agenttesla | c14068b312c53040f23e40aca6a6251d2330b1ec6874061b50ebb7e6800fda29

Analysis

max time kernel
151s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-04-2023 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Overdue Statement of Account_1.docx
Size

10KB
MD5

397c47ede0b01a7145478c1c1ebfecad
SHA1

2f8398ddc426bcbaac364e6339b77b8e807c8fa4
SHA256

c14068b312c53040f23e40aca6a6251d2330b1ec6874061b50ebb7e6800fda29
SHA512

7eed78e77302ca07dca6926bf1deb2a0c0630d749811a1fc3d45e19aefb88b0ccb953a3e3782cb43901dc72bda73e8b5e9dd466a2421d5a16c6fb08a51bd94af
SSDEEP

192:ScIMmtPGT7G/bIwXOVORtKz5SEzBC4vNq6sM63SR:SPXuT+xXOVOSdhlqH2

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1268 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1268	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Common\Offline\Files\http://1806682825/e/###################################.doc	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 3 IoCs

Processes:

vbc.exeihznenbjwa.exeihznenbjwa.exe

pid process

2000 vbc.exe
1532 ihznenbjwa.exe
1496 ihznenbjwa.exe
Loads dropped DLL 3 IoCs

Processes:

EQNEDT32.EXEvbc.exeihznenbjwa.exe

pid process

1268 EQNEDT32.EXE
2000 vbc.exe
1532 ihznenbjwa.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2000	vbc.exe
1532	ihznenbjwa.exe
1496	ihznenbjwa.exe

pid	process
1268	EQNEDT32.EXE
2000	vbc.exe
1532	ihznenbjwa.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ihznenbjwa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihznenbjwa.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihznenbjwa.exe
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihznenbjwa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ihznenbjwa.exeihznenbjwa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\ajfo = "C:\\Users\\Admin\\AppData\\Roaming\\xsclhqmvfbktpy\\uenjscxgcluq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ihznenbjwa.exe\" C:\\Users\\Admin\\A"	ihznenbjwa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	ihznenbjwa.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.ipify.org
9 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

ihznenbjwa.exe

description pid process target process

PID 1532 set thread context of 1496 1532 ihznenbjwa.exe ihznenbjwa.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1268 EQNEDT32.EXE

flow	ioc
10	api.ipify.org
9	api.ipify.org

description	pid	process	target process
PID 1532 set thread context of 1496	1532	ihznenbjwa.exe	ihznenbjwa.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1268	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1240 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ihznenbjwa.exe

pid process

1532 ihznenbjwa.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ihznenbjwa.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1496 ihznenbjwa.exe
Token: SeShutdownPrivilege 1240 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1240 WINWORD.EXE
1240 WINWORD.EXE

pid	process
1240	WINWORD.EXE

pid	process
1532	ihznenbjwa.exe

description	pid	process
Token: SeDebugPrivilege	1496	ihznenbjwa.exe
Token: SeShutdownPrivilege	1240	WINWORD.EXE

pid	process
1240	WINWORD.EXE
1240	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEvbc.exeihznenbjwa.exeWINWORD.EXE

description	pid	process	target process
PID 1268 wrote to memory of 2000	1268	EQNEDT32.EXE	vbc.exe
PID 1268 wrote to memory of 2000	1268	EQNEDT32.EXE	vbc.exe
PID 1268 wrote to memory of 2000	1268	EQNEDT32.EXE	vbc.exe
PID 1268 wrote to memory of 2000	1268	EQNEDT32.EXE	vbc.exe
PID 2000 wrote to memory of 1532	2000	vbc.exe	ihznenbjwa.exe
PID 2000 wrote to memory of 1532	2000	vbc.exe	ihznenbjwa.exe
PID 2000 wrote to memory of 1532	2000	vbc.exe	ihznenbjwa.exe
PID 2000 wrote to memory of 1532	2000	vbc.exe	ihznenbjwa.exe
PID 1532 wrote to memory of 1496	1532	ihznenbjwa.exe	ihznenbjwa.exe
PID 1532 wrote to memory of 1496	1532	ihznenbjwa.exe	ihznenbjwa.exe
PID 1532 wrote to memory of 1496	1532	ihznenbjwa.exe	ihznenbjwa.exe
PID 1532 wrote to memory of 1496	1532	ihznenbjwa.exe	ihznenbjwa.exe
PID 1240 wrote to memory of 868	1240	WINWORD.EXE	splwow64.exe
PID 1240 wrote to memory of 868	1240	WINWORD.EXE	splwow64.exe
PID 1240 wrote to memory of 868	1240	WINWORD.EXE	splwow64.exe
PID 1240 wrote to memory of 868	1240	WINWORD.EXE	splwow64.exe
PID 1532 wrote to memory of 1496	1532	ihznenbjwa.exe	ihznenbjwa.exe

outlook_office_path 1 IoCs

Processes:

ihznenbjwa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihznenbjwa.exe

outlook_win_path 1 IoCs

Processes:

ihznenbjwa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihznenbjwa.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Overdue Statement of Account_1.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:868

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
"C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe" C:\Users\Admin\AppData\Local\Temp\szvmsm.l
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
"C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{38BDF1A0-344F-4FC0-86E4-B3AD28DED0E6}.FSD
Filesize
128KB

MD5
1e73098a32e0097c8f87f18c62c02f93

SHA1
d96fe0f074ae1892f1de83589fa4d8d0f9766fb5

SHA256
5f5cf59becd3f270c66b48b696cf5af2fa4e5bfc93c26a59334f6a6a3edd0d9d

SHA512
e573811e4a3491668c78d56a655c75752ae7d07500438a7536478a266485ac39bff6b85debe03fb4a3134342b85e23840a608a887de706b31b9583199c680ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
407e2481745ff99e5ed574380f7a6459

SHA1
f7a9934c54338b073f5fd6ff3200dcbb197e1a7c

SHA256
d3c9427dd905f4262656fa9886c274fa611b3ddb1d2ae40b540cce9efd90c3d2

SHA512
3471e256f2cef6d0d145cb8e73b3249dcc5034e874005368c46e673d2a9ba778921cf57d03dfb9fc600f5766f1318ee3a5c3ef0fbf093f9763d9e08149368553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8AEDA2C6-BA48-49EA-BFED-F27F238336AF}.FSD
Filesize
128KB

MD5
a69e90d5428c853d6eab11ea4daddbb5

SHA1
187b215868a00fc7e7633bffc7abbe11e55fed6e

SHA256
4dc30778272816de9db989f776f05ef58e4f7296ab0d49fdfe05f1c8d22757fa

SHA512
3e156a60463a6e20552d71f32e521c407c429f478bfac04fa1a76e949cd8cc2bd2f9aa7a0b4aff62b23a64c5ffdc8a814958f0a4583832edd169c74f02353fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\###################################[1].doc
Filesize
28KB

MD5
0817ef065eab1d86f70a24c0100a62e2

SHA1
382996b5049aa9dc672795d8dfa765697b1c852f

SHA256
0148aaa1bc49312cada5408720ed9f547044dbed42cac01f0fea834bda8b5eac

SHA512
62fdb904ff724b73fa1a16d21f29b89092f04b6189ee59e76860709d9aaf7ffae4ef1e0e381ccd17815377b2bcd8d155e560f74791c36f2b9386b20b3261b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB

MD5
22d7f566b02de8e7b8a83e39964ca949

SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b

SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4

SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB

MD5
22d7f566b02de8e7b8a83e39964ca949

SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b

SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4

SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB

MD5
22d7f566b02de8e7b8a83e39964ca949

SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b

SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4

SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdxioiyj.wj
Filesize
263KB

MD5
69676c152b9d72d706a62d0af91b987d

SHA1
fa6f22c8a4f5b79eb21c264307f5c27935d18da4

SHA256
ff55faa58e8b8a72ae324674643115ac94b7332f584da357f836b607e184a136

SHA512
767fe6c8d65d7ee37836dd4b67e91c4d9a334537e003e1b0ee56d8927214cb10841b506564284e6a4056d5704028e95ff95d42a2b5ba3af5dd2a32e9ac0fe9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\szvmsm.l
Filesize
7KB

MD5
45993e1d0ecad606c24bf9169455611b

SHA1
7710e7d90ae346a13d0c67aab4c50b9e60026656

SHA256
2bc5aa1a124836de79680477dbb404cd4a604cc6cad9d9871930c2c2efd7a8e8

SHA512
b63ec0393c4a11945ea8f9a430ba42fca111c1be7edc2c2a5233a7e1440296a2bc963fbba6345d1190d635fdeb92df279fb1f2e78563a5e4269088c4e09d86e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DBA12EAC-02F9-4E24-982C-28B7EC310482}
Filesize
128KB

MD5
d0d56a3fa90f29f0c16ff42f5666ac99

SHA1
7915da6b2bab6140d5b0468e24c9c1be6d4dd10f

SHA256
33a911b5b946e73a4ef31329366b7280e8aafb3d9661bb815ee42dcf706f289b

SHA512
817831d7f56a4547612edb19271403c803d6996f672bbe01765ee7b6ada00c35b13ca76d05f280c95f1fa90671215af2b3773155cdcb88fa6d980733e55f11c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
8411ca662f4b8fdafa17983aa7b6c844

SHA1
8f1340aee72450782d7fee2b9e33da71b668c0d4

SHA256
a9414ec3c47913da0e179b9da1aad7f2bdaeac30c42dd80082dd8e8db7495ccc

SHA512
8ea2f3066d3dd86162e57cf2d6b3177d061237b5361f35faf5c01c5b76ddf434c6c1fc26b8b1f0a5d028578c3ff02ebd3121790f75cd23789c84cbef7d500fc1

Download Submit
C:\Users\Public\vbc.exe
Filesize
305KB

MD5
fd4d349554b93a53a3d5540a92f251c0

SHA1
a1b582b262d0088ebd284686d85ef5e5a7a14823

SHA256
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35

SHA512
415e5513532dadfb82ff5968009874269387d37307f8b2828dfc0399607d9cbe33a1186bd8a59f976b0eb515e83581a702233f4cc6e70984b6844c24b759d9e7

Download Submit
C:\Users\Public\vbc.exe
Filesize
305KB

MD5
fd4d349554b93a53a3d5540a92f251c0

SHA1
a1b582b262d0088ebd284686d85ef5e5a7a14823

SHA256
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35

SHA512
415e5513532dadfb82ff5968009874269387d37307f8b2828dfc0399607d9cbe33a1186bd8a59f976b0eb515e83581a702233f4cc6e70984b6844c24b759d9e7

Download Submit
C:\Users\Public\vbc.exe
Filesize
305KB

MD5
fd4d349554b93a53a3d5540a92f251c0

SHA1
a1b582b262d0088ebd284686d85ef5e5a7a14823

SHA256
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35

SHA512
415e5513532dadfb82ff5968009874269387d37307f8b2828dfc0399607d9cbe33a1186bd8a59f976b0eb515e83581a702233f4cc6e70984b6844c24b759d9e7

Download Submit
\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB

MD5
22d7f566b02de8e7b8a83e39964ca949

SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b

SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4

SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8

Download Submit
\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB

MD5
22d7f566b02de8e7b8a83e39964ca949

SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b

SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4

SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8

Download Submit
\Users\Public\vbc.exe
Filesize
305KB

MD5
fd4d349554b93a53a3d5540a92f251c0

SHA1
a1b582b262d0088ebd284686d85ef5e5a7a14823

SHA256
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35

SHA512
415e5513532dadfb82ff5968009874269387d37307f8b2828dfc0399607d9cbe33a1186bd8a59f976b0eb515e83581a702233f4cc6e70984b6844c24b759d9e7

Download Submit
memory/1240-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1240-218-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1496-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-161-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/1496-162-0x0000000004710000-0x0000000004750000-memory.dmp

Filesize
256KB

Download
memory/1496-163-0x0000000004710000-0x0000000004750000-memory.dmp

Filesize
256KB

Download
memory/1496-186-0x0000000004710000-0x0000000004750000-memory.dmp

Filesize
256KB

Download
memory/1496-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download