agenttesla | fc62c715d35b798f1f0d8e0b6c6c7c072d7f9513e53a8d81dd54d6f8abd1987a

Analysis

max time kernel
112s
max time network
103s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI.docx
Size

10KB
MD5

45de2abc12fcc5f27d9114096e630ab2
SHA1

262095d080b430dbba50d9ce90cfc9822952ad7d
SHA256

fc62c715d35b798f1f0d8e0b6c6c7c072d7f9513e53a8d81dd54d6f8abd1987a
SHA512

0d63da29f3274a988b54df0b0bda6fb0f2c35d56180a28941f4757d1eec40f72a791a1091aebf1a18a68c61aa9fdc281f5b528b0833f39e4c91cb2b271978990
SSDEEP

192:ScIMmtP1aIG/bslPL++uOAl+CVWBXJC0c3YV:SPXU/slT+LOAHkZC9Y

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.huiijingco.com
Port:
587
Username:
m@huiijingco.com
Password:
lNLUrZT2

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/896-164-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/896-165-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/896-167-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/896-169-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/896-171-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/896-175-0x00000000049D0000-0x0000000004A10000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1968 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1968	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://392095676/97..........................97.......................doc	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1784 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1968 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1784	vbc.exe

pid	process
1968	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1784 set thread context of 896 1784 vbc.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

288 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1968 EQNEDT32.EXE

description	pid	process	target process
PID 1784 set thread context of 896	1784	vbc.exe	RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
288	schtasks.exe

pid	process
1968	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1320 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exeRegSvcs.exepowershell.exe

pid process

1784 vbc.exe
1784 vbc.exe
896 RegSvcs.exe
896 RegSvcs.exe
1076 powershell.exe

pid	process
1320	WINWORD.EXE

pid	process
1784	vbc.exe
1784	vbc.exe
896	RegSvcs.exe
896	RegSvcs.exe
1076	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeRegSvcs.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1784	vbc.exe
Token: SeDebugPrivilege	896	RegSvcs.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeShutdownPrivilege	1320	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1320 WINWORD.EXE
1320 WINWORD.EXE

pid	process
1320	WINWORD.EXE
1320	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1968 wrote to memory of 1784	1968	EQNEDT32.EXE	vbc.exe
PID 1968 wrote to memory of 1784	1968	EQNEDT32.EXE	vbc.exe
PID 1968 wrote to memory of 1784	1968	EQNEDT32.EXE	vbc.exe
PID 1968 wrote to memory of 1784	1968	EQNEDT32.EXE	vbc.exe
PID 1320 wrote to memory of 1644	1320	WINWORD.EXE	splwow64.exe
PID 1320 wrote to memory of 1644	1320	WINWORD.EXE	splwow64.exe
PID 1320 wrote to memory of 1644	1320	WINWORD.EXE	splwow64.exe
PID 1320 wrote to memory of 1644	1320	WINWORD.EXE	splwow64.exe
PID 1784 wrote to memory of 1076	1784	vbc.exe	powershell.exe
PID 1784 wrote to memory of 1076	1784	vbc.exe	powershell.exe
PID 1784 wrote to memory of 1076	1784	vbc.exe	powershell.exe
PID 1784 wrote to memory of 1076	1784	vbc.exe	powershell.exe
PID 1784 wrote to memory of 288	1784	vbc.exe	schtasks.exe
PID 1784 wrote to memory of 288	1784	vbc.exe	schtasks.exe
PID 1784 wrote to memory of 288	1784	vbc.exe	schtasks.exe
PID 1784 wrote to memory of 288	1784	vbc.exe	schtasks.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe
PID 1784 wrote to memory of 896	1784	vbc.exe	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1644

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dnQFLCEmWnEf.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dnQFLCEmWnEf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1AB3.tmp"
3⤵
- Creates scheduled task(s)
PID:288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{10A7D58C-1C5A-40B1-88E8-A16B3A8E9DE8}.FSD
Filesize
128KB

MD5
65a3a33dbf175b9da5aa49611c7123c8

SHA1
03422f9695df057316c3a9eca6c5e7b49ffe0a86

SHA256
315851bbc1b31390c9cb8cffdb4dd1e718f6427c77f2f093a8eb2dd67a2be0ac

SHA512
3b0b152ad3c611952898ecffed207680f94f285bbfa509e90676d1cf3bd013a1c15883f8a18840f183afc3f521d78ebcc922bee001a12072e8971d802ac1a20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
38eaaacb47b30f0c6837a12695848f4e

SHA1
6c6805b064ff385bc3590558771e668dfb68cf45

SHA256
e8c1b4555593ebf0d968907d822bec1a22d2508caf9b359735db080ddae303f9

SHA512
20befbb76c72fc7362ba1c68c7852c0ab5d9ff0e70e52b12fb7bc7bb4f7804cc8801177bce8b66df12547e8e62ee128ae3ab179798c423382e1621140b6fda53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\97..........................97[1].doc
Filesize
14KB

MD5
9d7082961f5f3573a91e9b74d03e9fae

SHA1
f9e589ba07c52dbd7c067982637bb4d84d161667

SHA256
be3c88032ae6e9431d86e4d9209b0fbe2f157b3a8539cc3d3afb60f1985b8762

SHA512
63dc7f9130979af45a3102735f44afea7ad996afa374caaf525330b0870604ef5d292a8495c9c5c0888162050cbc33d101835a9e86f0af3ec44bd74752f47786

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AB3.tmp
Filesize
1KB

MD5
9d20e46f62756741d475e849b0e474d3

SHA1
11f79e4c7131b306d426a868962b544b6971573e

SHA256
47d5cf232e02ec505e32cde437e7daf4aaad740ea7e41ecd6758305dbec50f88

SHA512
60d66d17af466c2807e0a6a0d772a8fe1d24fe48337699fc6c6147e58fad0bb70ddfbf8683449d822c1c4a9379509620af5abf71d125044ac2e3ded818b8a802

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3F12D425-284D-493B-87BE-9CBCDDFD68D3}
Filesize
128KB

MD5
2e7185bf9c1bd28b08e3210a1f0f2b6a

SHA1
9a3dab5e95907e2fb7816ec43cd8c80abda090ba

SHA256
404337cf019757924673806679584597df3eebdb616c6f3b730bd81aba88be5b

SHA512
c53100bde69392fd2a3d3050a9892586cea028fb423ff79c57b9faff1a8ad07a82146a6b9c12661679c97a138c2aced9cb09e7e477da78b4225a47c73779e79e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
99B

MD5
2e3372b813fe7b1dac8dfb5d33a94e64

SHA1
8c02aa6f2cc68c34ab11736a45de19b74dcd4ccc

SHA256
5b1c0f06440b3674fae83343a44e555e6980cb32b1a92b6c8f509d325ca29540

SHA512
f0a5b83ec6659748260e6aa621ac140d21b034d8a5f0273fa428d211cd04e922b3c293bec69dca65fb277892151ca299a59e58562fe9fd2d78d97743ecad3fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
e210b6590c7a0359b27c1edf1d89a988

SHA1
cc4f4c17cb93e8e9e4c8df001b0c442fff02adaf

SHA256
e385e15d54971684ae682cb20487947a3e79fac187495903a4c347861770b21f

SHA512
9206fe4f167942b3881044051152be1de19da45975a9a457a3c80d39c37e6df540743e2ed6e52fc8f6c0c1f5b778de47445d265dc9eae7144bdeffc88a84b3c0

Download Submit
C:\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
C:\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
C:\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
memory/896-172-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/896-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-175-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/896-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/896-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/896-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-174-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/1076-173-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/1320-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1320-202-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1784-158-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/1784-150-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1784-159-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/1784-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-144-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1784-152-0x0000000005A20000-0x0000000005AFA000-memory.dmp

Filesize
872KB

Download
memory/1784-142-0x00000000011F0000-0x00000000012E4000-memory.dmp

Filesize
976KB

Download
memory/1784-151-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download