Analysis
-
max time kernel
151s
-
max time network
143s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
20-04-2023 07:51
Static task
static1
Behavioral task
behavioral1
Sample
Overdue Statement of Account_1.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Overdue Statement of Account_1.docx
Resource
win10v2004-20230220-en
General
-
Target
Overdue Statement of Account_1.docx
-
Size
10KB
-
MD5
397c47ede0b01a7145478c1c1ebfecad
-
SHA1
2f8398ddc426bcbaac364e6339b77b8e807c8fa4
-
SHA256
c14068b312c53040f23e40aca6a6251d2330b1ec6874061b50ebb7e6800fda29
-
SHA512
7eed78e77302ca07dca6926bf1deb2a0c0630d749811a1fc3d45e19aefb88b0ccb953a3e3782cb43901dc72bda73e8b5e9dd466a2421d5a16c6fb08a51bd94af
-
SSDEEP
192:ScIMmtPGT7G/bIwXOVORtKz5SEzBC4vNq6sM63SR:SPXuT+xXOVOSdhlqH2
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXE
flow | pid | process
7 | 1268 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\Common\Offline\Files\http://1806682825/e/###################################.doc | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\14.0\Common | WINWORD.EXE
-
Executes dropped EXE 3 IoCs
Processes:
vbc.exe, ihznenbjwa.exe, ihznenbjwa.exe
pid | process
2000 | vbc.exe
1532 | ihznenbjwa.exe
1496 | ihznenbjwa.exe
-
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXE, vbc.exe, ihznenbjwa.exe
pid | process
1268 | EQNEDT32.EXE
2000 | vbc.exe
1532 | ihznenbjwa.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
ihznenbjwa.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ihznenbjwa.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ihznenbjwa.exe
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ihznenbjwa.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ihznenbjwa.exe, ihznenbjwa.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\ajfo = "C:\\Users\\Admin\\AppData\\Roaming\\xsclhqmvfbktpy\\uenjscxgcluq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ihznenbjwa.exe\" C:\\Users\\Admin\\A" | ihznenbjwa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" | ihznenbjwa.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
10 | api.ipify.org
9 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
ihznenbjwa.exe
description | pid | process | target process
PID 1532 set thread context of 1496 | 1532 | ihznenbjwa.exe | ihznenbjwa.exe
-
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
WINWORD.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXE
pid | process
1240 | WINWORD.EXE
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
ihznenbjwa.exe
pid | process
1532 | ihznenbjwa.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ihznenbjwa.exe, WINWORD.EXE
description | pid | process
Token: SeDebugPrivilege | 1496 | ihznenbjwa.exe
Token: SeShutdownPrivilege | 1240 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid | process
1240 | WINWORD.EXE
1240 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXE, vbc.exe, ihznenbjwa.exe, WINWORD.EXE
description | pid | process | target process
PID 1268 wrote to memory of 2000 | 1268 | EQNEDT32.EXE | vbc.exe
PID 1268 wrote to memory of 2000 | 1268 | EQNEDT32.EXE | vbc.exe
PID 1268 wrote to memory of 2000 | 1268 | EQNEDT32.EXE | vbc.exe
PID 1268 wrote to memory of 2000 | 1268 | EQNEDT32.EXE | vbc.exe
PID 2000 wrote to memory of 1532 | 2000 | vbc.exe | ihznenbjwa.exe
PID 2000 wrote to memory of 1532 | 2000 | vbc.exe | ihznenbjwa.exe
PID 2000 wrote to memory of 1532 | 2000 | vbc.exe | ihznenbjwa.exe
PID 2000 wrote to memory of 1532 | 2000 | vbc.exe | ihznenbjwa.exe
PID 1532 wrote to memory of 1496 | 1532 | ihznenbjwa.exe | ihznenbjwa.exe
PID 1532 wrote to memory of 1496 | 1532 | ihznenbjwa.exe | ihznenbjwa.exe
PID 1532 wrote to memory of 1496 | 1532 | ihznenbjwa.exe | ihznenbjwa.exe
PID 1532 wrote to memory of 1496 | 1532 | ihznenbjwa.exe | ihznenbjwa.exe
PID 1240 wrote to memory of 868 | 1240 | WINWORD.EXE | splwow64.exe
PID 1240 wrote to memory of 868 | 1240 | WINWORD.EXE | splwow64.exe
PID 1240 wrote to memory of 868 | 1240 | WINWORD.EXE | splwow64.exe
PID 1240 wrote to memory of 868 | 1240 | WINWORD.EXE | splwow64.exe
PID 1532 wrote to memory of 1496 | 1532 | ihznenbjwa.exe | ihznenbjwa.exe
-
outlook_office_path 1 IoCs
Processes:
ihznenbjwa.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ihznenbjwa.exe
-
outlook_win_path 1 IoCs
Processes:
ihznenbjwa.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ihznenbjwa.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Overdue Statement of Account_1.docx"
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    -
    C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (depth 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
    -
    C:\Users\Public\vbc.exe (depth 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
        -
        C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe" C:\Users\Admin\AppData\Local\Temp\szvmsm.l
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
            -
            C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe (depth 4)
            Command line: "C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{38BDF1A0-344F-4FC0-86E4-B3AD28DED0E6}.FSD
Filesize
128KB
MD5
1e73098a32e0097c8f87f18c62c02f93
SHA1
d96fe0f074ae1892f1de83589fa4d8d0f9766fb5
SHA256
5f5cf59becd3f270c66b48b696cf5af2fa4e5bfc93c26a59334f6a6a3edd0d9d
SHA512
e573811e4a3491668c78d56a655c75752ae7d07500438a7536478a266485ac39bff6b85debe03fb4a3134342b85e23840a608a887de706b31b9583199c680ec7
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB
MD5
407e2481745ff99e5ed574380f7a6459
SHA1
f7a9934c54338b073f5fd6ff3200dcbb197e1a7c
SHA256
d3c9427dd905f4262656fa9886c274fa611b3ddb1d2ae40b540cce9efd90c3d2
SHA512
3471e256f2cef6d0d145cb8e73b3249dcc5034e874005368c46e673d2a9ba778921cf57d03dfb9fc600f5766f1318ee3a5c3ef0fbf093f9763d9e08149368553
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{8AEDA2C6-BA48-49EA-BFED-F27F238336AF}.FSD
Filesize
128KB
MD5
a69e90d5428c853d6eab11ea4daddbb5
SHA1
187b215868a00fc7e7633bffc7abbe11e55fed6e
SHA256
4dc30778272816de9db989f776f05ef58e4f7296ab0d49fdfe05f1c8d22757fa
SHA512
3e156a60463a6e20552d71f32e521c407c429f478bfac04fa1a76e949cd8cc2bd2f9aa7a0b4aff62b23a64c5ffdc8a814958f0a4583832edd169c74f02353fac
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EV74ZOZO\###################################[1].doc
Filesize
28KB
MD5
0817ef065eab1d86f70a24c0100a62e2
SHA1
382996b5049aa9dc672795d8dfa765697b1c852f
SHA256
0148aaa1bc49312cada5408720ed9f547044dbed42cac01f0fea834bda8b5eac
SHA512
62fdb904ff724b73fa1a16d21f29b89092f04b6189ee59e76860709d9aaf7ffae4ef1e0e381ccd17815377b2bcd8d155e560f74791c36f2b9386b20b3261b25d
-
C:\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB
MD5
22d7f566b02de8e7b8a83e39964ca949
SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b
SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4
SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8
-
C:\Users\Admin\AppData\Local\Temp\kdxioiyj.wj
Filesize
263KB
MD5
69676c152b9d72d706a62d0af91b987d
SHA1
fa6f22c8a4f5b79eb21c264307f5c27935d18da4
SHA256
ff55faa58e8b8a72ae324674643115ac94b7332f584da357f836b607e184a136
SHA512
767fe6c8d65d7ee37836dd4b67e91c4d9a334537e003e1b0ee56d8927214cb10841b506564284e6a4056d5704028e95ff95d42a2b5ba3af5dd2a32e9ac0fe9da
-
C:\Users\Admin\AppData\Local\Temp\szvmsm.l
Filesize
7KB
MD5
45993e1d0ecad606c24bf9169455611b
SHA1
7710e7d90ae346a13d0c67aab4c50b9e60026656
SHA256
2bc5aa1a124836de79680477dbb404cd4a604cc6cad9d9871930c2c2efd7a8e8
SHA512
b63ec0393c4a11945ea8f9a430ba42fca111c1be7edc2c2a5233a7e1440296a2bc963fbba6345d1190d635fdeb92df279fb1f2e78563a5e4269088c4e09d86e0
-
C:\Users\Admin\AppData\Local\Temp\{DBA12EAC-02F9-4E24-982C-28B7EC310482}
Filesize
128KB
MD5
d0d56a3fa90f29f0c16ff42f5666ac99
SHA1
7915da6b2bab6140d5b0468e24c9c1be6d4dd10f
SHA256
33a911b5b946e73a4ef31329366b7280e8aafb3d9661bb815ee42dcf706f289b
SHA512
817831d7f56a4547612edb19271403c803d6996f672bbe01765ee7b6ada00c35b13ca76d05f280c95f1fa90671215af2b3773155cdcb88fa6d980733e55f11c2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB
MD5
8411ca662f4b8fdafa17983aa7b6c844
SHA1
8f1340aee72450782d7fee2b9e33da71b668c0d4
SHA256
a9414ec3c47913da0e179b9da1aad7f2bdaeac30c42dd80082dd8e8db7495ccc
SHA512
8ea2f3066d3dd86162e57cf2d6b3177d061237b5361f35faf5c01c5b76ddf434c6c1fc26b8b1f0a5d028578c3ff02ebd3121790f75cd23789c84cbef7d500fc1
-
C:\Users\Public\vbc.exe
Filesize
305KB
MD5
fd4d349554b93a53a3d5540a92f251c0
SHA1
a1b582b262d0088ebd284686d85ef5e5a7a14823
SHA256
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35
SHA512
415e5513532dadfb82ff5968009874269387d37307f8b2828dfc0399607d9cbe33a1186bd8a59f976b0eb515e83581a702233f4cc6e70984b6844c24b759d9e7
-
\Users\Admin\AppData\Local\Temp\ihznenbjwa.exe
Filesize
87KB
MD5
22d7f566b02de8e7b8a83e39964ca949
SHA1
e9a92597cdb3ca0882da5de1d4cf7606ef11152b
SHA256
5dbbc8f2783b027318c33222847342819583626c8567e77f015c1ccbf23bbdb4
SHA512
a090250d72446751135ae8ad7919e1f42c610344540cdfa139c9b35a2d38ebaf6b2b01b8c386a54639aba6fd1a7657ee9f111dbb822a3ce9415172cf51cad2f8
-
\Users\Public\vbc.exe
Filesize
305KB
MD5
fd4d349554b93a53a3d5540a92f251c0
SHA1
a1b582b262d0088ebd284686d85ef5e5a7a14823
SHA256
36b0fbab2618611a165f399650cd3581a3a0723687164cd8482be37957ac4f35
SHA512
415e5513532dadfb82ff5968009874269387d37307f8b2828dfc0399607d9cbe33a1186bd8a59f976b0eb515e83581a702233f4cc6e70984b6844c24b759d9e7
-
memory/1240-54-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize
64KB
-
memory/1240-218-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize
64KB
-
memory/1496-157-0x0000000000400000-0x0000000000441000-memory.dmp
Filesize
260KB
-
memory/1496-161-0x0000000000840000-0x0000000000870000-memory.dmp
Filesize
192KB
-
memory/1496-162-0x0000000004710000-0x0000000004750000-memory.dmp
Filesize
256KB
-
memory/1496-163-0x0000000004710000-0x0000000004750000-memory.dmp
Filesize
256KB
-
memory/1496-186-0x0000000004710000-0x0000000004750000-memory.dmp
Filesize
256KB
-
memory/1496-159-0x0000000000400000-0x0000000000441000-memory.dmp
Filesize
260KB
-
memory/1496-154-0x0000000000400000-0x0000000000441000-memory.dmp
Filesize
260KB