Analysis
-
max time kernel
134s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
01-12-2023 14:03
Static task
static1
Behavioral task
behavioral1
Sample
TT Copy.xls
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
TT Copy.xls
Resource
win10-20231020-en
Behavioral task
behavioral3
Sample
TT Copy.xls
Resource
win10v2004-20231127-en
General
-
Target
TT Copy.xls
-
Size
381KB
-
MD5
26beb641321ce859d389a80ccd1416d9
-
SHA1
8a47f46ab9f3ed5fd132cd8f30ece15e6c47cf21
-
SHA256
3c756278503cd67e4ca18fa2acbba31c308153b5801f24b222a42b4b3331c780
-
SHA512
02c1f0b615d33f941d6a8a227fb9845bedbd01eee4a587368b95fb83bcf0ff16b4f9738aa7caaf65a9c7373bb9711e4f504bfc50a7dabf97b54fe1cf26239f5b
-
SSDEEP
6144:hn1m9kdb41yFtrP+9LFRLLckUXWnNFFtx/4pvbS3SF18XpzeHfOSWZJOOeRs5mOG:hOecoFt+LFRSWznxwdQBpKHfIeRKmOr6
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.experthvac.ro - Port:
21 - Username:
[email protected] - Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 11 848 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
Processes:
wlanext.exepid process 2172 wlanext.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 848 EQNEDT32.EXE 848 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
wlanext.exedescription pid process target process PID 2172 set thread context of 1892 2172 wlanext.exe RegAsm.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 884 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
wlanext.exepid process 2172 wlanext.exe 2172 wlanext.exe 2172 wlanext.exe 2172 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
wlanext.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 2172 wlanext.exe Token: SeDebugPrivilege 1892 RegAsm.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 884 EXCEL.EXE 884 EXCEL.EXE 884 EXCEL.EXE 2596 WINWORD.EXE 2596 WINWORD.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEwlanext.exedescription pid process target process PID 848 wrote to memory of 2172 848 EQNEDT32.EXE wlanext.exe PID 848 wrote to memory of 2172 848 EQNEDT32.EXE wlanext.exe PID 848 wrote to memory of 2172 848 EQNEDT32.EXE wlanext.exe PID 848 wrote to memory of 2172 848 EQNEDT32.EXE wlanext.exe PID 2596 wrote to memory of 1104 2596 WINWORD.EXE splwow64.exe PID 2596 wrote to memory of 1104 2596 WINWORD.EXE splwow64.exe PID 2596 wrote to memory of 1104 2596 WINWORD.EXE splwow64.exe PID 2596 wrote to memory of 1104 2596 WINWORD.EXE splwow64.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 2944 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe PID 2172 wrote to memory of 1892 2172 wlanext.exe RegAsm.exe -
outlook_office_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TT Copy.xls"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:884
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1104
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2944
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1892
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B54BE748-A883-4DF2-BCE1-730FD3B91D42}.FSD
Filesize128KB
MD5cb955b0b514ab2594f98592e049d2fee
SHA1b34b6ef9fd915c9f807522ab6a2d57af3b33530a
SHA25642629d35eb4ea8d1bbfc1973bc14901ce914372ea20c86e140e132ae7bff13b7
SHA5122a8a45d1ac2b618cfeaa50b376d7e9a5c6b71ea73d52696e1f7ed25849f64a3a018e78f287c1e73f76681250784ece618b41bb447c44377cd27cf4fee1655bf6
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5f7990480f1c50cd05c681e459b863d0c
SHA157f6861c7ed615bcc484bcbf1e52d2f3ddb09908
SHA256077de50cf14cef9805cfc2ac18b310035493eb5f3c87f3a68da9615d16a4b828
SHA5120fc3e8e3a947bf3d11701c4bd5ddbe4a0256391dd2e8df0e253c97b350b654e1c0170a425bfa0fd23b8e90be2b3c248af8806845d0e7c603c0c57dca8baf20b0
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7CCCB1EB-3B86-43B9-988C-5BB723F2E6D8}.FSD
Filesize128KB
MD50d1cb99aff4c0e706712abc92b20a9d1
SHA13b13cb8e8cac0c7a9eeaf134f57a464303a7301f
SHA256a1b419cb9bb73793b3574d099e0a9dd032945156551bf9d190fb42d01b6be3d8
SHA512ed3ac5fe7224ff7c4a9a6cc99525ec13daee3c04f7f9fe8fb20014e14b12bacb0f656bd6531e369c51ded557e33c69951e86317ce5bad493a117106dd3c4a870
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOB1G6ZJ\microsoftEdgedeletedentirehistorycachehistoryfromthepc[1].doc
Filesize61KB
MD59e0226adf02222bbee9aa7e2f6f1c07a
SHA164e031bda28509528f26a64ac5d7935cf5afe426
SHA256632f7e212cc149d81b322def328534953b979d1f1885140e2645e4ac41d0f56c
SHA512687e89fd04f39817432dec1f43754f18f77bda0f96e6fff1a24e00df3fdd0ab6831f39fb1c90240ce128c2dad34c5e43a7f7efcfb34052b02c634a0204595c90
-
Filesize
61KB
MD59e0226adf02222bbee9aa7e2f6f1c07a
SHA164e031bda28509528f26a64ac5d7935cf5afe426
SHA256632f7e212cc149d81b322def328534953b979d1f1885140e2645e4ac41d0f56c
SHA512687e89fd04f39817432dec1f43754f18f77bda0f96e6fff1a24e00df3fdd0ab6831f39fb1c90240ce128c2dad34c5e43a7f7efcfb34052b02c634a0204595c90
-
Filesize
128KB
MD562c77e80fc1d21719051cfc26e6d0c94
SHA16b26536e34a18d20c059bf5f88fba0b96b72ddb2
SHA25680cf544ae74a18d7a4131f0c98e7eb207c3600ac1d1813da5aed1aa861477944
SHA51232f36fa928df0373b04896c3f175f53c4dcc7fbab4bcfec5bb4535ce88e1d3bf1a895f43720eef3fccb54b7028e91a03e10499951afd8055af289a4838813c27
-
Filesize
823KB
MD53713c253ab56bf85aaa806fc41cc6905
SHA1cf59aac87590bb5f3bba092f20455b097a1ffab5
SHA256ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17
SHA512ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87
-
Filesize
823KB
MD53713c253ab56bf85aaa806fc41cc6905
SHA1cf59aac87590bb5f3bba092f20455b097a1ffab5
SHA256ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17
SHA512ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87
-
Filesize
823KB
MD53713c253ab56bf85aaa806fc41cc6905
SHA1cf59aac87590bb5f3bba092f20455b097a1ffab5
SHA256ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17
SHA512ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87
-
Filesize
823KB
MD53713c253ab56bf85aaa806fc41cc6905
SHA1cf59aac87590bb5f3bba092f20455b097a1ffab5
SHA256ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17
SHA512ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87
-
Filesize
823KB
MD53713c253ab56bf85aaa806fc41cc6905
SHA1cf59aac87590bb5f3bba092f20455b097a1ffab5
SHA256ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17
SHA512ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87