Analysis
-
max time kernel
102s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
28-03-2023 02:23
Static task
static1
Behavioral task
behavioral1
Sample
016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.rtf
Resource
win10v2004-20230220-en
General
-
Target
016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.rtf
-
Size
35KB
-
MD5
c5f03dfe714e81188bc7c6a681b48147
-
SHA1
3fa716a9f1781eb63de8987d0a176c840643c3f9
-
SHA256
016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3
-
SHA512
781bdad3e8643ba187110b153cc8982c2809cb0ba0346a9c90a7121be5e583b719b22e5d404ee405812c0cce1355b2485a9b25b120c2ac0d025acd996e6838fa
-
SSDEEP
768:7Fx0XaIsnPRIa4fwJMJhpUMEuKNzE9apsX2RSbRqPqBhvb/d1:7f0Xvx3EM9zElNzDsNBtb/r
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.ungaplc.com - Port:
587 - Username:
info@ungaplc.com - Password:
Maco@2022@ - Email To:
afnrobertaol@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 876 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
ugopoundtek3672.exeugopoundtek3672.exepid process 1820 ugopoundtek3672.exe 1788 ugopoundtek3672.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 876 EQNEDT32.EXE 876 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
ugopoundtek3672.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ugopoundtek3672.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ugopoundtek3672.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ugopoundtek3672.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ugopoundtek3672.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKQShz = "C:\\Users\\Admin\\AppData\\Roaming\\TKQShz\\TKQShz.exe" ugopoundtek3672.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org 6 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ugopoundtek3672.exedescription pid process target process PID 1820 set thread context of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1296 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ugopoundtek3672.exedescription pid process Token: SeDebugPrivilege 1788 ugopoundtek3672.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEugopoundtek3672.exepid process 1296 WINWORD.EXE 1296 WINWORD.EXE 1788 ugopoundtek3672.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEugopoundtek3672.exedescription pid process target process PID 876 wrote to memory of 1820 876 EQNEDT32.EXE ugopoundtek3672.exe PID 876 wrote to memory of 1820 876 EQNEDT32.EXE ugopoundtek3672.exe PID 876 wrote to memory of 1820 876 EQNEDT32.EXE ugopoundtek3672.exe PID 876 wrote to memory of 1820 876 EQNEDT32.EXE ugopoundtek3672.exe PID 1296 wrote to memory of 1728 1296 WINWORD.EXE splwow64.exe PID 1296 wrote to memory of 1728 1296 WINWORD.EXE splwow64.exe PID 1296 wrote to memory of 1728 1296 WINWORD.EXE splwow64.exe PID 1296 wrote to memory of 1728 1296 WINWORD.EXE splwow64.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe PID 1820 wrote to memory of 1788 1820 ugopoundtek3672.exe ugopoundtek3672.exe -
outlook_office_path 1 IoCs
Processes:
ugopoundtek3672.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ugopoundtek3672.exe -
outlook_win_path 1 IoCs
Processes:
ugopoundtek3672.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ugopoundtek3672.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe"C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe"C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD52bd5f8a8465235d5b6b2d8cabf3d1846
SHA11f20270fe817bb3480659877cbd67dda37c7b73a
SHA25692d27f8dfc6e6dcdd53e03cc8702b814ce6bc710163f9bd62008dd4882843d22
SHA5120ed333b63ea674481f0bfc57462182bb68bf3edf0577821e14487129112a4e6b077116eb85a2e73aeabe85544ac64bd184e385ec72c173d021ade5a363403221
-
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exeFilesize
795KB
MD54519de9e3f5efd9400ddfdea287b5daf
SHA13caede68f0bd9e89b241c73064dd75a29095b422
SHA2566c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
SHA512656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c
-
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exeFilesize
795KB
MD54519de9e3f5efd9400ddfdea287b5daf
SHA13caede68f0bd9e89b241c73064dd75a29095b422
SHA2566c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
SHA512656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c
-
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exeFilesize
795KB
MD54519de9e3f5efd9400ddfdea287b5daf
SHA13caede68f0bd9e89b241c73064dd75a29095b422
SHA2566c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
SHA512656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c
-
C:\Users\Admin\AppData\Roaming\ugopoundtek3672.exeFilesize
795KB
MD54519de9e3f5efd9400ddfdea287b5daf
SHA13caede68f0bd9e89b241c73064dd75a29095b422
SHA2566c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
SHA512656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c
-
\Users\Admin\AppData\Roaming\ugopoundtek3672.exeFilesize
795KB
MD54519de9e3f5efd9400ddfdea287b5daf
SHA13caede68f0bd9e89b241c73064dd75a29095b422
SHA2566c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
SHA512656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c
-
\Users\Admin\AppData\Roaming\ugopoundtek3672.exeFilesize
795KB
MD54519de9e3f5efd9400ddfdea287b5daf
SHA13caede68f0bd9e89b241c73064dd75a29095b422
SHA2566c8b93bdd0153dfe2c4ff9e4c758ec44f3e01fbb77cb54b51e7ed07efa734a44
SHA512656a759aee1b28d470bf32368e4d0372786515a1477730e3e790e642242ec4d801180361ff79af85d7d99164e6686823ebb85ee36ccbd612065d5a14d389004c
-
memory/1296-134-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1296-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1788-113-0x0000000004F50000-0x0000000004F90000-memory.dmpFilesize
256KB
-
memory/1788-93-0x0000000004F50000-0x0000000004F90000-memory.dmpFilesize
256KB
-
memory/1788-90-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1788-92-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1788-82-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1788-85-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1788-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1788-84-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1788-83-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1788-87-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1820-70-0x0000000000F80000-0x000000000104C000-memory.dmpFilesize
816KB
-
memory/1820-81-0x0000000000CD0000-0x0000000000D02000-memory.dmpFilesize
200KB
-
memory/1820-80-0x0000000005660000-0x000000000570A000-memory.dmpFilesize
680KB
-
memory/1820-79-0x00000000009E0000-0x00000000009EC000-memory.dmpFilesize
48KB
-
memory/1820-77-0x0000000004F20000-0x0000000004F60000-memory.dmpFilesize
256KB
-
memory/1820-76-0x0000000000710000-0x0000000000730000-memory.dmpFilesize
128KB
-
memory/1820-71-0x0000000004F20000-0x0000000004F60000-memory.dmpFilesize
256KB