agenttesla | da53bd57af58ae908cd30e303113930cecbd995719404e2dbd7009f0bc54926d

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-03-2023 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO 010-240.docx
Size

10KB
MD5

84b25af93d91ad40962a0db9403cc644
SHA1

d38e907dfbe22b0e0eb7ab7ae8515eb69a7dddbc
SHA256

da53bd57af58ae908cd30e303113930cecbd995719404e2dbd7009f0bc54926d
SHA512

ff3b085bde3ccff0592453ded391daac66819d5c8ad3035cb7c567891528ceb0c014c3265f8735cfa780de5d06c746a24f2d1504d669fbd17660f42ab855437c
SSDEEP

192:ScIMmtP1aIG/bslPL++uOw4Nl+CVWBXJC0c3qe:SPXU/slT+LOw6HkZC9h

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
002@frem-tr.com
Password:
jCXzqcP1 daniel 3116
Email To:
002@frem-tr.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1376 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1376	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3324948138/bg...................................doc	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

484 vbc.exe
1640 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1376 EQNEDT32.EXE
1376 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
484	vbc.exe
1640	vbc.exe

pid	process
1376	EQNEDT32.EXE
1376	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe"	vbc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 484 set thread context of 1640 484 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1376 EQNEDT32.EXE

description	pid	process	target process
PID 484 set thread context of 1640	484	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1548	schtasks.exe

pid	process
1376	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1396 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exepowershell.exe

pid process

484 vbc.exe
484 vbc.exe
960 powershell.exe

pid	process
1396	WINWORD.EXE

pid	process
484	vbc.exe
484	vbc.exe
960	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	484	vbc.exe
Token: SeDebugPrivilege	1640	vbc.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeShutdownPrivilege	1396	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1396 WINWORD.EXE
1396 WINWORD.EXE

pid	process
1396	WINWORD.EXE
1396	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1376 wrote to memory of 484	1376	EQNEDT32.EXE	vbc.exe
PID 1376 wrote to memory of 484	1376	EQNEDT32.EXE	vbc.exe
PID 1376 wrote to memory of 484	1376	EQNEDT32.EXE	vbc.exe
PID 1376 wrote to memory of 484	1376	EQNEDT32.EXE	vbc.exe
PID 1396 wrote to memory of 980	1396	WINWORD.EXE	splwow64.exe
PID 1396 wrote to memory of 980	1396	WINWORD.EXE	splwow64.exe
PID 1396 wrote to memory of 980	1396	WINWORD.EXE	splwow64.exe
PID 1396 wrote to memory of 980	1396	WINWORD.EXE	splwow64.exe
PID 484 wrote to memory of 960	484	vbc.exe	powershell.exe
PID 484 wrote to memory of 960	484	vbc.exe	powershell.exe
PID 484 wrote to memory of 960	484	vbc.exe	powershell.exe
PID 484 wrote to memory of 960	484	vbc.exe	powershell.exe
PID 484 wrote to memory of 1548	484	vbc.exe	schtasks.exe
PID 484 wrote to memory of 1548	484	vbc.exe	schtasks.exe
PID 484 wrote to memory of 1548	484	vbc.exe	schtasks.exe
PID 484 wrote to memory of 1548	484	vbc.exe	schtasks.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe
PID 484 wrote to memory of 1640	484	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO 010-240.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:980

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iygpxcCSjijj.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iygpxcCSjijj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B07.tmp"
3⤵
- Creates scheduled task(s)
PID:1548

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{72E3EE97-8BF5-4DA3-9535-20ADF3F799C4}.FSD
Filesize
128KB

MD5
8294f86fcb2c759f625e262887c3cce5

SHA1
ef385f056f021b1ce9d1918a725dc9b986b39ac1

SHA256
49f9cc79f15d58c27a317b9e33a6c675b9898410cdc636d37fd635d7d718eba8

SHA512
0e3b77b868a6458340cd3b363e2d259fc397febffda52438491b0b661616679dd3643010a6553b2363b612a313002024e63fd0298f263f3a555ae2c1f5a6884e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
8c2e34ca99f05d9fd3f5e4fbe8fa52bc

SHA1
aede97bf87c364415e418cd2a2fef1377b5c16f9

SHA256
04c0e998afad308ef732a35460754ba7a70128a5edf49079c490b903a67d3f93

SHA512
8fffa1692c96be78d3caab9a095f002a32017ea4e6140ea4ef5cc67819d3da09e7194f470911050c4a74d2a676c37de7c5830343f43358d7fbf0a08b9f214592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0C2E4E9E-8A5D-4E26-A5D5-ED4D4339BC91}.FSD
Filesize
128KB

MD5
a4e5fd16ff5597f10e464158b9266d40

SHA1
e76d1f3247cfac0f6b551848df5e80bbd69561fe

SHA256
fad5568835b17dbf2da14f71ecf0744a004d096c1bc6072b9a915197f21d2b95

SHA512
7095edbcb8959bae9394a01c5976538ba2f0f2cb4ac7bc50bbdaf5cf98ddc4413021dee457b92c1bd9868660e2237ff703601a992e94a4dddc57eb187b9e4a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\bg[1].doc
Filesize
12KB

MD5
ba628c629f3472e3b57de14e3cdb05d2

SHA1
b492c03cb6824682d575a6b77e3c1c3b7755a331

SHA256
e399cdab404d5046aba55ff32346f96349d482763a3b1c633c9a8fb594f09a17

SHA512
41fd46f514437a823eef56dd83adf3e8e2f7270ca1a24734a3f639ba3f82db55c170d5056854832602d65e75f2d5772847fbd18e8f9531fc406e8aa62db63cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B07.tmp
Filesize
1KB

MD5
1ceb1788c847229f921cf27a602e7a55

SHA1
1d2b6e02e6c0a7949a6bce9d5379058fc07e0cfc

SHA256
fc47d872c799921b8e56959e9d8b894b822c54a515ca200633223f46f6d56541

SHA512
d6b39fc548bd9ca11ac2aa5447e56e7b04263b7ced840ab858948ca6bd21acd717b931dd16f2a5e0427005f03d088fe15766f1a33226a6ba1a9fee993651dc55

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D7B27D05-4816-4E66-8AFF-AC258304C043}
Filesize
128KB

MD5
a89830b02d38d0bcb5b6f647502cfda8

SHA1
f2c35616d70c6be50864395e4278065605dbd88a

SHA256
3402d77408eedf2eb33f3641caaf0557582bf6254b234b3870c977c55caaf153

SHA512
5c0c86473848161d588e84f3d8f2afba6bb45ecfef7d64b0882fe96e7b528ad2a1b4d50c37f1fb921004225a03f4789d9d681d696b9ada680bfac8a8c00bc1e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
a5b715d23dc73414945c461203a0b368

SHA1
bb0969750e0298f75beee848c2bf5433af322fc9

SHA256
40329570c7ff0c06816421240018ca8e2aea81fd157f0f5446f13e83033af6cb

SHA512
d35a5fb5b2879e6cbd26b0fd45903869fb51307d9536626dd08aac7fb2d1ad817fe0d36e9fba5904d26bf4839f6157c240aeac626eca5ea8dd3cfe8dd48853ea

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
131ff0ef35352e56cef2893ab1260c3d

SHA1
8cae139353e77e1e4bd08f86934160f9f23cffa9

SHA256
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b

SHA512
1b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
131ff0ef35352e56cef2893ab1260c3d

SHA1
8cae139353e77e1e4bd08f86934160f9f23cffa9

SHA256
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b

SHA512
1b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
131ff0ef35352e56cef2893ab1260c3d

SHA1
8cae139353e77e1e4bd08f86934160f9f23cffa9

SHA256
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b

SHA512
1b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.1MB

MD5
131ff0ef35352e56cef2893ab1260c3d

SHA1
8cae139353e77e1e4bd08f86934160f9f23cffa9

SHA256
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b

SHA512
1b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0

Download Submit
\Users\Public\vbc.exe
Filesize
1.1MB

MD5
131ff0ef35352e56cef2893ab1260c3d

SHA1
8cae139353e77e1e4bd08f86934160f9f23cffa9

SHA256
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b

SHA512
1b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0

Download Submit
\Users\Public\vbc.exe
Filesize
1.1MB

MD5
131ff0ef35352e56cef2893ab1260c3d

SHA1
8cae139353e77e1e4bd08f86934160f9f23cffa9

SHA256
8c428b36093ad04e27a3ad86f06c716a9de37b502428211ecc15466fda55068b

SHA512
1b58c4a27bff9b3c82e531da84b3a03a8aeead32b5bec9c58fb3053de750a303b59aff7625061db824f44cf43f8164c47f8b7b4b2a27066985d75f60649b43c0

Download Submit
memory/484-155-0x00000000055D0000-0x000000000567A000-memory.dmp

Filesize
680KB

Download
memory/484-145-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/484-154-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/484-144-0x0000000001030000-0x0000000001154000-memory.dmp

Filesize
1.1MB

Download
memory/484-146-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/484-161-0x0000000000C20000-0x0000000000C26000-memory.dmp

Filesize
24KB

Download
memory/484-164-0x0000000004670000-0x00000000046A2000-memory.dmp

Filesize
200KB

Download
memory/484-153-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/960-177-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/960-178-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/1396-207-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1396-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1640-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-173-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-175-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-176-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1640-169-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1640-180-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1640-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-170-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download