Analysis

Max time kernel: 102s
Max time network: 104s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 30-03-2023 09:33

Static task: static1
Behavioral task: behavioral1
  Sample: Swift Copy.docx
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Swift Copy.docx
  Resource: win10v2004-20230221-en
General

Target: Swift Copy.docx
Size: 10KB
MD5: 7dfae8d21b887ed5d32e2ff010034bc3
SHA1: 93ffcfdf05e9b957aa7d1f36a213592383faf395
SHA256: 1723dec74416c2918e74abaa994d03af972fcb40ae8c6c0579fe29be92836b8e
SHA512: c0d3bbc9feaf43a0a2c4d23ca31aea7ab086bfed46664738c8e2d16cb5efeddcdf71a45c5be233dbb65463499267e1cc79b3ee32ea615ef8999e0d9ff964819d
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3Ce:SPXU/slT+LOzHkZC9x
Malware Config

Extracted: agenttesla
  Protocol: smtp
  Host: smtp.huiijingco.com
  Port: 587
  Username: m@huiijingco.com
  Password: lNLUrZT2
  Email To: m@huiijingco.com
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Blocklisted process makes network request (1 IoC)
Processes: EQNEDT32.EXE
  flow 7, pid 1348, process EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location (2 IoCs)
Processes: WINWORD.EXE
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common (WINWORD.EXE)
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://392095676/50.........................50........................doc (WINWORD.EXE)

Executes dropped EXE (1 IoC)
Processes: vbc.exe
  pid 976, process vbc.exe

Loads dropped DLL (1 IoC)
Processes: EQNEDT32.EXE
  pid 1348, process EQNEDT32.EXE

Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: RegSvcs.exe
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 9, ioc api.ipify.org
  flow 10, ioc api.ipify.org

Drops file in System32 directory (1 IoC)
Processes: powershell.exe
  File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes: vbc.exe
  PID 976 set thread context of 1176: vbc.exe -> RegSvcs.exe

Drops file in Windows directory (1 IoC)
Processes: WINWORD.EXE
  File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes: WINWORD.EXE

Modifies registry class (64 IoCs)
Processes: WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
  pid 1308, process WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: vbc.exe, powershell.exe
  pid 976, process vbc.exe
  pid 976, process vbc.exe
  pid 1520, process powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vbc.exe, RegSvcs.exe, powershell.exe, WINWORD.EXE
  Token: SeDebugPrivilege, pid 976, process vbc.exe
  Token: SeDebugPrivilege, pid 1176, process RegSvcs.exe
  Token: SeDebugPrivilege, pid 1520, process powershell.exe
  Token: SeShutdownPrivilege, pid 1308, process WINWORD.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
  pid 1308, process WINWORD.EXE
  pid 1308, process WINWORD.EXE

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: EQNEDT32.EXE, WINWORD.EXE, vbc.exe
  PID 1348 wrote to memory of 976: EQNEDT32.EXE -> vbc.exe
  PID 1348 wrote to memory of 976: EQNEDT32.EXE -> vbc.exe
  PID 1348 wrote to memory of 976: EQNEDT32.EXE -> vbc.exe
  PID 1348 wrote to memory of 976: EQNEDT32.EXE -> vbc.exe
  PID 1308 wrote to memory of 968: WINWORD.EXE -> splwow64.exe
  PID 1308 wrote to memory of 968: WINWORD.EXE -> splwow64.exe
  PID 1308 wrote to memory of 968: WINWORD.EXE -> splwow64.exe
  PID 1308 wrote to memory of 968: WINWORD.EXE -> splwow64.exe
  PID 976 wrote to memory of 1520: vbc.exe -> powershell.exe
  PID 976 wrote to memory of 1520: vbc.exe -> powershell.exe
  PID 976 wrote to memory of 1520: vbc.exe -> powershell.exe
  PID 976 wrote to memory of 1520: vbc.exe -> powershell.exe
  PID 976 wrote to memory of 1304: vbc.exe -> schtasks.exe
  PID 976 wrote to memory of 1304: vbc.exe -> schtasks.exe
  PID 976 wrote to memory of 1304: vbc.exe -> schtasks.exe
  PID 976 wrote to memory of 1304: vbc.exe -> schtasks.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe
  PID 976 wrote to memory of 1176: vbc.exe -> RegSvcs.exe

outlook_office_path (1 IoC)
Processes: RegSvcs.exe
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)

outlook_win_path (1 IoC)
Processes: RegSvcs.exe
  Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes

[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift Copy.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288

[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OiWkkm.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OiWkkm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8151.tmp"
        - Creates scheduled task(s)
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{02A60CE2-E616-410E-943E-12680C7F1395}.FSD (128KB)
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (128KB)
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B9D26936-4916-4AD2-BD2F-C4C436E86DA2}.FSD (128KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\50.........................50[1].doc (12KB)
C:\Users\Admin\AppData\Local\Temp\tmp8151.tmp (1KB)
C:\Users\Admin\AppData\Local\Temp\{49700119-CBA8-4B2F-9B5E-F8DDAB419DED} (128KB)
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (99B)
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm (20KB)
C:\Users\Public\vbc.exe (796KB)

memory/976-152-0x0000000000520000-0x000000000052C000-memory.dmp (48KB)
memory/976-149-0x0000000005AC0000-0x0000000005B90000-memory.dmp (832KB)
memory/976-150-0x0000000004B90000-0x0000000004BD0000-memory.dmp (256KB)
memory/976-151-0x0000000000500000-0x0000000000514000-memory.dmp (80KB)
memory/976-142-0x0000000001220000-0x00000000012EE000-memory.dmp (824KB)
memory/976-153-0x0000000007D80000-0x0000000007E2C000-memory.dmp (688KB)
memory/976-144-0x0000000004B90000-0x0000000004BD0000-memory.dmp (256KB)
memory/976-161-0x0000000001130000-0x0000000001162000-memory.dmp (200KB)
memory/1176-165-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-163-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-164-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-162-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
memory/1176-167-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-169-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-171-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
memory/1176-174-0x00000000006A0000-0x00000000006E0000-memory.dmp (256KB)
memory/1308-54-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1308-218-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1520-173-0x0000000002680000-0x00000000026C0000-memory.dmp (256KB)
memory/1520-172-0x0000000002680000-0x00000000026C0000-memory.dmp (256KB)