agenttesla | 0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9

Analysis

max time kernel
149s
max time network
128s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 274791085.docx
Size

10KB
MD5

194e686634e2515c423cb0cd5f9c981a
SHA1

b792d00fecc27915c2a28490be4ff2e8228583e1
SHA256

0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9
SHA512

99067893db72452ff46b2fb195497427923dee9c020a6137ed178c75c0a3a98bb06e25b2a8bf509b539722dc46302a8b9590a89390225410290175e4fa5f7ed8
SSDEEP

192:ScIMmtPGT7G/bIwXOVOku5SEzBC4vNq6sM63qR:SPXuT+xXOVOZhlqH+

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 2024 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	2024	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://1806682825/e/##############################.doc	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.execoabkgfaqv.execoabkgfaqv.exe

pid process

1520 vbc.exe
548 coabkgfaqv.exe
1016 coabkgfaqv.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.execoabkgfaqv.exe

pid process

2024 EQNEDT32.EXE
1520 vbc.exe
548 coabkgfaqv.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1520	vbc.exe
548	coabkgfaqv.exe
1016	coabkgfaqv.exe

pid	process
2024	EQNEDT32.EXE
1520	vbc.exe
548	coabkgfaqv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

coabkgfaqv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

coabkgfaqv.execoabkgfaqv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\yueajsnwgclhqa = "C:\\Users\\Admin\\AppData\\Roaming\\afoj\\scxhqmvrbkgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coabkgfaqv.exe\" C:\\Users\\Admin\\AppData\\Loc"	coabkgfaqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	coabkgfaqv.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

coabkgfaqv.exe

description pid process target process

PID 548 set thread context of 1016 548 coabkgfaqv.exe coabkgfaqv.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2024 EQNEDT32.EXE

flow	ioc
8	api.ipify.org
9	api.ipify.org

description	pid	process	target process
PID 548 set thread context of 1016	548	coabkgfaqv.exe	coabkgfaqv.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2024	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

948 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

coabkgfaqv.exe

pid process

548 coabkgfaqv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

coabkgfaqv.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1016 coabkgfaqv.exe
Token: SeShutdownPrivilege 948 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

948 WINWORD.EXE
948 WINWORD.EXE

pid	process
948	WINWORD.EXE

pid	process
548	coabkgfaqv.exe

description	pid	process
Token: SeDebugPrivilege	1016	coabkgfaqv.exe
Token: SeShutdownPrivilege	948	WINWORD.EXE

pid	process
948	WINWORD.EXE
948	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exeWINWORD.EXEcoabkgfaqv.exe

description	pid	process	target process
PID 2024 wrote to memory of 1520	2024	EQNEDT32.EXE	vbc.exe
PID 2024 wrote to memory of 1520	2024	EQNEDT32.EXE	vbc.exe
PID 2024 wrote to memory of 1520	2024	EQNEDT32.EXE	vbc.exe
PID 2024 wrote to memory of 1520	2024	EQNEDT32.EXE	vbc.exe
PID 1520 wrote to memory of 548	1520	vbc.exe	coabkgfaqv.exe
PID 1520 wrote to memory of 548	1520	vbc.exe	coabkgfaqv.exe
PID 1520 wrote to memory of 548	1520	vbc.exe	coabkgfaqv.exe
PID 1520 wrote to memory of 548	1520	vbc.exe	coabkgfaqv.exe
PID 948 wrote to memory of 772	948	WINWORD.EXE	splwow64.exe
PID 948 wrote to memory of 772	948	WINWORD.EXE	splwow64.exe
PID 948 wrote to memory of 772	948	WINWORD.EXE	splwow64.exe
PID 948 wrote to memory of 772	948	WINWORD.EXE	splwow64.exe
PID 548 wrote to memory of 1016	548	coabkgfaqv.exe	coabkgfaqv.exe
PID 548 wrote to memory of 1016	548	coabkgfaqv.exe	coabkgfaqv.exe
PID 548 wrote to memory of 1016	548	coabkgfaqv.exe	coabkgfaqv.exe
PID 548 wrote to memory of 1016	548	coabkgfaqv.exe	coabkgfaqv.exe
PID 548 wrote to memory of 1016	548	coabkgfaqv.exe	coabkgfaqv.exe

outlook_office_path 1 IoCs

Processes:

coabkgfaqv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe

outlook_win_path 1 IoCs

Processes:

coabkgfaqv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 274791085.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:772

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe" C:\Users\Admin\AppData\Local\Temp\dycbhq.amb
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B466500B-4741-4DBA-A6A1-7CBE80E99252}.FSD
Filesize
128KB

MD5
a408fcdb0c1ff81ed3b305f327209a53

SHA1
f3a229a4b27ed74e94f7d2f501c4f89064e46e58

SHA256
feb63f03770bdb0ac43e96b122311d5fbc28ce43f827133bb288f3fc360b2ba5

SHA512
f9beaf8eda4bfb42528d770fbbce3f4bb6f6ca5e5fca12437ceb294f30aa2716306d249c2b4bb9ccee96fa84918b1dc076b9a00fc44852980027d6c1b2f75ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B1B404A7-AD1C-46BF-8296-B1E101CF0673}.FSD
Filesize
128KB

MD5
4a142c2e9d5e32412d15d78a4e5f6a2f

SHA1
0eafa3f080ad5d7e41ddefdef8d0344c3723ee26

SHA256
b9d08a134b8e4da389d2aaff142c8932be1d87cd83fd5e96db127674e92a2829

SHA512
1a7f3b476ab98a65c74a3afa0e577e85f21afec7e5d080df76c8c7e386a394a412b428953ff2173dbca41395988f24165a24f8ff64522e30bc0e60381da10d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\##############################[1].doc
Filesize
28KB

MD5
533f738ac129a1b829a11c860fa4908e

SHA1
8e77016f1fbcde6919c134315b4c056e62ca989c

SHA256
e59bcb9e5e2c71c4cb90b0b591d3588215a2aeeb12d1aed39fcf0552ed1574b5

SHA512
6294e673916f94a28f1be4586fdc9f0876c3696851649999ccefa3d47dd84a70aa0206f5479901adbdde16b32b71caffc6f1e5518003e7461aa670ddcfdd69ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\avnmxsbwm.v
Filesize
264KB

MD5
2e10d56d6bb423e3299caf3ec262b56a

SHA1
cae94328f7ae06cfe325e75838d6929dd465c33c

SHA256
eea89eb51875c0e96a26975ae1948d531c93a1bee21e9a3ecbc1e785cf09fb8c

SHA512
83cfdc91c9d6fb03c7d6101d13092d208f918f62383ebdcf81548f5288c35c9dbe1038ebf16420200d7c1f7878062a40b57a10256fdce66d89b659f7018e54cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
C:\Users\Admin\AppData\Local\Temp\dycbhq.amb
Filesize
8KB

MD5
af50365f753838b41fb0cab5d05de242

SHA1
a2681388f0f5cdadf636bc829063feaa61cc802e

SHA256
358804a14ac8580fca713f02f814f79a2f7e14e4a304452aa4f6cb5ab0f4fdad

SHA512
a6bb9f30579e879512c8617b64e124db7feb74d0346df5eca791317382cd27f044a1b24c3eff09aca61232741751cda1428513dcf882690c7e0e6604d52583bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{361F7787-8786-4CA6-ADC2-281D7FAD2362}
Filesize
128KB

MD5
c8924510e87b11430e4349f0bfb8d217

SHA1
8448c10fdddabd5089681071cc2cd79e87a41921

SHA256
b96f0f8d72fe7e14bec91a185cc0a34556bf0faf7c0bf8ec87af7c9a31be4660

SHA512
cecfac4315e58bece607391c4889a5eb7d3699175e70c9cb2158842ab0e8b8a87450e19d0ea0cc7cd2b9b077c30fd5873d28b1d7c8b8ee0c55145654bd3b6fda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
b8ee29ac33855d45796140b0b131b7b7

SHA1
eedd9a588125c1dd512056f6ff57a842919ffe2d

SHA256
1fb3988a2ab01c6f2101969cac8f1429cbd0c2237e0aea693b67cf9aed198bb3

SHA512
0e8d0dd3e3e68674e503b62bf1cc307e4d15826abc2fb2ad4779c7db96d50e7dabfcfe49e5d5bcfa8f3f30195d876fef68c3baaa35796ae1a13ad5ccf13b659d

Download Submit
C:\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
C:\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
C:\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
memory/548-150-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/948-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/948-219-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1016-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-160-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/1016-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1016-162-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download