Analysis
-
max time kernel
149s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
19-04-2023 10:13
Static task
static1
Behavioral task
behavioral1
Sample
Order 274791085.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Order 274791085.docx
Resource
win10v2004-20230220-en
General
-
Target
Order 274791085.docx
-
Size
10KB
-
MD5
194e686634e2515c423cb0cd5f9c981a
-
SHA1
b792d00fecc27915c2a28490be4ff2e8228583e1
-
SHA256
0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9
-
SHA512
99067893db72452ff46b2fb195497427923dee9c020a6137ed178c75c0a3a98bb06e25b2a8bf509b539722dc46302a8b9590a89390225410290175e4fa5f7ed8
-
SSDEEP
192:ScIMmtPGT7G/bIwXOVOku5SEzBC4vNq6sM63qR:SPXuT+xXOVOZhlqH+
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 2024 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://1806682825/e/##############################.doc WINWORD.EXE -
Executes dropped EXE 3 IoCs
Processes:
vbc.execoabkgfaqv.execoabkgfaqv.exepid process 1520 vbc.exe 548 coabkgfaqv.exe 1016 coabkgfaqv.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEvbc.execoabkgfaqv.exepid process 2024 EQNEDT32.EXE 1520 vbc.exe 548 coabkgfaqv.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
coabkgfaqv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
coabkgfaqv.execoabkgfaqv.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\yueajsnwgclhqa = "C:\\Users\\Admin\\AppData\\Roaming\\afoj\\scxhqmvrbkgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coabkgfaqv.exe\" C:\\Users\\Admin\\AppData\\Loc" coabkgfaqv.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" coabkgfaqv.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.ipify.org 9 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
coabkgfaqv.exedescription pid process target process PID 548 set thread context of 1016 548 coabkgfaqv.exe coabkgfaqv.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 948 WINWORD.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
coabkgfaqv.exepid process 548 coabkgfaqv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
coabkgfaqv.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1016 coabkgfaqv.exe Token: SeShutdownPrivilege 948 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 948 WINWORD.EXE 948 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEvbc.exeWINWORD.EXEcoabkgfaqv.exedescription pid process target process PID 2024 wrote to memory of 1520 2024 EQNEDT32.EXE vbc.exe PID 2024 wrote to memory of 1520 2024 EQNEDT32.EXE vbc.exe PID 2024 wrote to memory of 1520 2024 EQNEDT32.EXE vbc.exe PID 2024 wrote to memory of 1520 2024 EQNEDT32.EXE vbc.exe PID 1520 wrote to memory of 548 1520 vbc.exe coabkgfaqv.exe PID 1520 wrote to memory of 548 1520 vbc.exe coabkgfaqv.exe PID 1520 wrote to memory of 548 1520 vbc.exe coabkgfaqv.exe PID 1520 wrote to memory of 548 1520 vbc.exe coabkgfaqv.exe PID 948 wrote to memory of 772 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 772 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 772 948 WINWORD.EXE splwow64.exe PID 948 wrote to memory of 772 948 WINWORD.EXE splwow64.exe PID 548 wrote to memory of 1016 548 coabkgfaqv.exe coabkgfaqv.exe PID 548 wrote to memory of 1016 548 coabkgfaqv.exe coabkgfaqv.exe PID 548 wrote to memory of 1016 548 coabkgfaqv.exe coabkgfaqv.exe PID 548 wrote to memory of 1016 548 coabkgfaqv.exe coabkgfaqv.exe PID 548 wrote to memory of 1016 548 coabkgfaqv.exe coabkgfaqv.exe -
outlook_office_path 1 IoCs
Processes:
coabkgfaqv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe -
outlook_win_path 1 IoCs
Processes:
coabkgfaqv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 274791085.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe" C:\Users\Admin\AppData\Local\Temp\dycbhq.amb3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B466500B-4741-4DBA-A6A1-7CBE80E99252}.FSDFilesize
128KB
MD5a408fcdb0c1ff81ed3b305f327209a53
SHA1f3a229a4b27ed74e94f7d2f501c4f89064e46e58
SHA256feb63f03770bdb0ac43e96b122311d5fbc28ce43f827133bb288f3fc360b2ba5
SHA512f9beaf8eda4bfb42528d770fbbce3f4bb6f6ca5e5fca12437ceb294f30aa2716306d249c2b4bb9ccee96fa84918b1dc076b9a00fc44852980027d6c1b2f75ab2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B1B404A7-AD1C-46BF-8296-B1E101CF0673}.FSDFilesize
128KB
MD54a142c2e9d5e32412d15d78a4e5f6a2f
SHA10eafa3f080ad5d7e41ddefdef8d0344c3723ee26
SHA256b9d08a134b8e4da389d2aaff142c8932be1d87cd83fd5e96db127674e92a2829
SHA5121a7f3b476ab98a65c74a3afa0e577e85f21afec7e5d080df76c8c7e386a394a412b428953ff2173dbca41395988f24165a24f8ff64522e30bc0e60381da10d6f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\##############################[1].docFilesize
28KB
MD5533f738ac129a1b829a11c860fa4908e
SHA18e77016f1fbcde6919c134315b4c056e62ca989c
SHA256e59bcb9e5e2c71c4cb90b0b591d3588215a2aeeb12d1aed39fcf0552ed1574b5
SHA5126294e673916f94a28f1be4586fdc9f0876c3696851649999ccefa3d47dd84a70aa0206f5479901adbdde16b32b71caffc6f1e5518003e7461aa670ddcfdd69ea
-
C:\Users\Admin\AppData\Local\Temp\avnmxsbwm.vFilesize
264KB
MD52e10d56d6bb423e3299caf3ec262b56a
SHA1cae94328f7ae06cfe325e75838d6929dd465c33c
SHA256eea89eb51875c0e96a26975ae1948d531c93a1bee21e9a3ecbc1e785cf09fb8c
SHA51283cfdc91c9d6fb03c7d6101d13092d208f918f62383ebdcf81548f5288c35c9dbe1038ebf16420200d7c1f7878062a40b57a10256fdce66d89b659f7018e54cf
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
C:\Users\Admin\AppData\Local\Temp\dycbhq.ambFilesize
8KB
MD5af50365f753838b41fb0cab5d05de242
SHA1a2681388f0f5cdadf636bc829063feaa61cc802e
SHA256358804a14ac8580fca713f02f814f79a2f7e14e4a304452aa4f6cb5ab0f4fdad
SHA512a6bb9f30579e879512c8617b64e124db7feb74d0346df5eca791317382cd27f044a1b24c3eff09aca61232741751cda1428513dcf882690c7e0e6604d52583bf
-
C:\Users\Admin\AppData\Local\Temp\{361F7787-8786-4CA6-ADC2-281D7FAD2362}Filesize
128KB
MD5c8924510e87b11430e4349f0bfb8d217
SHA18448c10fdddabd5089681071cc2cd79e87a41921
SHA256b96f0f8d72fe7e14bec91a185cc0a34556bf0faf7c0bf8ec87af7c9a31be4660
SHA512cecfac4315e58bece607391c4889a5eb7d3699175e70c9cb2158842ab0e8b8a87450e19d0ea0cc7cd2b9b077c30fd5873d28b1d7c8b8ee0c55145654bd3b6fda
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5b8ee29ac33855d45796140b0b131b7b7
SHA1eedd9a588125c1dd512056f6ff57a842919ffe2d
SHA2561fb3988a2ab01c6f2101969cac8f1429cbd0c2237e0aea693b67cf9aed198bb3
SHA5120e8d0dd3e3e68674e503b62bf1cc307e4d15826abc2fb2ad4779c7db96d50e7dabfcfe49e5d5bcfa8f3f30195d876fef68c3baaa35796ae1a13ad5ccf13b659d
-
C:\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
C:\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
C:\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
memory/548-150-0x0000000000260000-0x0000000000263000-memory.dmpFilesize
12KB
-
memory/948-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/948-219-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1016-155-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1016-158-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1016-160-0x00000000003D0000-0x0000000000400000-memory.dmpFilesize
192KB
-
memory/1016-161-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/1016-162-0x0000000004550000-0x0000000004590000-memory.dmpFilesize
256KB