Analysis
-
max time kernel
145s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
19-04-2023 10:13
Static task
static1
Behavioral task
behavioral1
Sample
Order 274791085.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Order 274791085.docx
Resource
win10v2004-20230220-en
General
-
Target
Order 274791085.docx
-
Size
10KB
-
MD5
194e686634e2515c423cb0cd5f9c981a
-
SHA1
b792d00fecc27915c2a28490be4ff2e8228583e1
-
SHA256
0a8e2816b7403cd8f517b41571ad43bb532badb8638f088cadd66dfc7c1e81b9
-
SHA512
99067893db72452ff46b2fb195497427923dee9c020a6137ed178c75c0a3a98bb06e25b2a8bf509b539722dc46302a8b9590a89390225410290175e4fa5f7ed8
-
SSDEEP
192:ScIMmtPGT7G/bIwXOVOku5SEzBC4vNq6sM63qR:SPXuT+xXOVOZhlqH+
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 832 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\Common\Offline\Files\http://1806682825/e/##############################.doc WINWORD.EXE -
Executes dropped EXE 3 IoCs
Processes:
vbc.execoabkgfaqv.execoabkgfaqv.exepid process 1344 vbc.exe 1628 coabkgfaqv.exe 884 coabkgfaqv.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEvbc.execoabkgfaqv.exepid process 832 EQNEDT32.EXE 1344 vbc.exe 1628 coabkgfaqv.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
coabkgfaqv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
coabkgfaqv.execoabkgfaqv.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\yueajsnwgclhqa = "C:\\Users\\Admin\\AppData\\Roaming\\afoj\\scxhqmvrbkgp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\coabkgfaqv.exe\" C:\\Users\\Admin\\AppData\\Loc" coabkgfaqv.exe Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" coabkgfaqv.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 9 api.ipify.org 8 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
coabkgfaqv.exedescription pid process target process PID 1628 set thread context of 884 1628 coabkgfaqv.exe coabkgfaqv.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2024 WINWORD.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
coabkgfaqv.exepid process 1628 coabkgfaqv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
coabkgfaqv.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 884 coabkgfaqv.exe Token: SeShutdownPrivilege 2024 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2024 WINWORD.EXE 2024 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEvbc.exeWINWORD.EXEcoabkgfaqv.exedescription pid process target process PID 832 wrote to memory of 1344 832 EQNEDT32.EXE vbc.exe PID 832 wrote to memory of 1344 832 EQNEDT32.EXE vbc.exe PID 832 wrote to memory of 1344 832 EQNEDT32.EXE vbc.exe PID 832 wrote to memory of 1344 832 EQNEDT32.EXE vbc.exe PID 1344 wrote to memory of 1628 1344 vbc.exe coabkgfaqv.exe PID 1344 wrote to memory of 1628 1344 vbc.exe coabkgfaqv.exe PID 1344 wrote to memory of 1628 1344 vbc.exe coabkgfaqv.exe PID 1344 wrote to memory of 1628 1344 vbc.exe coabkgfaqv.exe PID 2024 wrote to memory of 568 2024 WINWORD.EXE splwow64.exe PID 2024 wrote to memory of 568 2024 WINWORD.EXE splwow64.exe PID 2024 wrote to memory of 568 2024 WINWORD.EXE splwow64.exe PID 2024 wrote to memory of 568 2024 WINWORD.EXE splwow64.exe PID 1628 wrote to memory of 884 1628 coabkgfaqv.exe coabkgfaqv.exe PID 1628 wrote to memory of 884 1628 coabkgfaqv.exe coabkgfaqv.exe PID 1628 wrote to memory of 884 1628 coabkgfaqv.exe coabkgfaqv.exe PID 1628 wrote to memory of 884 1628 coabkgfaqv.exe coabkgfaqv.exe PID 1628 wrote to memory of 884 1628 coabkgfaqv.exe coabkgfaqv.exe -
outlook_office_path 1 IoCs
Processes:
coabkgfaqv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe -
outlook_win_path 1 IoCs
Processes:
coabkgfaqv.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 coabkgfaqv.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Order 274791085.docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe" C:\Users\Admin\AppData\Local\Temp\dycbhq.amb3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2BFE025D-C0FD-4792-BCE3-B08387AACA80}.FSDFilesize
128KB
MD52a9ddcca1ed290499ffa8c945cc1fee8
SHA1f784aaba0d7e96f77ac092576da84f72563ef4e5
SHA256f18f107da7efe271242b9844932dd882562ec4e42d16a5881eae54c219770019
SHA51216747564fb56b3f69801bb6799f088959e67c5dbffd486883feb7e7b98d0485dd71387079eaa051cf45bfface56a6fa7e96c95d914d26bc9f7eedc8529f93017
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD553dbc1f8464b226d577ca2b1fc956ffd
SHA1072440a300fcf305fa823598395f3b8a5ea732d6
SHA256d595ceec19a55187e3d3526ce7a3860b1f28be0886bdf3abf3b52cd8b0f0394e
SHA5121643e3a6741022a3f14bc9a81315a0d93df0a81fff1170c73d385c72a783947a720b6fd62435e626e457790e03bc57bf0f995677cdb3d61a8b8bab2138fb8e11
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{391A7DD0-C22F-4C21-84E8-9AB35B03D724}.FSDFilesize
128KB
MD536fb6424f442901d30b701b403d636cf
SHA165b69792f457c9fc7386fb0c1fa786e7c6e58d8c
SHA256d46a451f3d414b7aa4ca1266a7449326c5771921476572195a688e12d49a2fba
SHA512c820925ca5503f8eb3ef6e557c37931366a2c4124bdb3bfcafd2db156b85cf8603058af0c1eae39ff5a26a5afd78214ff649e7d0770e96533fcb0bf55cd3e84f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VQ77JNZF\##############################[1].docFilesize
28KB
MD5533f738ac129a1b829a11c860fa4908e
SHA18e77016f1fbcde6919c134315b4c056e62ca989c
SHA256e59bcb9e5e2c71c4cb90b0b591d3588215a2aeeb12d1aed39fcf0552ed1574b5
SHA5126294e673916f94a28f1be4586fdc9f0876c3696851649999ccefa3d47dd84a70aa0206f5479901adbdde16b32b71caffc6f1e5518003e7461aa670ddcfdd69ea
-
C:\Users\Admin\AppData\Local\Temp\avnmxsbwm.vFilesize
264KB
MD52e10d56d6bb423e3299caf3ec262b56a
SHA1cae94328f7ae06cfe325e75838d6929dd465c33c
SHA256eea89eb51875c0e96a26975ae1948d531c93a1bee21e9a3ecbc1e785cf09fb8c
SHA51283cfdc91c9d6fb03c7d6101d13092d208f918f62383ebdcf81548f5288c35c9dbe1038ebf16420200d7c1f7878062a40b57a10256fdce66d89b659f7018e54cf
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
C:\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
C:\Users\Admin\AppData\Local\Temp\dycbhq.ambFilesize
8KB
MD5af50365f753838b41fb0cab5d05de242
SHA1a2681388f0f5cdadf636bc829063feaa61cc802e
SHA256358804a14ac8580fca713f02f814f79a2f7e14e4a304452aa4f6cb5ab0f4fdad
SHA512a6bb9f30579e879512c8617b64e124db7feb74d0346df5eca791317382cd27f044a1b24c3eff09aca61232741751cda1428513dcf882690c7e0e6604d52583bf
-
C:\Users\Admin\AppData\Local\Temp\{7B91488B-298E-4EAE-81DC-339AD0F0A3C0}Filesize
128KB
MD593784375058176f4c364d899ba56d4f5
SHA16c6a516e369680d9d8b4148cee541387715b7d57
SHA256af2e31445ae9c22a9f3ea46e1587d146ce6c601ebab626de6903e306e98a8b7c
SHA512a4406256c134e2bcd0b7a9675d82983f8ff1ce571ac83332b4409a3cac9dfe3f356775554782923663a336ad7a2e9581451691e6416490c61b9497503b3ade94
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD52d1489d6725a6b9e4751c00f1206798e
SHA1657820c821904c4598c9d272bdf975008cae7072
SHA256a7c41099aa4817949a1ff81ac768d96c99b645004e86c1cb5e2891e29779cc3e
SHA512cf287bcec5a1dc72aac9de0e12a4ee6bcd3a7288033114987c32b8f68e6fe9fddae19e81d5e9321b5e2234aa93d66a558ce1c6402ec83512e825ddd242650c99
-
C:\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
C:\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
C:\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
\Users\Admin\AppData\Local\Temp\coabkgfaqv.exeFilesize
323KB
MD59dddb1befc9b63097b0348e7a6d20e83
SHA11df5345580b1a99ecec45a195143fe7ed5ed87ca
SHA25697bc4f746b5c536e7cfe6f180f5a260d441eeea798b624d8beb1e8add3e13a96
SHA512c8fbca4fc543e59286d57418ca40dc5fffd1db00d3a60096f4be3cbb7738089a6bc033b53099a9df24032e0418a46fe48d8304bc975835523c2f9ed31e1e9912
-
\Users\Public\vbc.exeFilesize
394KB
MD58ac8e102ef0aeaebbd409103f9237c2f
SHA1f4f167dd5a9453c5da024de5a58a78fa70bbb14d
SHA256d44ee4f9fdee764e54c2155948efde9f969b515d4ddc740e6cb192d7d8328dac
SHA5123bc1242a9cca06490c12678c92b9f7a758ce69601ad191c448a9946d6fdae90e8f43ef0b68a4b28dace38dd93b03ae7bdacacc65f738b1c5ede61774212946db
-
memory/884-162-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/884-158-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/884-161-0x0000000000640000-0x0000000000670000-memory.dmpFilesize
192KB
-
memory/884-154-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/884-164-0x00000000046A0000-0x00000000046E0000-memory.dmpFilesize
256KB
-
memory/884-163-0x00000000046A0000-0x00000000046E0000-memory.dmpFilesize
256KB
-
memory/1628-156-0x0000000000250000-0x0000000000253000-memory.dmpFilesize
12KB
-
memory/2024-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2024-219-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB