agenttesla | 5ce58c49f5abc817c193a24964f2abb75db9caafe37d3901cba27cadb872e0a8

Analysis

max time kernel
153s
max time network
140s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 12:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2.docx
Size

16KB
MD5

74a1be4072cdff7d23292d65ad2112a3
SHA1

2df97ec0e50130b764d5b777a328da4ce5ba49d9
SHA256

5ce58c49f5abc817c193a24964f2abb75db9caafe37d3901cba27cadb872e0a8
SHA512

0fea42e33b8a3e3c56a1a0b570f3f087c901e1e5e4a6a93b34610bfe4c07808bb0cbab6ee543192cf21189f57b823edf01112812fec6b791005333e0ab475287
SSDEEP

384:uyXfh2hWqs8PL8wi4OEwH8TIbE91r2fRaJYdviiHI5//r:ucfKR5P3DOqnYJEMvXHI5/T

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.royalwealth.space
Port:
587
Username:
[email protected]
Password:
sQxM4AdAZ5kY7As
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	1488	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2992	wealth49980.exe
2312	wealth49980.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2312	2992	wealth49980.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1488	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2848	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	wealth49980.exe
2312	wealth49980.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	wealth49980.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2848	WINWORD.EXE
2848	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2992	1488	EQNEDT32.EXE	30
PID 1488 wrote to memory of 2992	1488	EQNEDT32.EXE	30
PID 1488 wrote to memory of 2992	1488	EQNEDT32.EXE	30
PID 1488 wrote to memory of 2992	1488	EQNEDT32.EXE	30
PID 2848 wrote to memory of 2392	2848	WINWORD.EXE	35
PID 2848 wrote to memory of 2392	2848	WINWORD.EXE	35
PID 2848 wrote to memory of 2392	2848	WINWORD.EXE	35
PID 2848 wrote to memory of 2392	2848	WINWORD.EXE	35
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36
PID 2992 wrote to memory of 2312	2992	wealth49980.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2392

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Roaming\wealth49980.exe
  "C:\Users\Admin\AppData\Roaming\wealth49980.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\wealth49980.exe
    "C:\Users\Admin\AppData\Roaming\wealth49980.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
cb73447f65f001f3efa72a7b3f292885

SHA1
aa05ae41a97b0af51d01bc38d19c0606a20e8b36

SHA256
0bc0f758e33cb35d0c90a43d0482c764f9978a5422937064c06853e5f9a67bf9

SHA512
5b4450a47c746a1e569b20e80376acec30fa92922d800f7bed951880d3c5a2efb51f61f8675a0c41230a52fbc9b5b98fecebc4fe3f89382ad53fd7379e56d790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3AC742F4-A2A6-4A52-A752-CDEEF8E6215D}.FSD

Filesize
128KB

MD5
b4ae7430910b1d49df0796225b19dc78

SHA1
b0a51dff586c86fcaa44b1681ef1bd9521ddc4b5

SHA256
202dd89209ed3d89a918a2ef9270a581562e83db4dcbe2295a1cb5e420a85193

SHA512
7809a5105f7e9a30c1cce766fc8f6592f86a15bf521d3f7058265fc452a5a5d82a8ddbfea7568114c7a657840f86f79739c2edbe233b12640de386cb56d06110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
c33c7549921c8cd06ffb74a33583f7c8

SHA1
bc4c3f9b8da1b0d1f02d5482eed4f353e8aba389

SHA256
f52ab4272c6b49a6459e0b4bab32ce525e28a0dff0fd45d51756a51a496d9c70

SHA512
fc0cf990a3215bb2b7afcbda0224f236290d5f6ddc2d6b73deabf3aad48f1276535ff256155be11bf31263edf68ad01d82ca8d6dc93873ba6f65a6e92e1dd017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
3b2f04d6f411506b5660f44cc4726c5f

SHA1
2b4459104dc67e3708fcf2cb874787733d366e26

SHA256
82fd9082f0a81d152ef33dacf26ba5ceb731f35f6a7570422a5312c985eca453

SHA512
e99fec1238e8a75670eed15a51b6ca5b63ce53a1b70d32a33158a66fe2cd5cff96999b8e6cae5b21858976eacd3ca9783f7df8a50e21f3c1064bba2735ec7eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{D7DE53FB-38DD-4253-9E76-76FC5D55D41A}.FSD

Filesize
128KB

MD5
33959b7e0264be64c7fffe7f4be983e4

SHA1
f837470b86b3077ca747b8ab703c78def32dc293

SHA256
4191a7f1144a49b6fd0ca70de7bee1d647ddccd98c1b59f0e1674db348e012ce

SHA512
89dfb2e37906515a03c2eadfd95126196eb7e8210faa041312b1a4d326951d0d30b82ee92fd7f043bb76f69200bad2f29c042eea589631d1616cf0f91ab8bea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\wealthzx[1].doc

Filesize
118KB

MD5
1f2373aba2cf8216002fcb4c5eefb2eb

SHA1
1e913703986cea4412fbeaff3e1c369d6667194e

SHA256
d401ada740ec43f6c95d41179032282255f7d786058d8a39bdb5c4251b2a69ca

SHA512
e79731b2d3900659dfe851142b5fa2ef363314d857928cfbf494ff5f17b437156da698b754c90f6b7a02d35708fc6225c69acc86acb936c9f7878508d921addd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D99B266C-4C24-4D31-8808-7EAC182E8F11}

Filesize
128KB

MD5
64855804cdba6db2d28160c02da7e048

SHA1
9a3c46f0fffa6234396437d26cd5a900a0687fa2

SHA256
6f318b3556249ee842851015a1310cd272d94401cb6cdc31dc22f4bbf0188450

SHA512
7dc4f71900b901599db601fe648e3bf1ab8615512f17ba3731d67442e4ab8673ef3d7b03887f4f7b8d1ffee1327f9582c75a51d3f651f18cb74ed27a97b487fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\wealth49980.exe

Filesize
722KB

MD5
bec11ca3a3a72fbb4b93e078f03b2e78

SHA1
7f58e12d01bf9e350a512644617d6d916a31b478

SHA256
d5268264e03035ae08616679859a12d0652285022884342333b068c226a209a5

SHA512
9fedd543abb7203dffbc90f0dc0cbc8e5e6ac723270dbc2358ca68127842103fd68a7e8cb262553120d92dce919f22fd2366ef6bc5ef2159874fe85a9ea4870c

Download Submit
C:\Users\Admin\AppData\Roaming\wealth49980.exe

Filesize
722KB

MD5
bec11ca3a3a72fbb4b93e078f03b2e78

SHA1
7f58e12d01bf9e350a512644617d6d916a31b478

SHA256
d5268264e03035ae08616679859a12d0652285022884342333b068c226a209a5

SHA512
9fedd543abb7203dffbc90f0dc0cbc8e5e6ac723270dbc2358ca68127842103fd68a7e8cb262553120d92dce919f22fd2366ef6bc5ef2159874fe85a9ea4870c

Download Submit
C:\Users\Admin\AppData\Roaming\wealth49980.exe

Filesize
722KB

MD5
bec11ca3a3a72fbb4b93e078f03b2e78

SHA1
7f58e12d01bf9e350a512644617d6d916a31b478

SHA256
d5268264e03035ae08616679859a12d0652285022884342333b068c226a209a5

SHA512
9fedd543abb7203dffbc90f0dc0cbc8e5e6ac723270dbc2358ca68127842103fd68a7e8cb262553120d92dce919f22fd2366ef6bc5ef2159874fe85a9ea4870c

Download Submit
C:\Users\Admin\AppData\Roaming\wealth49980.exe

Filesize
722KB

MD5
bec11ca3a3a72fbb4b93e078f03b2e78

SHA1
7f58e12d01bf9e350a512644617d6d916a31b478

SHA256
d5268264e03035ae08616679859a12d0652285022884342333b068c226a209a5

SHA512
9fedd543abb7203dffbc90f0dc0cbc8e5e6ac723270dbc2358ca68127842103fd68a7e8cb262553120d92dce919f22fd2366ef6bc5ef2159874fe85a9ea4870c

Download Submit
\Users\Admin\AppData\Roaming\wealth49980.exe

Filesize
722KB

MD5
bec11ca3a3a72fbb4b93e078f03b2e78

SHA1
7f58e12d01bf9e350a512644617d6d916a31b478

SHA256
d5268264e03035ae08616679859a12d0652285022884342333b068c226a209a5

SHA512
9fedd543abb7203dffbc90f0dc0cbc8e5e6ac723270dbc2358ca68127842103fd68a7e8cb262553120d92dce919f22fd2366ef6bc5ef2159874fe85a9ea4870c

Download Submit
memory/2312-125-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-136-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2312-135-0x000000006B1B0000-0x000000006B89E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-134-0x000000006B1B0000-0x000000006B89E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-2-0x000000007177D000-0x0000000071788000-memory.dmp

Filesize
44KB

Download
memory/2848-0-0x000000002F031000-0x000000002F032000-memory.dmp

Filesize
4KB

Download
memory/2848-116-0x000000007177D000-0x0000000071788000-memory.dmp

Filesize
44KB

Download
memory/2848-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2992-118-0x0000000005A30000-0x0000000005AC0000-memory.dmp

Filesize
576KB

Download
memory/2992-117-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/2992-96-0x0000000000070000-0x000000000012A000-memory.dmp

Filesize
744KB

Download
memory/2992-104-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2992-103-0x0000000000760000-0x000000000077A000-memory.dmp

Filesize
104KB

Download
memory/2992-133-0x000000006B1B0000-0x000000006B89E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-102-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/2992-97-0x000000006B1B0000-0x000000006B89E000-memory.dmp

Filesize
6.9MB

Download