agenttesla | e2f7f94897d3c542e882840cd25955f9bf9e1b1507955ee144bdf939adcce73e

Analysis

max time kernel
102s
max time network
104s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sales confirmation-a13802KA.docx
Size

10KB
MD5

aa17844cf349edcb703a84874bf9b51f
SHA1

9c894354e8aac4c58f111c7405a3f92d93d3da4f
SHA256

e2f7f94897d3c542e882840cd25955f9bf9e1b1507955ee144bdf939adcce73e
SHA512

a3ac31637f009b6a717999a60dcc2c5ff032db791ef5c808654b728a7746f6353f3976ab44cb5bbc97e99e1ac87f57af8433076c23dc4c595d69768bcf2f9424
SSDEEP

192:ScIMmtPGT7G/bIwXOVOtlrV5SEzBC4vNq6sM63kp:SPXuT+xXOVOTbhlqHI

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.strictfacilityservices.com
Port:
587
Username:
accounts@strictfacilityservices.com
Password:
SFS!@#321
Email To:
zamanic62@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1284 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1284	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://3221468051/r/######################################.doc	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

884 vbc.exe
1944 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1284 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
884	vbc.exe
1944	vbc.exe

pid	process
1284	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 884 set thread context of 1944 884 vbc.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1284 EQNEDT32.EXE

description	pid	process	target process
PID 884 set thread context of 1944	884	vbc.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
820	schtasks.exe

pid	process
1284	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1676 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

vbc.exepowershell.exe

pid process

884 vbc.exe
884 vbc.exe
884 vbc.exe
1480 powershell.exe

pid	process
1676	WINWORD.EXE

pid	process
884	vbc.exe
884	vbc.exe
884	vbc.exe
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exepowershell.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	884	vbc.exe
Token: SeDebugPrivilege	1944	vbc.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeShutdownPrivilege	1676	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1676 WINWORD.EXE
1676 WINWORD.EXE

pid	process
1676	WINWORD.EXE
1676	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1284 wrote to memory of 884	1284	EQNEDT32.EXE	vbc.exe
PID 1284 wrote to memory of 884	1284	EQNEDT32.EXE	vbc.exe
PID 1284 wrote to memory of 884	1284	EQNEDT32.EXE	vbc.exe
PID 1284 wrote to memory of 884	1284	EQNEDT32.EXE	vbc.exe
PID 1676 wrote to memory of 308	1676	WINWORD.EXE	splwow64.exe
PID 1676 wrote to memory of 308	1676	WINWORD.EXE	splwow64.exe
PID 1676 wrote to memory of 308	1676	WINWORD.EXE	splwow64.exe
PID 1676 wrote to memory of 308	1676	WINWORD.EXE	splwow64.exe
PID 884 wrote to memory of 1480	884	vbc.exe	powershell.exe
PID 884 wrote to memory of 1480	884	vbc.exe	powershell.exe
PID 884 wrote to memory of 1480	884	vbc.exe	powershell.exe
PID 884 wrote to memory of 1480	884	vbc.exe	powershell.exe
PID 884 wrote to memory of 820	884	vbc.exe	schtasks.exe
PID 884 wrote to memory of 820	884	vbc.exe	schtasks.exe
PID 884 wrote to memory of 820	884	vbc.exe	schtasks.exe
PID 884 wrote to memory of 820	884	vbc.exe	schtasks.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe
PID 884 wrote to memory of 1944	884	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Sales confirmation-a13802KA.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:308

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JNECrDxSdm.exe"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JNECrDxSdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp207D.tmp"
3⤵
- Creates scheduled task(s)
PID:820

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize
128KB

MD5
f03f8e60df4fb7cea4b0e7cd21de80c5

SHA1
cdbcfc93ba094b5b7c6cebc74b71d4977afd6139

SHA256
98790ad648b905294e96951c8ee4484b2cd15ee6fa929433518ab6488a3dbf4c

SHA512
c6bdcbce2b72dbd77c7aa38e9172f7a7420b2f57057a939dafbf49a3762b147f4278d4a294e332919383aabeaa5da6afae42f399f3b0aa96de2317ca3a9fb1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{599F67BF-866F-4133-8391-0BD8CD8B1C63}.FSD
Filesize
128KB

MD5
bfa00453d71488890668d0ba6877977b

SHA1
b36e12f92a616e0e136a5a303fae65e48cf4dd71

SHA256
eb8e3bfa128793d71db558c35e18c1e31728a3d83c1fa60dbe9e81631f4e2c6a

SHA512
f2cf8dc0967836d10c58701f06097a1899232a903051aa008f725e41e5991b50084173fca5591e8c5106dd129eb69f76ecf6aae7d8d90ffdd3239e06f84075b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
0398ecd503f96025330f36613156eac3

SHA1
8e4ad2a9f7c97e58de9153729257316ce4cd6152

SHA256
51f61014296f844c27d7cf1cc2bd860ba889ec8753aa35af6d30d4f926dd99f9

SHA512
f4493a4f5a27d7945d516333330e22077fce68032aef5d6a3598c127d23647207ee1480ef27fd3c6c9b1f18d7fd746ae2dfd79d7da3f9514b73794f50eefdf41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{0F94E19F-280C-4470-9504-1218E1C37576}.FSD
Filesize
128KB

MD5
b3625ae8aacbebfdf9d172a65fda8283

SHA1
c456deb0a6fd2b8852462342f674c2ab6ca06731

SHA256
8d7a6d603a2f761d865d189dc3414bd7599ae8384523ed364abb696efb19e5ed

SHA512
38645bd887b0699bb35fff13d8844f5cc5f341c26a2b6fed683bb4742965d29bc97270880975e755e4fd3cf2260e70a11ef988628e63db1696e2e0738ba7bc70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\######################################[1].doc
Filesize
22KB

MD5
e585de882debb5a6570a92cd36041dfd

SHA1
6fb8c051c8dcd87c380a60a18d81793a8aed4e10

SHA256
eadde3baffcc9c4bc8416713367eba8c58b38b271c07f35ac68b1b7f3927965a

SHA512
e2eb8afd4c889f6b5c97620629483b02970d8d365bb319acfe36970e7f6c28b80c263a76a3c7444e6c1a6fb24ad089c76261ffba940a647148c53ddaae77e713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp207D.tmp
Filesize
1KB

MD5
2cbc9c74e81e05462b3eafbbba4c1720

SHA1
0cb2ca5a1d2acbd9c3ca35532fa3cd42b8d1cf3d

SHA256
19c7da2a76e023f61fb44c1f654b3a43be59a7ececabb08484ee1a49bd3a69c1

SHA512
277c860d88bd675040ab6dd034d5a525b317f1b65add53a88bffdeba1ed0f27219fb230442195ada9a81ab0297a3b6289fd6b4962ed6312ee1fc458a5ab84005

Download Submit
C:\Users\Admin\AppData\Local\Temp\{438CDF26-6882-4A29-BEFB-A58F9A411042}
Filesize
128KB

MD5
6e5285513a37df1024f12d129786a042

SHA1
f59c4058f7e6bb42edc592e0fa7bab03c06f9b3f

SHA256
75628ffa06adaee37e9c755c5c0617cd51f3d68c0f04ccc30b62d16e153eaa8f

SHA512
9b8cce65cf330a0fd703a52e2e85b12657a623a77fde2ed93ac245f5b4c5d25f0b542235fa0974bcb5cb05ad93e612b0dab119a4733d068594d5c0fb7b1fd5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
2efb5ba9c6da4e444d865106e9f76ae1

SHA1
923649ecec0078ee53755d9bfc87890c3ed9009b

SHA256
080bdac3a9caec5cc80409d675cc2c827fd46014b391d111f63f370ba792ea1f

SHA512
821ed45686e1c791c8f19a9e6435f7ed395dea644dc74f1b6d4c14229d79132b15ec1e85c815aff58b9c4831116fbc6a06bb8de57fc9ced24a683991579b2444

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
\Users\Public\vbc.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
memory/884-152-0x0000000005620000-0x000000000568A000-memory.dmp

Filesize
424KB

Download
memory/884-142-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/884-151-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/884-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/884-160-0x00000000021F0000-0x0000000002222000-memory.dmp

Filesize
200KB

Download
memory/884-150-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/884-141-0x0000000000D40000-0x0000000000DDA000-memory.dmp

Filesize
616KB

Download
memory/1480-174-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1480-173-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/1676-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1676-202-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1944-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-166-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-169-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-172-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/1944-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-165-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1944-175-0x0000000000CE0000-0x0000000000D20000-memory.dmp

Filesize
256KB

Download
memory/1944-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1944-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download