3ccff0592453ded391daac66819d5c8ad3035cb7c567891528ceb0c014c3265f8735cfa780de5d06c746a24f2d1504d669fbd17660f42ab855437c
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOw4Nl+CVWBXJC0c3qe:SPXU/slT+LOw6HkZC9h
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
002@frem-tr.com - Password:
jCXzqcP1 daniel 3116 - Email To:
002@frem-tr.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1376 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/bg...................................doc WINWORD.EXE -
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 484 vbc.exe 1640 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1376 EQNEDT32.EXE 1376 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe" vbc.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 484 set thread context of 1640 484 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1396 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exepowershell.exepid process 484 vbc.exe 484 vbc.exe 960 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
vbc.exevbc.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 484 vbc.exe Token: SeDebugPrivilege 1640 vbc.exe Token: SeDebugPrivilege 960 powershell.exe Token: SeShutdownPrivilege 1396 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1396 WINWORD.EXE 1396 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 1376 wrote to memory of 484 1376 EQNEDT32.EXE vbc.exe PID 1376 wrote to memory of 484 1376 EQNEDT32.EXE vbc.exe PID 1376 wrote to memory of 484 1376 EQNEDT32.EXE vbc.exe PID 1376 wrote to memory of 484 1376 EQNEDT32.EXE vbc.exe PID 1396 wrote to memory of 980 1396 WINWORD.EXE splwow64.exe PID 1396 wrote to memory of 980 1396 WINWORD.EXE splwow64.exe PID 1396 wrote to memory of 980 1396 WINWORD.EXE splwow64.exe PID 1396 wrote to memory of 980 1396 WINWORD.EXE splwow64.exe PID 484 wrote to memory of 960 484 vbc.exe powershell.exe PID 484 wrote to memory of 960 484 vbc.exe powershell.exe PID 484 wrote to memory of 960 484 vbc.exe powershell.exe PID 484 wrote to memory of 960 484 vbc.exe powershell.exe PID 484 wrote to memory of 1548 484 vbc.exe schtasks.exe PID 484 wrote to memory of 1548 484 vbc.exe schtasks.exe PID 484 wrote to memory of 1548 484 vbc.exe schtasks.exe PID 484 wrote to memory of 1548 484 vbc.exe schtasks.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe PID 484 wrote to memory of 1640 484 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 010-240.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iygpxcCSjijj.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iygpxcCSjijj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B07.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{72E3EE97-8BF5-4DA3-9535-20ADF3F799C4}.FSDFilesize
128KB
MD58294f86fcb2c759f625e262887c3cce5
SHA1ef385f056f021b1ce9d1918a725dc9b986b39ac1
SHA25649f9cc79f15d58c27a317b9e33a6c675b9898410cdc636d37fd635d7d718eba8
SHA5120e3b77b868a6458340cd3b363e2d259fc397febffda52438491b0b661616679dd3643010a6553b2363b612a313002024e63fd0298f263f3a555ae2c1f5a6884e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD58c2e34ca99f05d9fd3f5e4fbe8fa52bc
SHA1aede97bf87c364415e418cd2a2fef1377b5c16f9
SHA25604c0e998afad308ef732a35460754ba7a70128a5edf49079c490b903a67d3f93
SHA5128fffa1692c96be78d3caab9a095f002a32017ea4e6140ea4ef5cc67819d3da09e7194f470911050c4a74d2a676c37de7c5830343f43358d7fbf0a08b9f214592
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0C2E4E9E-8A5D-4E26-A5D5-ED4D4339BC91}.FSDFilesize
128KB
MD5a4e5fd16ff5597f10e464158b9266d40
SHA1e76d1f3247cfac0f6b551848df5e80bbd69561fe
SHA256fad5568835b17dbf2da14f71ecf0744a004d096c1bc6072b9a915197f21d2b95
SHA5127095edbcb8959bae9394a01c5976538ba2f0f2cb4ac7bc50bbdaf5cf98ddc4413021dee457b92c1bd9868660e2237ff703601a992e94a4dddc57eb187b9e4a3b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\bg[1].docFilesize
12KB
MD5ba628c629f3472e3b57de14e3cdb05d2
SHA1b492c03cb6824682d575a6b77e3c1c3b7755a331
SHA256e399cdab404d5046aba55ff32346f96349d482763a3b1c633c9a8fb594f09a17
SHA51241fd46f514437a823eef56dd83adf3e8e2f7270ca1a24734a3f639ba3f82db55c170d5056854832602d65e75f2d5772847fbd18e8f9531fc406e8aa62db63cfb
-
C:\Users\Admin\AppData\Local\Temp\tmp2B07.tmpFilesize
1KB
MD51ceb1788c847229f921cf27a602e7a55
SHA11d2b6e02e6c0a7949a6bce9d5379058fc07e0cfc
SHA256fc47d872c799921b8e56959e9d8b894b822c54a515ca200633223f46f6d56541
SHA512d6b39fc548bd9ca11ac2aa5447e56e7b04263b7ced840ab858948ca6bd21acd717b931dd16f2a5e0427005f03d088fe15766f1a33226a6ba1a9fee993651dc55
-
C:\Users\Admin\AppData\Local\Temp\{D7B27D05-4816-4E66-8AFF-AC258304C043}Filesize
128KB
MD5a89830b02d38d0bcb5b6f647502cfda8
SHA1f2c35616d70c6be50864395e4278065605dbd88a
SHA2563402d77408eedf2eb33f3641caaf0557582bf6254b234b3870c977c55caaf153
SHA5125c0c86473848161d588e84f3d8f2afba6bb45ecfef7d64b0882fe96e7b528ad2a1b4d50c37f1fb921004225a03f4789d9d681d696b9ada680bfac8a8c00bc1e1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5a5b715d23dc73414945c461203a0b368
SHA1bb0969750e0298f75beee848c2bf5433af322fc9
SHA25640329570c7ff0c06816421240018ca8e2aea81fd157f0f5446f13e83033af6cb
SHA512d35a5fb5b2879e6cbd26b0fd45903869fb51307d9536626dd08aac7fb2d1ad817fe0d36e9fba5904d26bf4839f6157c240aeac626eca5ea8dd3cfe8dd48853ea
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD5131ff0ef35352e56cef2893ab1260c3d
SHA18cae139353e77e1e4bd08f86934160f9f23cffa9
SHA2568c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
SHA5121b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD5131ff0ef35352e56cef2893ab1260c3d
SHA18cae139353e77e1e4bd08f86934160f9f23cffa9
SHA2568c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
SHA5121b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD5131ff0ef35352e56cef2893ab1260c3d
SHA18cae139353e77e1e4bd08f86934160f9f23cffa9
SHA2568c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
SHA5121b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD5131ff0ef35352e56cef2893ab1260c3d
SHA18cae139353e77e1e4bd08f86934160f9f23cffa9
SHA2568c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
SHA5121b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0
-
\Users\Public\vbc.exeFilesize
1.1MB
MD5131ff0ef35352e56cef2893ab1260c3d
SHA18cae139353e77e1e4bd08f86934160f9f23cffa9
SHA2568c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
SHA5121b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0
-
\Users\Public\vbc.exeFilesize
1.1MB
MD5131ff0ef35352e56cef2893ab1260c3d
SHA18cae139353e77e1e4bd08f86934160f9f23cffa9
SHA2568c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b
SHA5121b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0
-
memory/484-155-0x00000000055D0000-0x000000000567A000-memory.dmpFilesize
680KB
-
memory/484-145-0x0000000000E20000-0x0000000000E60000-memory.dmpFilesize
256KB
-
memory/484-154-0x00000000002E0000-0x00000000002EC000-memory.dmpFilesize
48KB
-
memory/484-144-0x0000000001030000-0x0000000001154000-memory.dmpFilesize
1.1MB
-
memory/484-146-0x0000000000560000-0x000000000057A000-memory.dmpFilesize
104KB
-
memory/484-161-0x0000000000C20000-0x0000000000C26000-memory.dmpFilesize
24KB
-
memory/484-164-0x0000000004670000-0x00000000046A2000-memory.dmpFilesize
200KB
-
memory/484-153-0x0000000000E20000-0x0000000000E60000-memory.dmpFilesize
256KB
-
memory/960-177-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/960-178-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/1396-207-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1396-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1640-167-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-173-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-166-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-175-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-165-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-176-0x0000000004D50000-0x0000000004D90000-memory.dmpFilesize
256KB
-
memory/1640-169-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1640-180-0x0000000004D50000-0x0000000004D90000-memory.dmpFilesize
256KB
-
memory/1640-168-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-170-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB