agenttesla | 90f27e90f713d19d2cdef8defe1cff2f88dfdbde1d27197cf7f64b5aadae5eee

General

Target

016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.rtf
Size

35KB
MD5

c5f03dfe714e81188bc7c6a681b48147
SHA1

3fa716a9f1781eb63de8987d0a176c840643c3f9
SHA256

016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3
SHA512

781bdad3e8643ba187110b153cc8982c2809cb0ba0346a9c90a7121be5e583b719b22e5d404ee405812c0cce1355b2485a9b25b120c2ac0d025acd996e6838fa
SSDEEP

768:7Fx0XaIsnPRIa4fwJMJhpUMEuKNzE9apsX2RSbRqPqBhvb/d1:7f0Xvx3EM9zElNzDsNBtb/r

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.ungaplc.com
Port:
587
Username:
info@ungaplc.com
Password:
Maco@2022@
Email To:
afnrobertaol@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

3 876 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ugopoundtek3672.exeugopoundtek3672.exe

pid process

1820 ugopoundtek3672.exe
1788 ugopoundtek3672.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

876 EQNEDT32.EXE
876 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
3	876	EQNEDT32.EXE

pid	process
1820	ugopoundtek3672.exe
1788	ugopoundtek3672.exe

pid	process
876	EQNEDT32.EXE
876	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ugopoundtek3672.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ugopoundtek3672.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ugopoundtek3672.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ugopoundtek3672.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ugopoundtek3672.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKQShz = "C:\\Users\\Admin\\AppData\\Roaming\\TKQShz\\TKQShz.exe"	ugopoundtek3672.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

ugopoundtek3672.exe

description pid process target process

PID 1820 set thread context of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

876 EQNEDT32.EXE

flow	ioc
5	api.ipify.org
6	api.ipify.org

description	pid	process	target process
PID 1820 set thread context of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
876	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1296 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ugopoundtek3672.exe

description pid process

Token: SeDebugPrivilege 1788 ugopoundtek3672.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEugopoundtek3672.exe

pid process

1296 WINWORD.EXE
1296 WINWORD.EXE
1788 ugopoundtek3672.exe

pid	process
1296	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1788	ugopoundtek3672.exe

pid	process
1296	WINWORD.EXE
1296	WINWORD.EXE
1788	ugopoundtek3672.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEugopoundtek3672.exe

description	pid	process	target process
PID 876 wrote to memory of 1820	876	EQNEDT32.EXE	ugopoundtek3672.exe
PID 876 wrote to memory of 1820	876	EQNEDT32.EXE	ugopoundtek3672.exe
PID 876 wrote to memory of 1820	876	EQNEDT32.EXE	ugopoundtek3672.exe
PID 876 wrote to memory of 1820	876	EQNEDT32.EXE	ugopoundtek3672.exe
PID 1296 wrote to memory of 1728	1296	WINWORD.EXE	splwow64.exe
PID 1296 wrote to memory of 1728	1296	WINWORD.EXE	splwow64.exe
PID 1296 wrote to memory of 1728	1296	WINWORD.EXE	splwow64.exe
PID 1296 wrote to memory of 1728	1296	WINWORD.EXE	splwow64.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe
PID 1820 wrote to memory of 1788	1820	ugopoundtek3672.exe	ugopoundtek3672.exe

outlook_office_path 1 IoCs

Processes:

ugopoundtek3672.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ugopoundtek3672.exe

outlook_win_path 1 IoCs

Processes:

ugopoundtek3672.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ugopoundtek3672.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1728

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
"C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
"C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
2bd5f8a8465235d5b6b2d8cabf3d1846

SHA1
1f20270fe817bb3480659877cbd67dda37c7b73a

SHA256
92d27f8dfc6e6dcdd53e03cc8702b814ce6bc710163f9bd62008dd4882843d22

SHA512
0ed333b63ea674481f0bfc57462182bb68bf3edf0577821e14487129112a4e6b077116eb85a2e73aeabe85544ac64bd184e385ec72c173d021ade5a363403221

Download Submit
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
Filesize
795KB

MD5
4519de9e3f5efd9400ddfdea287b5daf

SHA1
3caede68f0bd9e89b241c73064dd75a29095b422

SHA256
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44

SHA512
656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c

Download Submit
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
Filesize
795KB

MD5
4519de9e3f5efd9400ddfdea287b5daf

SHA1
3caede68f0bd9e89b241c73064dd75a29095b422

SHA256
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44

SHA512
656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c

Download Submit
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
Filesize
795KB

MD5
4519de9e3f5efd9400ddfdea287b5daf

SHA1
3caede68f0bd9e89b241c73064dd75a29095b422

SHA256
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44

SHA512
656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c

Download Submit
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
Filesize
795KB

MD5
4519de9e3f5efd9400ddfdea287b5daf

SHA1
3caede68f0bd9e89b241c73064dd75a29095b422

SHA256
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44

SHA512
656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c

Download Submit
\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
Filesize
795KB

MD5
4519de9e3f5efd9400ddfdea287b5daf

SHA1
3caede68f0bd9e89b241c73064dd75a29095b422

SHA256
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44

SHA512
656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c

Download Submit
\Users\Admin\AppData\Roaming\ugopoundtek3672.exe
Filesize
795KB

MD5
4519de9e3f5efd9400ddfdea287b5daf

SHA1
3caede68f0bd9e89b241c73064dd75a29095b422

SHA256
6c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44

SHA512
656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c

Download Submit
memory/1296-134-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1296-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1788-113-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1788-93-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/1788-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1788-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1788-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1788-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1788-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1788-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1788-83-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1788-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1820-70-0x0000000000F80000-0x000000000104C000-memory.dmp

Filesize
816KB

Download
memory/1820-81-0x0000000000CD0000-0x0000000000D02000-memory.dmp

Filesize
200KB

Download
memory/1820-80-0x0000000005660000-0x000000000570A000-memory.dmp

Filesize
680KB

Download
memory/1820-79-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1820-77-0x0000000004F20000-0x0000000004F60000-memory.dmp

Filesize
256KB

Download
memory/1820-76-0x0000000000710000-0x0000000000730000-memory.dmp

Filesize
128KB

Download
memory/1820-71-0x0000000004F20000-0x0000000004F60000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads