Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
10-03-2023 13:05
Static task
static1
Behavioral task
behavioral1
Sample
SOA FEB 5400005716.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
SOA FEB 5400005716.docx
Resource
win10v2004-20230220-en
General
-
Target
SOA FEB 5400005716.docx
-
Size
10KB
-
MD5
90612ab017d9b62b0845de6b196a10f5
-
SHA1
679287fd3b0389e47cced0fca528b3bb0bbe94c6
-
SHA256
33a34f4bad59e1c90a3fa5f4239abf5f5f13080e7ec71c09cdf11088e9c5cd8c
-
SHA512
ee6395170cf4187379df05f1beab7449af8e37109a3524b4f89f0dcadc1ecea1515c8e31847ac93711f82118b86403335bd0bc58cb848bc7461b724821d5fa28
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOmlvzl+CVWBXJC0c325:SPXU/slT+LOQHkZC96
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.flexotechproducts.in - Port:
587 - Username:
accounts1@flexotechproducts.in - Password:
@Products$24 - Email To:
benard.rnuthuri@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 308 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221450129/wu.......................wu...................doc WINWORD.EXE -
Executes dropped EXE 4 IoCs
Processes:
vbc.exevbc.exevbc.exevbc.exepid process 1640 vbc.exe 1688 vbc.exe 1000 vbc.exe 1580 vbc.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 308 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNGtqM = "C:\\Users\\Admin\\AppData\\Roaming\\PNGtqM\\PNGtqM.exe" vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 api.ipify.org 12 api.ipify.org -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 1640 set thread context of 1580 1640 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1204 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
vbc.exepowershell.exepid process 1640 vbc.exe 1640 vbc.exe 1640 vbc.exe 1640 vbc.exe 1640 vbc.exe 1640 vbc.exe 1116 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exevbc.exepowershell.exedescription pid process Token: SeDebugPrivilege 1640 vbc.exe Token: SeDebugPrivilege 1580 vbc.exe Token: SeDebugPrivilege 1116 powershell.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEvbc.exepid process 1204 WINWORD.EXE 1204 WINWORD.EXE 1580 vbc.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 308 wrote to memory of 1640 308 EQNEDT32.EXE vbc.exe PID 308 wrote to memory of 1640 308 EQNEDT32.EXE vbc.exe PID 308 wrote to memory of 1640 308 EQNEDT32.EXE vbc.exe PID 308 wrote to memory of 1640 308 EQNEDT32.EXE vbc.exe PID 1204 wrote to memory of 1524 1204 WINWORD.EXE splwow64.exe PID 1204 wrote to memory of 1524 1204 WINWORD.EXE splwow64.exe PID 1204 wrote to memory of 1524 1204 WINWORD.EXE splwow64.exe PID 1204 wrote to memory of 1524 1204 WINWORD.EXE splwow64.exe PID 1640 wrote to memory of 1116 1640 vbc.exe powershell.exe PID 1640 wrote to memory of 1116 1640 vbc.exe powershell.exe PID 1640 wrote to memory of 1116 1640 vbc.exe powershell.exe PID 1640 wrote to memory of 1116 1640 vbc.exe powershell.exe PID 1640 wrote to memory of 1336 1640 vbc.exe schtasks.exe PID 1640 wrote to memory of 1336 1640 vbc.exe schtasks.exe PID 1640 wrote to memory of 1336 1640 vbc.exe schtasks.exe PID 1640 wrote to memory of 1336 1640 vbc.exe schtasks.exe PID 1640 wrote to memory of 1688 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1688 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1688 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1688 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1000 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1000 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1000 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1000 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe PID 1640 wrote to memory of 1580 1640 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA FEB 5400005716.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\keRXZQSqL.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\keRXZQSqL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp122B.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D6DA33E8-DA7A-4E83-ADAB-3EF919FD7A3D}.FSDFilesize
128KB
MD5f036cf37389f405f7082e75c9ff64630
SHA1f83f506c4ebbc2339a740e0143eef499bca78cec
SHA25625a8bcce677b7decaf238d481f52bd22f7b1896d70bc0509df9d2a5278741b8a
SHA512c2a154ced1a82c66e116f2c4f8e1d118605919fc291f7bf9106e2e13231d16d21e60d4973a00de000748f9de580dde4010c94253447d948c8c269c4198ae5e04
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD549906bd301b40c26931e0bf33cdefac7
SHA1722aa8498c0dde12d57b424d0577d615a21c0d37
SHA2566696ff7eb51f5103643f5e729eeacb9fc0a1f4b8fc4746120577cb4ed0690db8
SHA51296a680969757548461f7a4a07cec0a729cf3d2659e831e219cecd1cda4bea5fda8083acf941c8a4fbc479159ee99af61c1154bbe83e64bd4a93b339bea235eb3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\wu.......................wu[1].docFilesize
14KB
MD5e8597e58b548398887143df2e686e75a
SHA12e2ae49625da9c486b33679c2b670d3ed91fe264
SHA256ff8a98f618cc568b85dce1bed031b10686572fe0a2ebee71697d8e27c15a27ee
SHA512550aa1272da29c7236a1d8a1c304b2d95fe19d35c88a5a59ce194bc60ad74c5946e6ec1df2faf13d3c6aefe3d3beab1996a559dbdeaa2bea514c23629a0ace02
-
C:\Users\Admin\AppData\Local\Temp\tmp122B.tmpFilesize
1KB
MD506052b88dad5095817b7357c9f8f1827
SHA1b9d05995cfabb273b940d1b3992c94766450a440
SHA256c9e5921d169e3ee52d44583f65983153a15eaf3c123539e9f7332b6a0a835f3d
SHA5123ab3c611aa553618b6ef92e53e3d5e2c608325fb272aa4904af8e3a01e17d1ab0f6e126e156b2914b2fe8ab14b789a0bc7d162c3b40326a9f3a1e33f26a4225e
-
C:\Users\Admin\AppData\Local\Temp\{7EDF5E37-1A7B-4E77-A5FB-1E19ADB82102}Filesize
128KB
MD56cf9d7da23018e45553158fde9bab0ee
SHA1588cab359ece2cda8f83861bccef0001310c1bb5
SHA2563a100c25d954ab5860b1684eee7961d83a696895dffc85c31c670574badff6dd
SHA512fe6e9cd2016872056be7eb82d05a413174efdf3eee515b7f8fa9f34ddc00d588790753c5ce75e04da01f91536c069dbcacbf872689303b46e2863499f4e68bbe
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
C:\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
\Users\Public\vbc.exeFilesize
1.1MB
MD51fb0cd15b8150e5dfb87c8c78e679612
SHA1c53df088adbdc3f46e6a740a6ef5a856b74d252d
SHA25664419f99685683534332b5e140e29718e303936b67c86021e111126a6428bfe0
SHA512aa8ac207134f21e8222f7c7928b952ff253a446847b3dad1e670d23bbfe13abe15ab99a1140a3a57a27d3cb44d3f44a15906cbdc5aadb6b16b6887b71c39d93d
-
memory/1116-175-0x0000000001CD0000-0x0000000001D10000-memory.dmpFilesize
256KB
-
memory/1116-176-0x0000000001CD0000-0x0000000001D10000-memory.dmpFilesize
256KB
-
memory/1204-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1580-168-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1580-174-0x0000000004FC0000-0x0000000005000000-memory.dmpFilesize
256KB
-
memory/1580-195-0x0000000004FC0000-0x0000000005000000-memory.dmpFilesize
256KB
-
memory/1580-167-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1580-166-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1580-165-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1580-164-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1580-163-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1580-173-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1580-171-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1640-143-0x0000000000A30000-0x0000000000A44000-memory.dmpFilesize
80KB
-
memory/1640-150-0x0000000004A70000-0x0000000004AB0000-memory.dmpFilesize
256KB
-
memory/1640-151-0x0000000000A80000-0x0000000000A8C000-memory.dmpFilesize
48KB
-
memory/1640-160-0x0000000005300000-0x0000000005332000-memory.dmpFilesize
200KB
-
memory/1640-142-0x0000000004A70000-0x0000000004AB0000-memory.dmpFilesize
256KB
-
memory/1640-141-0x0000000000AB0000-0x0000000000BC8000-memory.dmpFilesize
1.1MB
-
memory/1640-152-0x00000000058F0000-0x000000000599C000-memory.dmpFilesize
688KB