Analysis
max time kernel: 148s
max time network: 138s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 28/11/2023, 07:05
Static task: static1
Behavioral task: behavioral1 (sample gunzipped.xls, resource win7-20231020-en)
Behavioral task: behavioral2 (sample gunzipped.xls, resource win10v2004-20231127-en)
The results on this page are from behavioral1 (windows7_x64 with Office 2010, the Office14 paths in the process tree); behavioral2 ran the same sample on the Windows 10 image and is not shown here.
General
Target: gunzipped.xls
Size: 391KB
MD5: 2ac8a298c47d91f127ff8951e5e00fd4
SHA1: bf41a1fb5658b33d886ddc20b7d424c6dbd91d15
SHA256: 49cbd743a040465d6757e0e5d408d674624053368967940cd8c51ac97925bfc8
SHA512: 856988af820bd0a102b4b917e2c66840d6c8f41f5adc45f21df11ccf95061ff8476fbc98a1a069a8d514f2ad903b1ace95d74e8781149c994df772b1b3a7494c
SSDEEP: 6144:Zn1m9kdbk71u+FZetJs0hdMJUXWDYWBXVH11IyqyLuJvsEKEY6Uvo:ZOee1CtqSdLWDYMZ1SFPsETYPvo
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.acc-engineering.xyz
Port: 21
Username: [email protected] (the address is obscured in the captured page)
Password: chinonsonkechi22#
The stealer exfiltrates over plain FTP on port 21 with static credentials, so the host is a blockable indicator and the FTP login and uploads are visible in cleartext to any network sensor on the path.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access trojan and information stealer (earlier builds were written in Visual Basic .NET). It harvests saved credentials from browsers, email clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the configuration extracted from this sample uses FTP.
-
Blocklisted process makes network request (1 IoC)
flow  pid   process
9     2020  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE (3 IoCs)
pid   process
1148  wlanext.exe
1092  wlanext.exe
1704  wlanext.exe
-
Loads dropped DLL (2 IoCs)
pid   process
2020  EQNEDT32.EXE
2020  EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Roaming\\winrar\\winrar.exe"  wlanext.exe (PID 1704)
The Run value points at a winrar.exe under Roaming, while the file that actually executed is wlanext.exe and the Defender exclusion and scheduled task in the process tree name PyBQOQK.exe. Three names for the same payload appear on this page, so hunt on the AppData\Roaming location and on the file hashes rather than on a file name.
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
12    api.ipify.org
13    api.ipify.org
-
Drops file in System32 directory (1 IoC)
description                   ioc  process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
This is the 32-bit powershell.exe (PID 2092) touching its own Start Menu shortcut; note the unexpanded %ProgramData% and the SysWOW64 prefix. It is low-value compared with the Add-MpPreference command line that the same process ran.
-
Suspicious use of SetThreadContext (1 IoC)
PID 1148 (wlanext.exe) set thread context of PID 1704 (wlanext.exe)
Together with the nine WriteProcessMemory calls from 1148 into 1704 listed below, this is the process-hollowing pattern: the first-stage loader starts a suspended copy of itself, overwrites its memory with the AgentTesla payload and points the main thread at the new entry point. The Run-key persistence is attributed to PID 1704 for that reason.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   process
2332  schtasks.exe
-
Enumerates system info in registry (2 TTPs, 1 IoC)
description  ioc  process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
-
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. Microsoft removed it from Office in the January 2018 updates; it is still present on this Office 2010 image, which is what lets the chain below run.
pid   process
2020  EQNEDT32.EXE
Modifies Internet Explorer settings (31 IoCs)
description       ioc  process
Key created       \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar  EXCEL.EXE
Key created       \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt  EXCEL.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command  WINWORD.EXE
Key created       \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  EXCEL.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND  WINWORD.EXE
Key created       \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  EXCEL.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  WINWORD.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"  WINWORD.EXE
Every value here points at an Office 2010 (Office14) component: the EXCEL.EXE entries add the "Export to Microsoft Excel" and "Send to OneNote" Internet Explorer context-menu items, and the WINWORD.EXE entries register Word as the IE HTML/MHTML editor, with the REG_BINARY "command" values holding MSI Darwin descriptors. Triage raises this signature on any write under these keys; none of these writes came from the dropped wlanext.exe, so they are Office self-registration noise rather than attacker persistence.
Modifies registry class (64 IoCs)
description       ioc  process
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"  WINWORD.EXE
Key deleted       \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher  WINWORD.EXE
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  WINWORD.EXE
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"  WINWORD.EXE
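The REG_BINARY "command" values in the two registry sections above are UTF-16LE text, and decoding them settles what the WINWORD.EXE writes are. The script below is an example added to this report (not Triage output): it decodes the three distinct values copied from the tables, splits each into an MSI Darwin descriptor (20-character compressed ProductCode, feature name, ">", 20-character compressed ComponentId) plus the Office command tail, and expands the compressed GUIDs with the base-85 alphabet MSI uses for them. The product code comes out as {90140000-0011-0000-0000-0000000FF1CE}, the Office 2010 Professional Plus installer, which is Office registering its own HTML editor handlers.

```python
"""Decode the REG_BINARY "command" values WINWORD.EXE wrote under the
OpenWithList and Internet Explorer editor keys in this report.

Example code added to this report page, not Triage output. The three hex
strings are copied from the signature tables above. Each value is UTF-16LE
text: an MSI Darwin descriptor (20-char compressed ProductCode, feature
name, '>', 20-char compressed ComponentId) followed by the command tail
Office passes to the registered editor."""
import struct
import uuid

# Base-85 alphabet MSI uses for compressed GUIDs in Darwin descriptors.
MSI_B85 = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
           "abcdefghijklmnopqrstuvwxyz{}~")

# Copied from the report: <ext>\OpenWithList\<app>\shell\edit\command\command
WORD_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
MSPUB_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"


def decompress_guid(s: str) -> str:
    """Darwin-compressed GUID (20 chars) -> registry-style {GUID} string.

    Each 5-char group is a little-endian base-85 32-bit word; the four
    words are the GUID's in-memory (little-endian) layout."""
    if len(s) != 20:
        raise ValueError("compressed GUID must be 20 characters")
    words = []
    for i in range(0, 20, 5):
        v = 0
        for ch in reversed(s[i:i + 5]):
            v = v * 85 + MSI_B85.index(ch)   # ValueError on a char outside the alphabet
        if v > 0xFFFFFFFF:
            raise ValueError("group does not fit in 32 bits")
        words.append(v)
    return "{%s}" % str(uuid.UUID(bytes_le=struct.pack("<4I", *words))).upper()


def decode_command_value(hex_data: str) -> dict:
    """Split one REG_BINARY 'command' value into descriptor parts and arguments."""
    text = bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")
    descriptor, _, args = text.partition(" ")          # descriptor never contains a space
    feature, _, component = descriptor[20:].partition(">")
    return {
        "raw": text,
        "product_code": decompress_guid(descriptor[:20]),
        "feature": feature,
        "component_id": decompress_guid(component),
        "args": args,
    }


if __name__ == "__main__":
    for app, value in (("WinWord.exe", WORD_COMMAND_HEX), ("Excel.exe", EXCEL_COMMAND_HEX),
                       ("MSPub.exe", MSPUB_COMMAND_HEX)):
        d = decode_command_value(value)
        print(f"{app:12} {d['product_code']} feature={d['feature']} args={d['args']}")
```

All three values share the same product code and differ only in feature (WORDFiles, EXCELFiles, PubPrimary) and command tail (/n "%1", /dde, %1), matching the string-typed command values next to them. When a report shows binary blobs under shell\edit\command, decoding them this way is faster than guessing whether an attacker planted a handler.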
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   process
2244  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   process
1148  wlanext.exe
1148  wlanext.exe
1704  wlanext.exe
1704  wlanext.exe
2092  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   process
Token: SeDebugPrivilege  1148  wlanext.exe
Token: SeDebugPrivilege  1704  wlanext.exe
Token: SeDebugPrivilege  2092  powershell.exe
-
Suspicious use of SetWindowsHookEx (5 IoCs)
pid   process
2244  EXCEL.EXE
2244  EXCEL.EXE
2244  EXCEL.EXE
2308  WINWORD.EXE
2308  WINWORD.EXE
-
Suspicious use of WriteProcessMemory (29 IoCs, grouped by source and target)
source pid  source process  target pid  target process  procid_target  writes
2020        EQNEDT32.EXE    1148        wlanext.exe     31             4
2308        WINWORD.EXE     2760        splwow64.exe    32             4
1148        wlanext.exe     2092        powershell.exe  34             4
1148        wlanext.exe     2332        schtasks.exe    36             4
1148        wlanext.exe     1092        wlanext.exe     38             4
1148        wlanext.exe     1704        wlanext.exe     39             9
Target process names are taken from the process tree below. Every ordinarily created child on this page (splwow64.exe, powershell.exe, schtasks.exe, the 1092 copy) shows exactly four writes from its parent, so four is the baseline for process creation on this guest; the nine writes into PID 1704, paired with the SetThreadContext call above, are the extra writes that place the payload into the hollowed copy.
Processes
EXCEL.EXE (PID 2244)
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\gunzipped.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

WINWORD.EXE (PID 2308)
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  splwow64.exe (PID 2760)
    C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288

EQNEDT32.EXE (PID 2020)
  C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  wlanext.exe (PID 1148)
    C:\Users\Admin\AppData\Roaming\wlanext.exe
    "C:\Users\Admin\AppData\Roaming\wlanext.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    powershell.exe (PID 2092)
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PyBQOQK.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    schtasks.exe (PID 2332)
      C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PyBQOQK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E52.tmp"
      - Creates scheduled task(s)
    wlanext.exe (PID 1092)
      C:\Users\Admin\AppData\Roaming\wlanext.exe
      "C:\Users\Admin\AppData\Roaming\wlanext.exe"
      - Executes dropped EXE
    wlanext.exe (PID 1704)
      C:\Users\Admin\AppData\Roaming\wlanext.exe
      "C:\Users\Admin\AppData\Roaming\wlanext.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: WINWORD.EXE and EQNEDT32.EXE sit at the top level with -Embedding because they were started as COM servers by DCOM, not as direct children of EXCEL.EXE, so a detection keyed on EXCEL.EXE being the parent of EQNEDT32.EXE will not see this chain; key on EQNEDT32.EXE as a parent instead. The dropped loader is a 32-bit process on this x64 guest: the image paths of its children resolve to SysWOW64 while their command lines say System32, which is WOW64 file-system redirection, not a second binary. wlanext.exe is also the name of a legitimate Windows component that lives in System32; here it runs from the user's Roaming profile.
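The chain above, replayed as constructed Sysmon-style process-creation records with the detections that would catch each stage. This is example code added to this report, not Triage output: the records are built from the Processes section (parent PIDs of the DCOM-launched top-level processes are not on the page and are set to 0), the rule names are my own, and the list of System32 binary names is a one-entry placeholder for whatever inventory a real deployment would use.

```python
"""Replay of the process tree in this report as constructed Sysmon-style
process-creation records, with the detections that would catch each stage.

Example code added to this report page, not Triage output. The records are
built from the Processes section above; parent PIDs of the DCOM-launched
top-level processes are not on the page and are set to 0. Rule names are
my own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed from the report's process tree (PIDs, images and command
# lines as shown there).
EVENTS = [
    ProcEvent(2244, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r"C:\Users\Admin\AppData\Local\Temp\gunzipped.xls"),
    ProcEvent(2020, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1148, 2020, r"C:\Users\Admin\AppData\Roaming\wlanext.exe",
              r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'),
    ProcEvent(2092, 1148, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\PyBQOQK.exe"'),
    ProcEvent(2332, 1148, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PyBQOQK" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9E52.tmp"'),
    ProcEvent(1092, 1148, r"C:\Users\Admin\AppData\Roaming\wlanext.exe",
              r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'),
    ProcEvent(1704, 1148, r"C:\Users\Admin\AppData\Roaming\wlanext.exe",
              r'"C:\Users\Admin\AppData\Roaming\wlanext.exe"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
# Names of legitimate Windows binaries that live in System32. Constructed,
# one-entry placeholder: wlanext.exe (the WLAN extensibility host) is the
# name this sample borrows.
SYSTEM32_NAMES = {"wlanext.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        # 1. Anything spawned by Equation Editor (the CVE-2017-11882 target).
        #    EQNEDT32.EXE is started by DCOM, so a rule keyed on EXCEL.EXE as
        #    its parent never fires; key on EQNEDT32.EXE as the parent instead.
        if parent and basename(parent.image) == "eqnedt32.exe":
            hits.append(("eqnedt32_child", e.pid, e.image))
        # 2. Defender exclusion added through PowerShell.
        if name == "powershell.exe" and re.search(r"add-mppreference\s+-exclusionpath", e.cmdline, re.I):
            hits.append(("defender_exclusion", e.pid, e.cmdline))
        # 3. Scheduled task created from an XML definition in a Temp directory.
        if name == "schtasks.exe" and re.search(r'/create\b.*/xml\s+"?[^"]*\\Temp\\', e.cmdline, re.I):
            hits.append(("schtasks_xml_from_temp", e.pid, e.cmdline))
        # 4. Binary in a user-writable profile path spawning a copy of itself
        #    (the loader -> hollowed-child pattern seen with PIDs 1148 -> 1704).
        if parent and USER_WRITABLE.search(e.image) and parent.image.lower() == e.image.lower():
            hits.append(("self_respawn_from_appdata", e.pid, e.image))
        # 5. A System32 binary name running from outside %SystemRoot%.
        if name in SYSTEM32_NAMES and not e.image.lower().startswith("c:\\windows\\"):
            hits.append(("system_name_outside_windows", e.pid, e.image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Rules 2 and 3 fire on command lines alone and are the cheapest to deploy; rule 1 is the highest-signal one for this delivery method, since Equation Editor has no legitimate reason to create processes. Rule 4 matches the two wlanext.exe children of PID 1148 and not the loader itself, because the loader's parent is EQNEDT32.EXE.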
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded)
Filesize: 128KB
MD5: 6f0c59753f56d33e71660b2375811597
SHA1: ae53aaca267354867c447e6f9fa13427e6e3e2aa
SHA256: 0e9d50aa1c6411e3c6b00b00450faf1bb006e9fdad010a942cad3d9163d2bcdb
SHA512: 745a7daccce0db2e26cfa02085e133e53c0db64c94bba177c1a8c290e770fffa9829eabadd59f0c31e65385cd0e9b5d8f859e43982ff301316aca7ba3b68c5be

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8A93C3B9-5F22-4A01-BC9D-F58AFD345342}.FSD
Filesize: 128KB
MD5: 233ef8dbb2d044d337c4b37bb4eeaf07
SHA1: 3e2f47df8f7096a9ee24df6dba0beb40fa8c032e
SHA256: 9fdae683801e9d87cf9c143f1f7febe9bd85349f5a463cb8268ffd1e4092d153
SHA512: 7ceb52015442e9d039f806d18a1134a2ccbbc68f3855957a0f9002ec2abcd142333510c23419301d7d6a45882520c31b6bebee7a21d6656ae9ded9d8bdd43481

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize: 128KB
MD5: 49fdff8510ae1f892a2f454e38bf3f2d
SHA1: 5d75b116fdbf641d70a778564141c5694c43bf48
SHA256: e1efc1ac4b418cb71609f2bb8d1900916545730996d0d3b4a1001abad8e48a66
SHA512: 773026deb536ba48c2bf42612d3b8a45328a9f3cc1f4cf1a32ad6046496d5c87157baf973607e4ba773e469261ad4817a333de283ac4b31f97afa0d3b51566fd

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{50E76406-5ADC-45DD-9264-C269BFB0444F}.FSD
Filesize: 128KB
MD5: d03472fae64ad0e3dd51d2cb1b3d75d3
SHA1: 673ef9dbf1c8f4ef1b2df0d7d1747c9e24b9f810
SHA256: a8e75b66f615b29996b2c0f13ff4400377212bfa9c04e350c510a0fc19170515
SHA512: c10323462bf9de366630345a762f7f1bc6370b245f0c01e91c329db33b688f0dfa8cdd7fc6ad04e0d0bac59bebfb0a828a3896ac431bc2441c93fd1ddb1091d5

The .FSD files under OfficeFileCache are Office Document Cache entries written by Office itself, not payload drops.

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\microsoftEdgedeletedentirehistorycachefromthepctoclean[1].doc
Filesize: 58KB
MD5: ad19c30e8fc0f89004a1f960b477707f
SHA1: 0bb59500525d0b45c506c7b4fab6c1d905ee3280
SHA256: 395694b99ce0310e2aa9e6b96f479c36956af254b047c959a022c2b1fef2d6c6
SHA512: 2914142721a10abcd44ce05ba2c2e385555cd40e158e7a57315c3a2a0d61606f4ea1ace7c7b95cb7665fbfe1ff4ab399d68d431ae49271dff70889e8e7b30bd3
(the same 58KB file is listed a second time on the page without a path; hashes identical)
This .doc in the IE cache is consistent with the external document fetched through the workbook's OpenXML relationship ("Abuses OpenXML format to download file from external location" above), and the WINWORD.EXE -Embedding process in the tree is consistent with Word opening it as an embedded object.

(no path recorded)
Filesize: 1KB
MD5: d643c6bdccc23d6ded6c385c82fd2b91
SHA1: b3c006c4de5606ecd8a472c4fefb9b31c8387c6b
SHA256: 81ae89d643dbfce1ce7a5cbb389b271c2f7be9055f2736f4ecd83cce6f69a266
SHA512: 5233f9f3c12f98635c880b5b002e94c41039ae61816227c0bacd7b23bb4e8140723edc608bcddd9120635b8c0f0e85b3d614eba41a7ca876047c98f6570304ef

(no path recorded)
Filesize: 128KB
MD5: ea73cf75d637a294a2b95995942ca506
SHA1: 2aacac865c8fe69b8c78dd42fba57c6a5abfa35f
SHA256: a9b4429f84fd77b9bfe0be290608fc93fac3e12ae6dbbf3438714d14737d46dc
SHA512: b40ab01083333b089d853ae10956f16fe258d1c8b6b1f2c18c29a757be065dc56f24d0922d421c21474095de2478f1a44739c4fa60139f0cf2ab5b393adb18c9

(no path recorded; the same 641KB file is listed seven times on the page with identical hashes)
Filesize: 641KB
MD5: 9f78a2d7e3d3e313d6a08ae547af7a20
SHA1: 71d7ea0ce9d8da1248d281c3099ce7a2e6da4ac1
SHA256: 7906ee05067f6ef5bfb9e5ea9ddd16575ca0830d465bc06a3cfedafaf6167192
SHA512: 3004ec216dc2bf63a8e36f4b26382f36a7529e3a3256b40ab4ac111cbfe093dae9f2359c9b4b2b3d6792dbc44995fce0db85e4568b12fce9a59bee19ac4adfb4