agenttesla | fc62c715d35b798f1f0d8e0b6c6c7c072d7f9513e53a8d81dd54d6f8abd1987a

Analysis

max time kernel
128s
max time network
105s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI.docx
Size

10KB
MD5

45de2abc12fcc5f27d9114096e630ab2
SHA1

262095d080b430dbba50d9ce90cfc9822952ad7d
SHA256

fc62c715d35b798f1f0d8e0b6c6c7c072d7f9513e53a8d81dd54d6f8abd1987a
SHA512

0d63da29f3274a988b54df0b0bda6fb0f2c35d56180a28941f4757d1eec40f72a791a1091aebf1a18a68c61aa9fdc281f5b528b0833f39e4c91cb2b271978990
SSDEEP

192:ScIMmtP1aIG/bslPL++uOAl+CVWBXJC0c3YV:SPXU/slT+LOAHkZC9Y

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.huiijingco.com
Port:
587
Username:
m@huiijingco.com
Password:
lNLUrZT2

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/824-164-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/824-165-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/824-167-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/824-169-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/824-171-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1760-172-0x0000000002570000-0x00000000025B0000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

10 980 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
10	980	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://392095676/97..........................97.......................doc	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

696 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

980 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
696	vbc.exe

pid	process
980	EQNEDT32.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 696 set thread context of 824 696 vbc.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

772 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

980 EQNEDT32.EXE

description	pid	process	target process
PID 696 set thread context of 824	696	vbc.exe	RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
772	schtasks.exe

pid	process
980	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exeRegSvcs.exepowershell.exe

pid process

696 vbc.exe
696 vbc.exe
824 RegSvcs.exe
824 RegSvcs.exe
1760 powershell.exe

pid	process
1728	WINWORD.EXE

pid	process
696	vbc.exe
696	vbc.exe
824	RegSvcs.exe
824	RegSvcs.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeRegSvcs.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	696	vbc.exe
Token: SeDebugPrivilege	824	RegSvcs.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeShutdownPrivilege	1728	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1728 WINWORD.EXE
1728 WINWORD.EXE

pid	process
1728	WINWORD.EXE
1728	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 980 wrote to memory of 696	980	EQNEDT32.EXE	vbc.exe
PID 980 wrote to memory of 696	980	EQNEDT32.EXE	vbc.exe
PID 980 wrote to memory of 696	980	EQNEDT32.EXE	vbc.exe
PID 980 wrote to memory of 696	980	EQNEDT32.EXE	vbc.exe
PID 1728 wrote to memory of 1132	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 1132	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 1132	1728	WINWORD.EXE	splwow64.exe
PID 1728 wrote to memory of 1132	1728	WINWORD.EXE	splwow64.exe
PID 696 wrote to memory of 1760	696	vbc.exe	powershell.exe
PID 696 wrote to memory of 1760	696	vbc.exe	powershell.exe
PID 696 wrote to memory of 1760	696	vbc.exe	powershell.exe
PID 696 wrote to memory of 1760	696	vbc.exe	powershell.exe
PID 696 wrote to memory of 772	696	vbc.exe	schtasks.exe
PID 696 wrote to memory of 772	696	vbc.exe	schtasks.exe
PID 696 wrote to memory of 772	696	vbc.exe	schtasks.exe
PID 696 wrote to memory of 772	696	vbc.exe	schtasks.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe
PID 696 wrote to memory of 824	696	vbc.exe	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1132

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dnQFLCEmWnEf.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dnQFLCEmWnEf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BEF.tmp"
3⤵
- Creates scheduled task(s)
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{05B1DA15-CDBA-48AE-ACA2-F81E2C3F56F3}.FSD
Filesize
128KB

MD5
b99f5fb0b0f6fa7077b839aa3ed6046d

SHA1
0812bc97e909e9956f71000cd59369bf117e775d

SHA256
54c74d4527c71965108c9dac27ea86fe322300a7f5d68d4fc46b3c5e2c5a5e3f

SHA512
70744594f9f5ebf369658d2b1aad6719152a9e7f55424bd7e82102c1e3aa0eea0c2fd6e6a10a4485cac5116f0c5f5d059d1b5ff0c28b647db677837bd50df51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
f4a2b556016209bf7f4c2a47c00fd70d

SHA1
6824f4d45fffd0f8d2f1d9f9385a187e63061108

SHA256
24e6c051f57e737bc1f5fb530bc3c56ada8422bfde22d4041de18650778a2442

SHA512
9d2f33c60aaf98138739c78d622a4fabf38dfcc5828b2d89c17249f675ad07d4871b2b54af6d9387eb6bdf5254cb0aa459db3301a34efabf6842858221a0d046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{2BEBBAF1-E6E2-41ED-B93C-388A969293EE}.FSD
Filesize
128KB

MD5
a1b7bba297ffd18f74c63602d9c66b9a

SHA1
af33970b1729d8b3747aca0ea1d550a0eec8bb04

SHA256
00d92b3fd3d313695bfa86fd5ec623e624bac8eea913c2f419370a2e852003ff

SHA512
c1ae64f5f8c82be59f663b324a1a1f217063656655b2cf7a345c8608c1d0611e20e4eca1c0da3499696a2b2f37b6422c88f007e94adbc7a2f2212a6e6518a3ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\97..........................97[1].doc
Filesize
14KB

MD5
9d7082961f5f3573a91e9b74d03e9fae

SHA1
f9e589ba07c52dbd7c067982637bb4d84d161667

SHA256
be3c88032ae6e9431d86e4d9209b0fbe2f157b3a8539cc3d3afb60f1985b8762

SHA512
63dc7f9130979af45a3102735f44afea7ad996afa374caaf525330b0870604ef5d292a8495c9c5c0888162050cbc33d101835a9e86f0af3ec44bd74752f47786

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BEF.tmp
Filesize
1KB

MD5
fea03c1e1462e6ac64ead51293961eeb

SHA1
e76264d34b15f2cb16eef2e728ff8aa4c6ea5ea3

SHA256
d1f26f78e247eecae1415534338a26c8d91567c88d04b955c86bc38a8de5c4a1

SHA512
500dfdc09c0978180e5284d89592ff22b19dfcc2b0132c39cd965a1d49f370388b0fdcd57ab03a28629d207711aa866fe2c491841a5a26dba5e1cdd9d8f25163

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BD86F1FD-E197-4266-A018-41D824D5FEB8}
Filesize
128KB

MD5
86709f4dfe86e0465bcff2b5fb314c12

SHA1
9817f1c91554d9e6f9da399a6cf2ff9da0555ef6

SHA256
f6aa455aa905d6ead10e548a4345c9d48d8b6942db1b5bd96f46bdbe0993a6b6

SHA512
ee0a2e2ee90de5bb03ada592c06cd5090cabc0f4f5c1d3f318607648fbdcc2ceddecb3e9b6156495f090702ad897604ed790200db70294cb7069f66a5db27516

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
c6a0a935f6ca34cc87b3b501e47dc545

SHA1
e52527b91331b47f99f3ea8a7ac3ba857e97e3d8

SHA256
f9bf6aeccfe959c9c05fea8ec1b84cb42533b0281ff741c372ed01d45b4ee98f

SHA512
6ed2854c63afb9ac73063073ada06a9500308a1b5ef912183766e6d367c8dc9a7998312b7d9378879a0cd9cbeddadecf5a59bbd59dc445e69ac943aa106d977e

Download Submit
C:\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
C:\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
C:\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
\Users\Public\vbc.exe
Filesize
952KB

MD5
9dd97b3380058856a357c1f1185459e5

SHA1
03265ace06f8556bc9778f6ec9a7d41f25aa1544

SHA256
ffd22ff93a2dcc371fd090f4855494e14ebdd61fbd1c4995a31b3dfb74bade9b

SHA512
cef0de270220546566cb4097ae370402209ad4955959356a9c271dcda751d7ae183e82a155de4d6ea1530be765709b27607adce615581c9d0b444c494c02697e

Download Submit
memory/696-151-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/696-145-0x00000000004D0000-0x00000000004EE000-memory.dmp

Filesize
120KB

Download
memory/696-150-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/696-142-0x0000000000B00000-0x0000000000BF4000-memory.dmp

Filesize
976KB

Download
memory/696-152-0x0000000005A40000-0x0000000005B1A000-memory.dmp

Filesize
872KB

Download
memory/696-143-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/696-158-0x0000000004720000-0x0000000004728000-memory.dmp

Filesize
32KB

Download
memory/696-161-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/824-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-164-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/824-165-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1728-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1728-200-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-172-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1760-173-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download