Analysis
-
max time kernel
102s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
28-03-2023 09:19
Static task
static1
Behavioral task
behavioral1
Sample
SOA MARCH.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
SOA MARCH.docx
Resource
win10v2004-20230220-en
General
-
Target
SOA MARCH.docx
-
Size
10KB
-
MD5
5fbdc2fd7b9fcf00d75d57db95a45780
-
SHA1
b2a03e0b531c008057d2c3f4eeedc2b5f3ccaca4
-
SHA256
973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3
-
SHA512
e2d59f0bcbcc7f973de9166d3eb7715cc69951f1f923843c91160c95c9ffea33e79b5747eeff375be6c6bf8c0c38e54a0d1401711c8b3acd1107fb15c8240f99
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3H5:SPXU/slT+LOzHkZC9Z
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1312 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221484439/31....................31.................doc WINWORD.EXE -
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1564 vbc.exe 584 vbc.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1312 EQNEDT32.EXE 1312 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\eubJfun = "C:\\Users\\Admin\\AppData\\Roaming\\eubJfun\\eubJfun.exe" vbc.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 11 api.ipify.org 12 api.ipify.org -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
vbc.exedescription pid process target process PID 1564 set thread context of 584 1564 vbc.exe vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1692 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exepowershell.exepid process 1564 vbc.exe 1564 vbc.exe 1524 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
vbc.exevbc.exepowershell.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1564 vbc.exe Token: SeDebugPrivilege 584 vbc.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeShutdownPrivilege 1692 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1692 WINWORD.EXE 1692 WINWORD.EXE -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEvbc.exedescription pid process target process PID 1312 wrote to memory of 1564 1312 EQNEDT32.EXE vbc.exe PID 1312 wrote to memory of 1564 1312 EQNEDT32.EXE vbc.exe PID 1312 wrote to memory of 1564 1312 EQNEDT32.EXE vbc.exe PID 1312 wrote to memory of 1564 1312 EQNEDT32.EXE vbc.exe PID 1692 wrote to memory of 1356 1692 WINWORD.EXE splwow64.exe PID 1692 wrote to memory of 1356 1692 WINWORD.EXE splwow64.exe PID 1692 wrote to memory of 1356 1692 WINWORD.EXE splwow64.exe PID 1692 wrote to memory of 1356 1692 WINWORD.EXE splwow64.exe PID 1564 wrote to memory of 1524 1564 vbc.exe powershell.exe PID 1564 wrote to memory of 1524 1564 vbc.exe powershell.exe PID 1564 wrote to memory of 1524 1564 vbc.exe powershell.exe PID 1564 wrote to memory of 1524 1564 vbc.exe powershell.exe PID 1564 wrote to memory of 1656 1564 vbc.exe schtasks.exe PID 1564 wrote to memory of 1656 1564 vbc.exe schtasks.exe PID 1564 wrote to memory of 1656 1564 vbc.exe schtasks.exe PID 1564 wrote to memory of 1656 1564 vbc.exe schtasks.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe PID 1564 wrote to memory of 584 1564 vbc.exe vbc.exe -
outlook_office_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe -
outlook_win_path 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 vbc.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA MARCH.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RnzqvRAlVCaDTf.exe"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RnzqvRAlVCaDTf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB57.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{418C3101-7B28-4F15-8B82-819CAA62BB6D}.FSDFilesize
128KB
MD5502f7d112d61145e30f69d8eb491afde
SHA17382586b2abb3403a3696ccf873ed776a01870a6
SHA256af197ae22a46f05cf30f4ec863898363b9eb21f705c46ccc341739d5b3285836
SHA512c3ae973fad19dcf4ec0a8fa52b45598b5a0dd4c08830e0959e341fff54a83351e482eb6f08fffe2af54d8ead0c4ca6361df971521a059cd497d4fe4d76f96a31
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5725a6cfd4349201f5682823b530ba046
SHA10433032e7904c4a8c89e4933ad046590dee99659
SHA256b93fe3492320e5ab2b2e153059e78b3d79c42685e06de5b43b03f8609b63674f
SHA5123070f49b48008f059010dea39b7c45c7509f0644631fe2ec00573a75ac36ef8620c4ab9889c8744afaf1f04188ace468bbecd60669485ee38e7528fc5c3b03a0
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DC9F296D-9625-4383-839D-3CB8A576C210}.FSDFilesize
128KB
MD52349c47d1c8fbc038efbd5ed029737ab
SHA1c98aee4dcbdb6799eb1207178f6ed8e5ed001737
SHA256a297656b726bf84b5fe11f7876b0674a1dee6d63a8079c56b9554c944ce8c7dc
SHA512b51b5b981c32d4fc4c16291c038d7c3a3d11e5dc063a29a5b56e38af93bb5fbeaa9f7fbdbf54c6fe7c07ce2ddfa478359c003748f5b641d93d38b450f7ee0a1f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\31....................31[1].docFilesize
26KB
MD544c187f1c2c4bc9560b31d63abea250f
SHA190c34b2b7f0326f35a49ec41416198ea1049d1ba
SHA2562a80e7804960d16a1b89bd8e46ba60cc697a396926edba4d3ca0ea0653b90fdd
SHA512b6466e14c2bf51ec506559caa268b71697b5962d13ff004da61d0790f9921b37c57d59469f74e83409f43e406ae15d160abade399dd8631556f6540175e56ab3
-
C:\Users\Admin\AppData\Local\Temp\tmpB57.tmpFilesize
1KB
MD53565915fe44f45699b14a70bbb552a39
SHA16def8bc5601cfd76c11cf0ea8cb84710bbb8e60c
SHA2565e860cdd942535a0114f31cc5acd26c0827492bd915fb3b908c1354f2e98392e
SHA512651ca616147326d10f6b06b2d25c96a1ed425b154112abe0351c71dae7f94b748abe4b7f752c1f7980046ef99786b37392c2aa3792fba7b53961f2f2c1b751e9
-
C:\Users\Admin\AppData\Local\Temp\{CC20ED0C-A053-47BA-813B-4DD39FC237A0}Filesize
128KB
MD54570e7859073f56b2c06608e64f211ef
SHA1a8c52e4874d1979d2f632ed24b018980dff39646
SHA2561b2a483b4a9600b77154c93ca56ab0f8448f2e75c07d967ac2ea1f119aaaa565
SHA512aa048e3d11a0477cf1713e146414b8dd3e4a6e4473e6c3ece0f14a2edcb81d212fb30664e31b5e15b6880c81f8c4c605303702489b8f83088f5fc872e826cfa2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5080d43d364e67460fe0e4c300ed00948
SHA1a10954630c6df4732787695d9179461c8de1cb49
SHA2563ac423ac3fcb6d01a726ff5b02b843567e3a73e240090fa5b8047d9d7a9f0227
SHA512b51d30f54289d51d5739445712d8b7d1f01379869bfe1b5a0eeb2b3bd919dc15bf527035805da424bdb89bfead3036df4784c4f3a2d55bef6fa5363dc20a7801
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
C:\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
\Users\Public\vbc.exeFilesize
790KB
MD5425124613fb9b4daa38460652fd75e38
SHA1542aaee07bd064ec6384685fa9ce9299915fb680
SHA256e867bb597f0b2dc98057b12a90fcef9eca9e78ae1081370f89593f0d210a5acb
SHA512915a482bd97fa5ac8e388b46bb89e011742595a56902c65fbba0edb1b218a1b600a31c7bf3cc2735c02f3f9b6d59995ebf9203e2701ad8cd03c7a2316e1208dd
-
memory/584-169-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/584-174-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/584-176-0x0000000004E10000-0x0000000004E50000-memory.dmpFilesize
256KB
-
memory/584-172-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/584-168-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/584-167-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/584-162-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/584-163-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/584-166-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1524-175-0x0000000002290000-0x00000000022D0000-memory.dmpFilesize
256KB
-
memory/1524-177-0x0000000002290000-0x00000000022D0000-memory.dmpFilesize
256KB
-
memory/1564-161-0x0000000004BE0000-0x0000000004C12000-memory.dmpFilesize
200KB
-
memory/1564-146-0x0000000000610000-0x0000000000630000-memory.dmpFilesize
128KB
-
memory/1564-145-0x0000000000E20000-0x0000000000E60000-memory.dmpFilesize
256KB
-
memory/1564-153-0x0000000000E20000-0x0000000000E60000-memory.dmpFilesize
256KB
-
memory/1564-155-0x0000000005550000-0x00000000055FA000-memory.dmpFilesize
680KB
-
memory/1564-154-0x00000000007E0000-0x00000000007EC000-memory.dmpFilesize
48KB
-
memory/1564-144-0x00000000011B0000-0x000000000127C000-memory.dmpFilesize
816KB
-
memory/1692-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1692-222-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB