agenttesla | 973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3

Analysis

max time kernel
102s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA MARCH.docx
Size

10KB
MD5

5fbdc2fd7b9fcf00d75d57db95a45780
SHA1

b2a03e0b531c008057d2c3f4eeedc2b5f3ccaca4
SHA256

973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3
SHA512

e2d59f0bcbcc7f973de9166d3eb7715cc69951f1f923843c91160c95c9ffea33e79b5747eeff375be6c6bf8c0c38e54a0d1401711c8b3acd1107fb15c8240f99
SSDEEP

192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3H5:SPXU/slT+LOzHkZC9Z

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1312 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1312	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221484439/31....................31.................doc	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1564 vbc.exe
584 vbc.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1312 EQNEDT32.EXE
1312 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1564	vbc.exe
584	vbc.exe

pid	process
1312	EQNEDT32.EXE
1312	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\eubJfun = "C:\\Users\\Admin\\AppData\\Roaming\\eubJfun\\eubJfun.exe"	vbc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org

flow	ioc
11	api.ipify.org
12	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1564 set thread context of 584 1564 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1656 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1312 EQNEDT32.EXE

description	pid	process	target process
PID 1564 set thread context of 584	1564	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1656	schtasks.exe

pid	process
1312	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1692 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exepowershell.exe

pid process

1564 vbc.exe
1564 vbc.exe
1524 powershell.exe

pid	process
1692	WINWORD.EXE

pid	process
1564	vbc.exe
1564	vbc.exe
1524	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1564	vbc.exe
Token: SeDebugPrivilege	584	vbc.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeShutdownPrivilege	1692	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1692 WINWORD.EXE
1692 WINWORD.EXE

pid	process
1692	WINWORD.EXE
1692	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1312 wrote to memory of 1564	1312	EQNEDT32.EXE	vbc.exe
PID 1312 wrote to memory of 1564	1312	EQNEDT32.EXE	vbc.exe
PID 1312 wrote to memory of 1564	1312	EQNEDT32.EXE	vbc.exe
PID 1312 wrote to memory of 1564	1312	EQNEDT32.EXE	vbc.exe
PID 1692 wrote to memory of 1356	1692	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 1356	1692	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 1356	1692	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 1356	1692	WINWORD.EXE	splwow64.exe
PID 1564 wrote to memory of 1524	1564	vbc.exe	powershell.exe
PID 1564 wrote to memory of 1524	1564	vbc.exe	powershell.exe
PID 1564 wrote to memory of 1524	1564	vbc.exe	powershell.exe
PID 1564 wrote to memory of 1524	1564	vbc.exe	powershell.exe
PID 1564 wrote to memory of 1656	1564	vbc.exe	schtasks.exe
PID 1564 wrote to memory of 1656	1564	vbc.exe	schtasks.exe
PID 1564 wrote to memory of 1656	1564	vbc.exe	schtasks.exe
PID 1564 wrote to memory of 1656	1564	vbc.exe	schtasks.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe
PID 1564 wrote to memory of 584	1564	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA MARCH.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1356

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RnzqvRAlVCaDTf.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RnzqvRAlVCaDTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB57.tmp"
3⤵
- Creates scheduled task(s)
PID:1656

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{418C3101-7B28-4F15-8B82-819CAA62BB6D}.FSD
Filesize
128KB

MD5
502f7d112d61145e30f69d8eb491afde

SHA1
7382586b2abb3403a3696ccf873ed776a01870a6

SHA256
af197ae22a46f05cf30f4ec863898363b9eb21f705c46ccc341739d5b3285836

SHA512
c3ae973fad19dcf4ec0a8fa52b45598b5a0dd4c08830e0959e341fff54a83351e482eb6f08fffe2af54d8ead0c4ca6361df971521a059cd497d4fe4d76f96a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
725a6cfd4349201f5682823b530ba046

SHA1
0433032e7904c4a8c89e4933ad046590dee99659

SHA256
b93fe3492320e5ab2b2e153059e78b3d79c42685e06de5b43b03f8609b63674f

SHA512
3070f49b48008f059010dea39b7c45c7509f0644631fe2ec00573a75ac36ef8620c4ab9889c8744afaf1f04188ace468bbecd60669485ee38e7528fc5c3b03a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DC9F296D-9625-4383-839D-3CB8A576C210}.FSD
Filesize
128KB

MD5
2349c47d1c8fbc038efbd5ed029737ab

SHA1
c98aee4dcbdb6799eb1207178f6ed8e5ed001737

SHA256
a297656b726bf84b5fe11f7876b0674a1dee6d63a8079c56b9554c944ce8c7dc

SHA512
b51b5b981c32d4fc4c16291c038d7c3a3d11e5dc063a29a5b56e38af93bb5fbeaa9f7fbdbf54c6fe7c07ce2ddfa478359c003748f5b641d93d38b450f7ee0a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\31....................31[1].doc
Filesize
26KB

MD5
44c187f1c2c4bc9560b31d63abea250f

SHA1
90c34b2b7f0326f35a49ec41416198ea1049d1ba

SHA256
2a80e7804960d16a1b89bd8e46ba60cc697a396926edba4d3ca0ea0653b90fdd

SHA512
b6466e14c2bf51ec506559caa268b71697b5962d13ff004da61d0790f9921b37c57d59469f74e83409f43e406ae15d160abade399dd8631556f6540175e56ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB57.tmp
Filesize
1KB

MD5
3565915fe44f45699b14a70bbb552a39

SHA1
6def8bc5601cfd76c11cf0ea8cb84710bbb8e60c

SHA256
5e860cdd942535a0114f31cc5acd26c0827492bd915fb3b908c1354f2e98392e

SHA512
651ca616147326d10f6b06b2d25c96a1ed425b154112abe0351c71dae7f94b748abe4b7f752c1f7980046ef99786b37392c2aa3792fba7b53961f2f2c1b751e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CC20ED0C-A053-47BA-813B-4DD39FC237A0}
Filesize
128KB

MD5
4570e7859073f56b2c06608e64f211ef

SHA1
a8c52e4874d1979d2f632ed24b018980dff39646

SHA256
1b2a483b4a9600b77154c93ca56ab0f8448f2e75c07d967ac2ea1f119aaaa565

SHA512
aa048e3d11a0477cf1713e146414b8dd3e4a6e4473e6c3ece0f14a2edcb81d212fb30664e31b5e15b6880c81f8c4c605303702489b8f83088f5fc872e826cfa2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
080d43d364e67460fe0e4c300ed00948

SHA1
a10954630c6df4732787695d9179461c8de1cb49

SHA256
3ac423ac3fcb6d01a726ff5b02b843567e3a73e240090fa5b8047d9d7a9f0227

SHA512
b51d30f54289d51d5739445712d8b7d1f01379869bfe1b5a0eeb2b3bd919dc15bf527035805da424bdb89bfead3036df4784c4f3a2d55bef6fa5363dc20a7801

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
\Users\Public\vbc.exe
Filesize
790KB

MD5
425124613fb9b4daa38460652fd75e38

SHA1
542aaee07bd064ec6384685fa9ce9299915fb680

SHA256
e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb

SHA512
915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd

Download Submit
memory/584-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/584-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/584-176-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/584-172-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/584-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/584-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/584-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/584-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/584-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1524-175-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/1524-177-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/1564-161-0x0000000004BE0000-0x0000000004C12000-memory.dmp

Filesize
200KB

Download
memory/1564-146-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/1564-145-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/1564-153-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/1564-155-0x0000000005550000-0x00000000055FA000-memory.dmp

Filesize
680KB

Download
memory/1564-154-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/1564-144-0x00000000011B0000-0x000000000127C000-memory.dmp

Filesize
816KB

Download
memory/1692-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-222-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download