agenttesla | 1723dec74416c2918e74abaa994d03af972fcb40ae8c6c0579fe29be92836b8e

Analysis

max time kernel
102s
max time network
104s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-03-2023 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Copy.docx
Size

10KB
MD5

7dfae8d21b887ed5d32e2ff010034bc3
SHA1

93ffcfdf05e9b957aa7d1f36a213592383faf395
SHA256

1723dec74416c2918e74abaa994d03af972fcb40ae8c6c0579fe29be92836b8e
SHA512

c0d3bbc9feaf43a0a2c4d23ca31aea7ab086bfed46664738c8e2d16cb5efeddcdf71a45c5be233dbb65463499267e1cc79b3ee32ea615ef8999e0d9ff964819d
SSDEEP

192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3Ce:SPXU/slT+LOzHkZC9x

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.huiijingco.com
Port:
587
Username:
m@huiijingco.com
Password:
lNLUrZT2
Email To:
m@huiijingco.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1348 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1348	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://392095676/50.........................50........................doc	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

976 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1348 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
976	vbc.exe

pid	process
1348	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org

flow	ioc
9	api.ipify.org
10	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 976 set thread context of 1176 976 vbc.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1304 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1348 EQNEDT32.EXE

description	pid	process	target process
PID 976 set thread context of 1176	976	vbc.exe	RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1304	schtasks.exe

pid	process
1348	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1308 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exepowershell.exe

pid process

976 vbc.exe
976 vbc.exe
1520 powershell.exe

pid	process
1308	WINWORD.EXE

pid	process
976	vbc.exe
976	vbc.exe
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exeRegSvcs.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	976	vbc.exe
Token: SeDebugPrivilege	1176	RegSvcs.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeShutdownPrivilege	1308	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1308 WINWORD.EXE
1308 WINWORD.EXE

pid	process
1308	WINWORD.EXE
1308	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1348 wrote to memory of 976	1348	EQNEDT32.EXE	vbc.exe
PID 1348 wrote to memory of 976	1348	EQNEDT32.EXE	vbc.exe
PID 1348 wrote to memory of 976	1348	EQNEDT32.EXE	vbc.exe
PID 1348 wrote to memory of 976	1348	EQNEDT32.EXE	vbc.exe
PID 1308 wrote to memory of 968	1308	WINWORD.EXE	splwow64.exe
PID 1308 wrote to memory of 968	1308	WINWORD.EXE	splwow64.exe
PID 1308 wrote to memory of 968	1308	WINWORD.EXE	splwow64.exe
PID 1308 wrote to memory of 968	1308	WINWORD.EXE	splwow64.exe
PID 976 wrote to memory of 1520	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 1520	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 1520	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 1520	976	vbc.exe	powershell.exe
PID 976 wrote to memory of 1304	976	vbc.exe	schtasks.exe
PID 976 wrote to memory of 1304	976	vbc.exe	schtasks.exe
PID 976 wrote to memory of 1304	976	vbc.exe	schtasks.exe
PID 976 wrote to memory of 1304	976	vbc.exe	schtasks.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe
PID 976 wrote to memory of 1176	976	vbc.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift Copy.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:968

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OiWkkm.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OiWkkm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8151.tmp"
3⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{02A60CE2-E616-410E-943E-12680C7F1395}.FSD
Filesize
128KB

MD5
fb02f828d64dc65396709805fe7d163a

SHA1
13864fc26dccf8b5dc067eea5af25b77fc1c0cf3

SHA256
c83f17ec6f07b26622d98bea4d8a5116188b4107b994700da722c560691c0077

SHA512
ebd7d6c8a44f244ae410aebcdf672e1f99745b8c85912b7a49ea9dadbf03fb3cd2f1e82c411ca1a806d3d00f2807d3315bb7e7457bc04c9fed877f7776b003e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
045e3d2ac32d484b7bb0d6cf12d61d38

SHA1
c532e8216dc9d610fba5de54db1b6486c4226b7f

SHA256
e8bb0c16d424203bbf3e8e9f5cbb001578d498b451578f89e6017811db441c98

SHA512
46f67b32699d23d662d7c4bcd000a82575defc89426ee556bcdd254b3284324f0da1f3cef7facadad53f08bbdb9030d2a1bc500e6c0b49e16e44d2e5141cc0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B9D26936-4916-4AD2-BD2F-C4C436E86DA2}.FSD
Filesize
128KB

MD5
e2b8ddaf949fdd2187757ade46bfbe64

SHA1
f16fdc6ac6458d53f36fc077d2c411e2dcae2093

SHA256
97a9aedbd4748c9e0277083ef942bf840535df73cc1f597d0f8c9b6735edbb5a

SHA512
f9657d28a079ba8237628f34f5a79e4babb2f21eea30864f8d7d8416a8f1c9c97e3cce08a3578be9dfcca22c56d3a5c1e10de6d192993b09f3ce7c473c53704a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\50.........................50[1].doc
Filesize
12KB

MD5
7b4d587f0d734bdf9e506c89d95f1dd4

SHA1
a872ab64815977ca7521988c16a12f8e37df40e1

SHA256
f02de4746e5703d59c0eacf30735113567b4b4824516181693fd9b00e7623a5d

SHA512
14617c754d54257ad551a16aaed0e8f2fa1e9274bd03315bad65450a7dcf8587689d1eeff93445cb586be6a95dc9651b44436040ebab5855c8ba459d26de8219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8151.tmp
Filesize
1KB

MD5
2bef137c0f30ab7f54dcd8beaa7adb73

SHA1
3f307b414269830c910dfd0993ebd126126a42fa

SHA256
98641129029c8fbd74bf0b9d0b84121ea50d721aa000346ffd8cbc4a02e1c1f3

SHA512
4d93fa4bfabb0130630adecde0ff919fc6e7170a3d6b2291880110b8dd5db21d694c4a6cf9108c81bec64633d8e4350fac80d10134b3186e2717b387e814adb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{49700119-CBA8-4B2F-9B5E-F8DDAB419DED}
Filesize
128KB

MD5
2210f6343474ecc50adddb5ef2aa8b44

SHA1
f45f341cadf342ec9233193ac5d8353c99d79d5e

SHA256
8c9fa78334a8901b03bda8e27a151ac07f144cd9187d971856bd98d1dd779c35

SHA512
5a027266590363e285003cf0ccaf6da7cb14cdd335fb5885021fd4b5071151bb2b7a67ed802edc0fbb46ef410b76e2f732dc1d8307fe32edfc4d504b2089ddf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
99B

MD5
fb55790c5fb337a71b3bf2f374485b7b

SHA1
a3f37fefd2ed74d48be69e1fd48a5627fb1b0752

SHA256
e7b78ea51c911f8c9c9f2d2142b75f44181377fb2591a8296e405ab2134d363b

SHA512
a2fab70522be6475935aaea60b5517d181e302b54d4de9a224bb82bbc50333fd8f3539a771b7bf4ca0821219240070437da04104ef859faa3cb9df7748856c45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
f6fc57ac7c37ccdb323996b558cd1839

SHA1
3867accce0b40b6a5c10b76670f98b399748ba93

SHA256
a448151b0762724957a9466dd50e27a525d1473ff36576901911988dcd55472a

SHA512
3d8e1c93a8b87b059f5e0ce71a2cca4a62d58467527edf82effe32f477abec12711be157f6ba653dd860f1545d05d464d6505179d0060b55436cce1d7981a643

Download Submit
C:\Users\Public\vbc.exe
Filesize
796KB

MD5
b7fe0283cdd93788a35df6f5b541dee5

SHA1
20e62c66cb2c19de2d5dd69a666e7220d123b038

SHA256
7bb024a9f018978f826a9e3f9367f834427df51b1cda41ed11fd61701ec5d4dc

SHA512
5c6cf0c179733c08d5e1f3817ce2ca9b6961a0811c9ace869a19b77b3fcef8b31d5088ac722611b0a344f642cb24421a871c5ced162e249f3b63f30f67f8f7db

Download Submit
C:\Users\Public\vbc.exe
Filesize
796KB

MD5
b7fe0283cdd93788a35df6f5b541dee5

SHA1
20e62c66cb2c19de2d5dd69a666e7220d123b038

SHA256
7bb024a9f018978f826a9e3f9367f834427df51b1cda41ed11fd61701ec5d4dc

SHA512
5c6cf0c179733c08d5e1f3817ce2ca9b6961a0811c9ace869a19b77b3fcef8b31d5088ac722611b0a344f642cb24421a871c5ced162e249f3b63f30f67f8f7db

Download Submit
C:\Users\Public\vbc.exe
Filesize
796KB

MD5
b7fe0283cdd93788a35df6f5b541dee5

SHA1
20e62c66cb2c19de2d5dd69a666e7220d123b038

SHA256
7bb024a9f018978f826a9e3f9367f834427df51b1cda41ed11fd61701ec5d4dc

SHA512
5c6cf0c179733c08d5e1f3817ce2ca9b6961a0811c9ace869a19b77b3fcef8b31d5088ac722611b0a344f642cb24421a871c5ced162e249f3b63f30f67f8f7db

Download Submit
\Users\Public\vbc.exe
Filesize
796KB

MD5
b7fe0283cdd93788a35df6f5b541dee5

SHA1
20e62c66cb2c19de2d5dd69a666e7220d123b038

SHA256
7bb024a9f018978f826a9e3f9367f834427df51b1cda41ed11fd61701ec5d4dc

SHA512
5c6cf0c179733c08d5e1f3817ce2ca9b6961a0811c9ace869a19b77b3fcef8b31d5088ac722611b0a344f642cb24421a871c5ced162e249f3b63f30f67f8f7db

Download Submit
memory/976-152-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/976-149-0x0000000005AC0000-0x0000000005B90000-memory.dmp

Filesize
832KB

Download
memory/976-150-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/976-151-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/976-142-0x0000000001220000-0x00000000012EE000-memory.dmp

Filesize
824KB

Download
memory/976-153-0x0000000007D80000-0x0000000007E2C000-memory.dmp

Filesize
688KB

Download
memory/976-144-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/976-161-0x0000000001130000-0x0000000001162000-memory.dmp

Filesize
200KB

Download
memory/1176-165-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1176-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-174-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/1308-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1308-218-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1520-173-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1520-172-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download