Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 01:33
Static task: static1
Behavioral task: behavioral1
  Sample: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
  Resource: win10v2004-20231127-en
General
Target: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
Size: 391KB
MD5: c198b379975c143eefceef1d79a20e17
SHA1: 779ec72a2e929c5ba0f1b6db8922453c76177e38
SHA256: 14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50
SHA512: 20224151e72415d17e47507a417fb8898d9b5e70a6749ce7e5fbe72e3f6b5cea6caee0eb1125ad327c8028fea7cf8722306171c376c53ca4bdd23f6fbab14ef8
SSDEEP: 6144:Fn1m9kdbzPpeZl8b++UXKefrBCPP9UeybHvwsJxHMMj2GGuNla20kUVLR/:FOevhS5KSoPmeyTIsJxHlbCV
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow: 11, pid: 1484, process: EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 3 IoCs
Processes:
  pid: 2176, process: wlanext.exe
  pid: 2824, process: doubbdi.exe
  pid: 2904, process: doubbdi.exe
-
Loads dropped DLL 4 IoCs
Processes:
  pid: 1484, process: EQNEDT32.EXE
  pid: 2176, process: wlanext.exe
  pid: 2176, process: wlanext.exe
  pid: 2824, process: doubbdi.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: doubbdi.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: doubbdi.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: doubbdi.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 2824 set thread context of 2904, pid: 2824, process: doubbdi.exe, target process: doubbdi.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 8 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_1
  resource: C:\Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_2
  resource: \Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_1
  resource: \Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_2
  resource: C:\Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_1
  resource: C:\Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_2
  resource: C:\Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_1
  resource: C:\Users\Admin\AppData\Roaming\wlanext.exe, yara_rule: nsis_installer_2
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (process: EXCEL.EXE)
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
  WINWORD.EXE, EXCEL.EXE
-
Modifies registry class 64 IoCs
Processes:
  WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid: 3040, process: EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid: 2904, process: doubbdi.exe
  pid: 2904, process: doubbdi.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid: 2824, process: doubbdi.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege, pid: 2904, process: doubbdi.exe
  description: Token: SeShutdownPrivilege, pid: 2164, process: WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid: 3040, process: EXCEL.EXE
  pid: 3040, process: EXCEL.EXE
  pid: 3040, process: EXCEL.EXE
  pid: 2164, process: WINWORD.EXE
  pid: 2164, process: WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  PID 1484 wrote to memory of 2176 (pid: 1484, process: EQNEDT32.EXE, target process: wlanext.exe), 4 entries
  PID 2176 wrote to memory of 2824 (pid: 2176, process: wlanext.exe, target process: doubbdi.exe), 4 entries
  PID 2824 wrote to memory of 2904 (pid: 2824, process: doubbdi.exe, target process: doubbdi.exe), 5 entries
  PID 2164 wrote to memory of 2820 (pid: 2164, process: WINWORD.EXE, target process: splwow64.exe), 4 entries
-
outlook_office_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: doubbdi.exe)
-
outlook_win_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: doubbdi.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\14b2a0a27bc9c98e606495cf2d612db931d125983262b780e30d6f48e4d59b50.xls
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3040
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2164
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2820
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 1484
  - C:\Users\Admin\AppData\Roaming\wlanext.exe
    Command line: "C:\Users\Admin\AppData\Roaming\wlanext.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2176
    - C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2824
      - C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
        PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: d9210ca7c452aa1afc5e432ff0d71ca9
  SHA1: c348fb1ebe257ca25ee6a17e5547ebf9e31a2dc9
  SHA256: 664bfcf714a46c5d0666e257db5e6e92fb4a909f09abc903e35524d25dc58356
  SHA512: a567930606327302f46437e9ee259b78142526a6de42116f89724da54fa28d75a7ed7a3f025280924cf4874b9e65e1f28f3c29557c64b90ab94b967e203ffa62
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{31B64F86-DFA6-4260-84B9-F7512DCEB337}.FSD
  Filesize: 128KB
  MD5: 8522fce263bd367808387f8ca7d1236f
  SHA1: a08f98d3d7c2868a858a9c312e2d277650e23aab
  SHA256: cd4236f9f794964d4b9071a8821f7d8081a946ac60b4676c60b0a0eff6932883
  SHA512: 52913a2d7b648435545ef0b1ecb7550dcf80fac13ae70e50326933fddea6d80d9f1e23fc5f741629f890c2e421fe987ed2a19ff34deb3b9a3db117d04cdc75c1
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WGHIKMU\Microsoftdeletedentirehistoryfromthepcalsocookiecachetoo[1].doc
  Filesize: 58KB
  MD5: 6ee6e6e58e88fbb222f7b1c8e37973d7
  SHA1: fad289b5872a39a24d151ba59102c8d7c2e73e35
  SHA256: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf
  SHA512: 439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8