Analysis
-
max time kernel
103s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
28-03-2023 07:16
Static task
static1
Behavioral task
behavioral1
Sample
SOA MARCH.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
SOA MARCH.docx
Resource
win10v2004-20230220-en
General
-
Target
SOA MARCH.docx
-
Size
10KB
-
MD5
5fbdc2fd7b9fcf00d75d57db95a45780
-
SHA1
b2a03e0b531c008057d2c3f4eeedc2b5f3ccaca4
-
SHA256
973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3
-
SHA512
e2d59f0bcbcc7f973de9166d3eb7715cc69951f1f923843c91160c95c9ffea33e79b5747eeff375be6c6bf8c0c38e54a0d1401711c8b3acd1107fb15c8240f99
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3H5:SPXU/slT+LOzHkZC9Z
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1492 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221484439/31....................31.................doc WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE -
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 616 vbc.exe 624 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1492 EQNEDT32.EXE 1492 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\eubJfun = "C:\\Users\\Admin\\AppData\\Roaming\\eubJfun\\eubJfun.exe" vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 api.ipify.org 10 api.ipify.org -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 616 set thread context of 624 616 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1236 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exepowershell.exepid process 616 vbc.exe 616 vbc.exe 932 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
vbc.exevbc.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 616 vbc.exe Token: SeDebugPrivilege 624 vbc.exe Token: SeDebugPrivilege 932 powershell.exe Token: SeShutdownPrivilege 1236 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1236 WINWORD.EXE 1236 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 1492 wrote to memory of 616 1492 EQNEDT32.EXE vbc.exe PID 1492 wrote to memory of 616 1492 EQNEDT32.EXE vbc.exe PID 1492 wrote to memory of 616 1492 EQNEDT32.EXE vbc.exe PID 1492 wrote to memory of 616 1492 EQNEDT32.EXE vbc.exe PID 1236 wrote to memory of 860 1236 WINWORD.EXE splwow64.exe PID 1236 wrote to memory of 860 1236 WINWORD.EXE splwow64.exe PID 1236 wrote to memory of 860 1236 WINWORD.EXE splwow64.exe PID 1236 wrote to memory of 860 1236 WINWORD.EXE splwow64.exe PID 616 wrote to memory of 932 616 vbc.exe powershell.exe PID 616 wrote to memory of 932 616 vbc.exe powershell.exe PID 616 wrote to memory of 932 616 vbc.exe powershell.exe PID 616 wrote to memory of 932 616 vbc.exe powershell.exe PID 616 wrote to memory of 2012 616 vbc.exe schtasks.exe PID 616 wrote to memory of 2012 616 vbc.exe schtasks.exe PID 616 wrote to memory of 2012 616 vbc.exe schtasks.exe PID 616 wrote to memory of 2012 616 vbc.exe schtasks.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe PID 616 wrote to memory of 624 616 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA MARCH.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RnzqvRAlVCaDTf.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RnzqvRAlVCaDTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp926.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D132509C-2F83-4F03-A9AA-348470AA7DBC}.FSDFilesize
128KB
MD5d33ade8ee2cb6891ea86f3d601b74280
SHA158e2681617a32ef96242a6f2c11af386c9cd46d2
SHA2561d2d14b19790110a673e6781ee2f3fbda09e5495f8c03e7c1820133f9f81bb0a
SHA51295102b56eb99fb258dc2b6d891c9d2bd3922e7e28005256cf480d29c1d3737bcc99815c149552f42c0c3cad94af9712ebee3b5be4dc9c00511a21e39b46079f4
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD532f1571983e9174dae53369573b90b5e
SHA186c4baa3f371cf818b5b19a4d21c1c8046df296e
SHA256777a01817cb85c3ab11211e7c4ad42f3fcd8fe3a2c7fe194a5763f9df335cfe6
SHA512eefa983dab340e951708b9fd483782502b0018a4d21701492d3232cbc96b78684f412eadf3f46bba0448ac8dec34093b58429c5a92d08a5b3f15d2feda2a3e39
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{003728B6-EC34-4C56-859B-9988EFBB9FF7}.FSDFilesize
128KB
MD5fe34a13a221d04e247f0d63e77db2c46
SHA199498a3f197353c7d34ad070bd439f928b4a0f0c
SHA2561b8da31ed1fc2cce7b4ba183cfb0b1108010ebf3488af54d3f5747f2211db343
SHA512c4deecd0cbf0d421aaf35330ba0f431b02364c1b0bb8360ff7dfde4e2363339face7a3a525f85366e7b9b93e5620b1aa405ba4f221c9ec5faea97fd91cc20097
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\31....................31[1].docFilesize
26KB
MD544c187f1c2c4bc9560b31d63abea250f
SHA190c34b2b7f0326f35a49ec41416198ea1049d1ba
SHA2562a80e7804960d16a1b89bd8e46ba60cc697a396926edba4d3ca0ea0653b90fdd
SHA512b6466e14c2bf51ec506559caa268b71697b5962d13ff004da61d0790f9921b37c57d59469f74e83409f43e406ae15d160abade399dd8631556f6540175e56ab3
-
C:\Users\Admin\AppData\Local\Temp\tmp926.tmpFilesize
1KB
MD56258663c3589c393ccd5151e398e6783
SHA1e280badc2e06646731593154d74b519a2ed8661c
SHA256cd2ad6ac1bc5b7674d4fec292deebe99425e2fc07cf64371734fa12ee19da5cd
SHA51263bce860b5cbe25706fbe406c427ec2e5bc33a2cf4c40f03d76549bbdb3abe56b555073e4cee8f4806a34342aa1b7011b51d24f4d8a1a7ddfc00e73f6f24b8ce
-
C:\Users\Admin\AppData\Local\Temp\{B151C904-06DA-4A7A-B9F8-D9802CCF7811}Filesize
128KB
MD5dcfb1637112faeca902e0b53531bb525
SHA126757754c0c9252f040fe616fa75dcdd1a1b88e9
SHA256772d8c674b4991d64126bfeb4fcb7ba906fb0b7358a265ce02c79576c45ad430
SHA512f1a73c9dd4eef62de70a7e1f07a459a32f6d550bd74f7dcb48b20550a40582755a9dad07d0901051fa01c0873792741432b933ee0b5ce79c1a5d0f307c989707
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
88B
MD5775864cb33878d804505fafb25b453de
SHA1e7a85fad7533946ebd29027522df995db100cb39
SHA256ac347d95a86676e0642b6f7a76e46bf743d90018c812e0b6b949cbdae24b2f6d
SHA51246ca8c218bba53dfdabd051b14e02231d16ba2e14e42c071fd74d3eabb729f1baf155454441b934f2492cbdd30756c96f2ed650d1ee314c905f147de6798ef4f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5d9b904bf84dcb28f3962c02128dd0afb
SHA114f045ce5594c402079d57d7cc0e13e2565362e4
SHA2561112b1ae6098418691f04d157cd29e186fc4490db1fda8f03bc4eb57008687f8
SHA512f92b9f9831b7d1b3bfcdc19f1bcfbbc87ab0531cedeb0bac648290acf67446561a9c82da6ea5a0739258af2dd2e8c9534eafc92e0968ac1648be03184d7d44e1
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
memory/616-154-0x0000000000610000-0x000000000061C000-memory.dmpFilesize
48KB
-
memory/616-153-0x00000000047A0000-0x00000000047E0000-memory.dmpFilesize
256KB
-
memory/616-145-0x0000000000020000-0x00000000000EC000-memory.dmpFilesize
816KB
-
memory/616-155-0x0000000005540000-0x00000000055EA000-memory.dmpFilesize
680KB
-
memory/616-152-0x00000000005D0000-0x00000000005F0000-memory.dmpFilesize
128KB
-
memory/616-163-0x0000000005330000-0x0000000005362000-memory.dmpFilesize
200KB
-
memory/616-147-0x00000000047A0000-0x00000000047E0000-memory.dmpFilesize
256KB
-
memory/624-169-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-174-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-167-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/624-166-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-164-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-172-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-165-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/624-196-0x0000000004920000-0x0000000004960000-memory.dmpFilesize
256KB
-
memory/624-176-0x0000000004920000-0x0000000004960000-memory.dmpFilesize
256KB
-
memory/932-177-0x0000000002260000-0x00000000022A0000-memory.dmpFilesize
256KB
-
memory/932-175-0x0000000002260000-0x00000000022A0000-memory.dmpFilesize
256KB
-
memory/1236-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1236-223-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB