agenttesla | 0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9

Analysis

max time kernel
145s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 274791085.docx
Size

10KB
MD5

194e686634e2515c423cb0cd5f9c981a
SHA1

b792d00fecc27915c2a28490be4ff2e8228583e1
SHA256

0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9
SHA512

99067893db72452ff46b2fb195497427923dee9c020a6137ed178c75c0a3a98bb06e25b2a8bf509b539722dc46302a8b9590a89390225410290175e4fa5f7ed8
SSDEEP

192:ScIMmtPGT7G/bIwXOVOku5SEzBC4vNq6sM63qR:SPXuT+xXOVOZhlqH+

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 832 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	832	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\Common\Offline\Files\http://1806682825/e/##############################.doc	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.execoabkgfaqv.execoabkgfaqv.exe

pid process

1344 vbc.exe
1628 coabkgfaqv.exe
884 coabkgfaqv.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.execoabkgfaqv.exe

pid process

832 EQNEDT32.EXE
1344 vbc.exe
1628 coabkgfaqv.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1344	vbc.exe
1628	coabkgfaqv.exe
884	coabkgfaqv.exe

pid	process
832	EQNEDT32.EXE
1344	vbc.exe
1628	coabkgfaqv.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

coabkgfaqv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

coabkgfaqv.execoabkgfaqv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\yueajsnwgclhqa = "C:\\Users\\Admin\\AppData\\Roaming\\afoj\\scxhqmvrbkgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coabkgfaqv.exe\" C:\\Users\\Admin\\AppData\\Loc"	coabkgfaqv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	coabkgfaqv.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
8 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

coabkgfaqv.exe

description pid process target process

PID 1628 set thread context of 884 1628 coabkgfaqv.exe coabkgfaqv.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

832 EQNEDT32.EXE

flow	ioc
9	api.ipify.org
8	api.ipify.org

description	pid	process	target process
PID 1628 set thread context of 884	1628	coabkgfaqv.exe	coabkgfaqv.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
832	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2024 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

coabkgfaqv.exe

pid process

1628 coabkgfaqv.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

coabkgfaqv.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 884 coabkgfaqv.exe
Token: SeShutdownPrivilege 2024 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2024 WINWORD.EXE
2024 WINWORD.EXE

pid	process
2024	WINWORD.EXE

pid	process
1628	coabkgfaqv.exe

description	pid	process
Token: SeDebugPrivilege	884	coabkgfaqv.exe
Token: SeShutdownPrivilege	2024	WINWORD.EXE

pid	process
2024	WINWORD.EXE
2024	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exeWINWORD.EXEcoabkgfaqv.exe

description	pid	process	target process
PID 832 wrote to memory of 1344	832	EQNEDT32.EXE	vbc.exe
PID 832 wrote to memory of 1344	832	EQNEDT32.EXE	vbc.exe
PID 832 wrote to memory of 1344	832	EQNEDT32.EXE	vbc.exe
PID 832 wrote to memory of 1344	832	EQNEDT32.EXE	vbc.exe
PID 1344 wrote to memory of 1628	1344	vbc.exe	coabkgfaqv.exe
PID 1344 wrote to memory of 1628	1344	vbc.exe	coabkgfaqv.exe
PID 1344 wrote to memory of 1628	1344	vbc.exe	coabkgfaqv.exe
PID 1344 wrote to memory of 1628	1344	vbc.exe	coabkgfaqv.exe
PID 2024 wrote to memory of 568	2024	WINWORD.EXE	splwow64.exe
PID 2024 wrote to memory of 568	2024	WINWORD.EXE	splwow64.exe
PID 2024 wrote to memory of 568	2024	WINWORD.EXE	splwow64.exe
PID 2024 wrote to memory of 568	2024	WINWORD.EXE	splwow64.exe
PID 1628 wrote to memory of 884	1628	coabkgfaqv.exe	coabkgfaqv.exe
PID 1628 wrote to memory of 884	1628	coabkgfaqv.exe	coabkgfaqv.exe
PID 1628 wrote to memory of 884	1628	coabkgfaqv.exe	coabkgfaqv.exe
PID 1628 wrote to memory of 884	1628	coabkgfaqv.exe	coabkgfaqv.exe
PID 1628 wrote to memory of 884	1628	coabkgfaqv.exe	coabkgfaqv.exe

outlook_office_path 1 IoCs

Processes:

coabkgfaqv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe

outlook_win_path 1 IoCs

Processes:

coabkgfaqv.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	coabkgfaqv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 274791085.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:568

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe" C:\Users\Admin\AppData\Local\Temp\dycbhq.amb
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2BFE025D-C0FD-4792-BCE3-B08387AACA80}.FSD
Filesize
128KB

MD5
2a9ddcca1ed290499ffa8c945cc1fee8

SHA1
f784aaba0d7e96f77ac092576da84f72563ef4e5

SHA256
f18f107da7efe271242b9844932dd882562ec4e42d16a5881eae54c219770019

SHA512
16747564fb56b3f69801bb6799f088959e67c5dbffd486883feb7e7b98d0485dd71387079eaa051cf45bfface56a6fa7e96c95d914d26bc9f7eedc8529f93017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
53dbc1f8464b226d577ca2b1fc956ffd

SHA1
072440a300fcf305fa823598395f3b8a5ea732d6

SHA256
d595ceec19a55187e3d3526ce7a3860b1f28be0886bdf3abf3b52cd8b0f0394e

SHA512
1643e3a6741022a3f14bc9a81315a0d93df0a81fff1170c73d385c72a783947a720b6fd62435e626e457790e03bc57bf0f995677cdb3d61a8b8bab2138fb8e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{391A7DD0-C22F-4C21-84E8-9AB35B03D724}.FSD
Filesize
128KB

MD5
36fb6424f442901d30b701b403d636cf

SHA1
65b69792f457c9fc7386fb0c1fa786e7c6e58d8c

SHA256
d46a451f3d414b7aa4ca1266a7449326c5771921476572195a688e12d49a2fba

SHA512
c820925ca5503f8eb3ef6e557c37931366a2c4124bdb3bfcafd2db156b85cf8603058af0c1eae39ff5a26a5afd78214ff649e7d0770e96533fcb0bf55cd3e84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\##############################[1].doc
Filesize
28KB

MD5
533f738ac129a1b829a11c860fa4908e

SHA1
8e77016f1fbcde6919c134315b4c056e62ca989c

SHA256
e59bcb9e5e2c71c4cb90b0b591d3588215a2aeeb12d1aed39fcf0552ed1574b5

SHA512
6294e673916f94a28f1be4586fdc9f0876c3696851649999ccefa3d47dd84a70aa0206f5479901adbdde16b32b71caffc6f1e5518003e7461aa670ddcfdd69ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\avnmxsbwm.v
Filesize
264KB

MD5
2e10d56d6bb423e3299caf3ec262b56a

SHA1
cae94328f7ae06cfe325e75838d6929dd465c33c

SHA256
eea89eb51875c0e96a26975ae1948d531c93a1bee21e9a3ecbc1e785cf09fb8c

SHA512
83cfdc91c9d6fb03c7d6101d13092d208f918f62383ebdcf81548f5288c35c9dbe1038ebf16420200d7c1f7878062a40b57a10256fdce66d89b659f7018e54cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
C:\Users\Admin\AppData\Local\Temp\dycbhq.amb
Filesize
8KB

MD5
af50365f753838b41fb0cab5d05de242

SHA1
a2681388f0f5cdadf636bc829063feaa61cc802e

SHA256
358804a14ac8580fca713f02f814f79a2f7e14e4a304452aa4f6cb5ab0f4fdad

SHA512
a6bb9f30579e879512c8617b64e124db7feb74d0346df5eca791317382cd27f044a1b24c3eff09aca61232741751cda1428513dcf882690c7e0e6604d52583bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7B91488B-298E-4EAE-81DC-339AD0F0A3C0}
Filesize
128KB

MD5
93784375058176f4c364d899ba56d4f5

SHA1
6c6a516e369680d9d8b4148cee541387715b7d57

SHA256
af2e31445ae9c22a9f3ea46e1587d146ce6c601ebab626de6903e306e98a8b7c

SHA512
a4406256c134e2bcd0b7a9675d82983f8ff1ce571ac83332b4409a3cac9dfe3f356775554782923663a336ad7a2e9581451691e6416490c61b9497503b3ade94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
2d1489d6725a6b9e4751c00f1206798e

SHA1
657820c821904c4598c9d272bdf975008cae7072

SHA256
a7c41099aa4817949a1ff81ac768d96c99b645004e86c1cb5e2891e29779cc3e

SHA512
cf287bcec5a1dc72aac9de0e12a4ee6bcd3a7288033114987c32b8f68e6fe9fddae19e81d5e9321b5e2234aa93d66a558ce1c6402ec83512e825ddd242650c99

Download Submit
C:\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
C:\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
C:\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe
Filesize
323KB

MD5
9dddb1befc9b63097b0348e7a6d20e83

SHA1
1df5345580b1a99ecec45a195143fe7ed5ed87ca

SHA256
97bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96

SHA512
c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912

Download Submit
\Users\Public\vbc.exe
Filesize
394KB

MD5
8ac8e102ef0aeaebbd409103f9237c2f

SHA1
f4f167dd5a9453c5da024de5a58a78fa70bbb14d

SHA256
d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac

SHA512
3bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db

Download Submit
memory/884-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-161-0x0000000000640000-0x0000000000670000-memory.dmp

Filesize
192KB

Download
memory/884-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-164-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/884-163-0x00000000046A0000-0x00000000046E0000-memory.dmp

Filesize
256KB

Download
memory/1628-156-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2024-219-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download