agenttesla | 973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3

Analysis

max time kernel
103s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA MARCH.docx
Size

10KB
MD5

5fbdc2fd7b9fcf00d75d57db95a45780
SHA1

b2a03e0b531c008057d2c3f4eeedc2b5f3ccaca4
SHA256

973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3
SHA512

e2d59f0bcbcc7f973de9166d3eb7715cc69951f1f923843c91160c95c9ffea33e79b5747eeff375be6c6bf8c0c38e54a0d1401711c8b3acd1107fb15c8240f99
SSDEEP

192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3H5:SPXU/slT+LOzHkZC9Z

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1492 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1492	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221484439/31....................31.................doc	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

616 vbc.exe
624 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1492 EQNEDT32.EXE
1492 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
616	vbc.exe
624	vbc.exe

pid	process
1492	EQNEDT32.EXE
1492	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\eubJfun = "C:\\Users\\Admin\\AppData\\Roaming\\eubJfun\\eubJfun.exe"	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org

flow	ioc
9	api.ipify.org
10	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 616 set thread context of 624 616 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2012 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1492 EQNEDT32.EXE

description	pid	process	target process
PID 616 set thread context of 624	616	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2012	schtasks.exe

pid	process
1492	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1236 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exepowershell.exe

pid process

616 vbc.exe
616 vbc.exe
932 powershell.exe

pid	process
1236	WINWORD.EXE

pid	process
616	vbc.exe
616	vbc.exe
932	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	616	vbc.exe
Token: SeDebugPrivilege	624	vbc.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeShutdownPrivilege	1236	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1236 WINWORD.EXE
1236 WINWORD.EXE

pid	process
1236	WINWORD.EXE
1236	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1492 wrote to memory of 616	1492	EQNEDT32.EXE	vbc.exe
PID 1492 wrote to memory of 616	1492	EQNEDT32.EXE	vbc.exe
PID 1492 wrote to memory of 616	1492	EQNEDT32.EXE	vbc.exe
PID 1492 wrote to memory of 616	1492	EQNEDT32.EXE	vbc.exe
PID 1236 wrote to memory of 860	1236	WINWORD.EXE	splwow64.exe
PID 1236 wrote to memory of 860	1236	WINWORD.EXE	splwow64.exe
PID 1236 wrote to memory of 860	1236	WINWORD.EXE	splwow64.exe
PID 1236 wrote to memory of 860	1236	WINWORD.EXE	splwow64.exe
PID 616 wrote to memory of 932	616	vbc.exe	powershell.exe
PID 616 wrote to memory of 932	616	vbc.exe	powershell.exe
PID 616 wrote to memory of 932	616	vbc.exe	powershell.exe
PID 616 wrote to memory of 932	616	vbc.exe	powershell.exe
PID 616 wrote to memory of 2012	616	vbc.exe	schtasks.exe
PID 616 wrote to memory of 2012	616	vbc.exe	schtasks.exe
PID 616 wrote to memory of 2012	616	vbc.exe	schtasks.exe
PID 616 wrote to memory of 2012	616	vbc.exe	schtasks.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe
PID 616 wrote to memory of 624	616	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA MARCH.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:860

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RnzqvRAlVCaDTf.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RnzqvRAlVCaDTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp926.tmp"
3⤵
- Creates scheduled task(s)
PID:2012

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D132509C-2F83-4F03-A9AA-348470AA7DBC}.FSD
Filesize
128KB

MD5
d33ade8ee2cb6891ea86f3d601b74280

SHA1
58e2681617a32ef96242a6f2c11af386c9cd46d2

SHA256
1d2d14b19790110a673e6781ee2f3fbda09e5495f8c03e7c1820133f9f81bb0a

SHA512
95102b56eb99fb258dc2b6d891c9d2bd3922e7e28005256cf480d29c1d3737bcc99815c149552f42c0c3cad94af9712ebee3b5be4dc9c00511a21e39b46079f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
32f1571983e9174dae53369573b90b5e

SHA1
86c4baa3f371cf818b5b19a4d21c1c8046df296e

SHA256
777a01817cb85c3ab11211e7c4ad42f3fcd8fe3a2c7fe194a5763f9df335cfe6

SHA512
eefa983dab340e951708b9fd483782502b0018a4d21701492d3232cbc96b78684f412eadf3f46bba0448ac8dec34093b58429c5a92d08a5b3f15d2feda2a3e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{003728B6-EC34-4C56-859B-9988EFBB9FF7}.FSD
Filesize
128KB

MD5
fe34a13a221d04e247f0d63e77db2c46

SHA1
99498a3f197353c7d34ad070bd439f928b4a0f0c

SHA256
1b8da31ed1fc2cce7b4ba183cfb0b1108010ebf3488af54d3f5747f2211db343

SHA512
c4deecd0cbf0d421aaf35330ba0f431b02364c1b0bb8360ff7dfde4e2363339face7a3a525f85366e7b9b93e5620b1aa405ba4f221c9ec5faea97fd91cc20097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\31....................31[1].doc
Filesize
26KB

MD5
44c187f1c2c4bc9560b31d63abea250f

SHA1
90c34b2b7f0326f35a49ec41416198ea1049d1ba

SHA256
2a80e7804960d16a1b89bd8e46ba60cc697a396926edba4d3ca0ea0653b90fdd

SHA512
b6466e14c2bf51ec506559caa268b71697b5962d13ff004da61d0790f9921b37c57d59469f74e83409f43e406ae15d160abade399dd8631556f6540175e56ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp926.tmp
Filesize
1KB

MD5
6258663c3589c393ccd5151e398e6783

SHA1
e280badc2e06646731593154d74b519a2ed8661c

SHA256
cd2ad6ac1bc5b7674d4fec292deebe99425e2fc07cf64371734fa12ee19da5cd

SHA512
63bce860b5cbe25706fbe406c427ec2e5bc33a2cf4c40f03d76549bbdb3abe56b555073e4cee8f4806a34342aa1b7011b51d24f4d8a1a7ddfc00e73f6f24b8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B151C904-06DA-4A7A-B9F8-D9802CCF7811}
Filesize
128KB

MD5
dcfb1637112faeca902e0b53531bb525

SHA1
26757754c0c9252f040fe616fa75dcdd1a1b88e9

SHA256
772d8c674b4991d64126bfeb4fcb7ba906fb0b7358a265ce02c79576c45ad430

SHA512
f1a73c9dd4eef62de70a7e1f07a459a32f6d550bd74f7dcb48b20550a40582755a9dad07d0901051fa01c0873792741432b933ee0b5ce79c1a5d0f307c989707

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
88B

MD5
775864cb33878d804505fafb25b453de

SHA1
e7a85fad7533946ebd29027522df995db100cb39

SHA256
ac347d95a86676e0642b6f7a76e46bf743d90018c812e0b6b949cbdae24b2f6d

SHA512
46ca8c218bba53dfdabd051b14e02231d16ba2e14e42c071fd74d3eabb729f1baf155454441b934f2492cbdd30756c96f2ed650d1ee314c905f147de6798ef4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
d9b904bf84dcb28f3962c02128dd0afb

SHA1
14f045ce5594c402079d57d7cc0e13e2565362e4

SHA256
1112b1ae6098418691f04d157cd29e186fc4490db1fda8f03bc4eb57008687f8

SHA512
f92b9f9831b7d1b3bfcdc19f1bcfbbc87ab0531cedeb0bac648290acf67446561a9c82da6ea5a0739258af2dd2e8c9534eafc92e0968ac1648be03184d7d44e1

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
memory/616-154-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/616-153-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/616-145-0x0000000000020000-0x00000000000EC000-memory.dmp

Filesize
816KB

Download
memory/616-155-0x0000000005540000-0x00000000055EA000-memory.dmp

Filesize
680KB

Download
memory/616-152-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download
memory/616-163-0x0000000005330000-0x0000000005362000-memory.dmp

Filesize
200KB

Download
memory/616-147-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/624-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/624-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/624-196-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/624-176-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/932-177-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/932-175-0x0000000002260000-0x00000000022A0000-memory.dmp

Filesize
256KB

Download
memory/1236-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1236-223-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download