Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2023 01:46
Static task: static1
Behavioral task: behavioral1
- Sample: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf
- Resource: win10v2004-20231130-en
General
- Target: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf
- Size: 58KB
- MD5: 6ee6e6e58e88fbb222f7b1c8e37973d7
- SHA1: fad289b5872a39a24d151ba59102c8d7c2e73e35
- SHA256: f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf
- SHA512: 439dd171e5fcb4d30928b2fa19f17f709ca5056ae097a03decd7b9df6da5726eaf3b93499958660cecf75eef0d25d575216e5b6009f3ff68756c949ff272abc8
- SSDEEP: 1536:zU3fjdJnp5MMS+IX/tlKcEVM0l+Sdym9NEPTpKzEjs3jHBE:XtlKc2fl+SdBHErpKzEjs3LO
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 1 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
3 | 2516 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: wlanext.exe, doubbdi.exe, doubbdi.exe, doubbdi.exe
pid | process
2660 | wlanext.exe
2444 | doubbdi.exe
1548 | doubbdi.exe
2704 | doubbdi.exe
-
Loads dropped DLL 5 IoCs
Processes: EQNEDT32.EXE, wlanext.exe, doubbdi.exe
pid | process
2516 | EQNEDT32.EXE
2660 | wlanext.exe
2660 | wlanext.exe
2444 | doubbdi.exe
2444 | doubbdi.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: doubbdi.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doubbdi.exe
Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doubbdi.exe
Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doubbdi.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: doubbdi.exe
description | pid | process | target process
PID 2444 set thread context of 2704 | 2444 | doubbdi.exe | doubbdi.exe
-
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 8 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_2
\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_1
\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_2
C:\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\wlanext.exe | nsis_installer_2
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes: WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
2124 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: doubbdi.exe
pid | process
2704 | doubbdi.exe
2704 | doubbdi.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: doubbdi.exe
pid | process
2444 | doubbdi.exe
2444 | doubbdi.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: doubbdi.exe
description | pid | process
Token: SeDebugPrivilege | 2704 | doubbdi.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid | process
2124 | WINWORD.EXE
2124 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: EQNEDT32.EXE, wlanext.exe, doubbdi.exe, WINWORD.EXE
description | pid | process | target process
PID 2516 wrote to memory of 2660 | 2516 | EQNEDT32.EXE | wlanext.exe
PID 2516 wrote to memory of 2660 | 2516 | EQNEDT32.EXE | wlanext.exe
PID 2516 wrote to memory of 2660 | 2516 | EQNEDT32.EXE | wlanext.exe
PID 2516 wrote to memory of 2660 | 2516 | EQNEDT32.EXE | wlanext.exe
PID 2660 wrote to memory of 2444 | 2660 | wlanext.exe | doubbdi.exe
PID 2660 wrote to memory of 2444 | 2660 | wlanext.exe | doubbdi.exe
PID 2660 wrote to memory of 2444 | 2660 | wlanext.exe | doubbdi.exe
PID 2660 wrote to memory of 2444 | 2660 | wlanext.exe | doubbdi.exe
PID 2444 wrote to memory of 1548 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 1548 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 1548 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 1548 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 2704 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 2704 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 2704 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 2704 | 2444 | doubbdi.exe | doubbdi.exe
PID 2444 wrote to memory of 2704 | 2444 | doubbdi.exe | doubbdi.exe
PID 2124 wrote to memory of 2008 | 2124 | WINWORD.EXE | splwow64.exe
PID 2124 wrote to memory of 2008 | 2124 | WINWORD.EXE | splwow64.exe
PID 2124 wrote to memory of 2008 | 2124 | WINWORD.EXE | splwow64.exe
PID 2124 wrote to memory of 2008 | 2124 | WINWORD.EXE | splwow64.exe
-
outlook_office_path 1 IoCs
Processes: doubbdi.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doubbdi.exe
-
outlook_win_path 1 IoCs
Processes: doubbdi.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | doubbdi.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f7925b0edcb383f181bbb45b29acaad0b837f0ea742a755e47aed688bcd170cf.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2124
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2008
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 2516
  - C:\Users\Admin\AppData\Roaming\wlanext.exe
    Command line: "C:\Users\Admin\AppData\Roaming\wlanext.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2660
    - C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2444
      - C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
        - Executes dropped EXE
        PID: 1548
      - C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
        PID: 2704
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 191KB
  MD5: 5a1232108d4d199c99de71a08c45f068
  SHA1: 817bb4b675853d2b36c99f0d6d9bf4d162c6000e
  SHA256: 1eaf29f23168f7506f681545f3355eafefa715d574d7f5e68a5523b6b4d92f55
  SHA512: 572facb4bf5e8415b37cb73992e843fffd9188b6929da139433f4ccc5a950a61dfbd8031f73667f1a4d976dbe06da7e0e747e168d5f23ac261608f72f8f62b5b
- Filesize: 334KB
  MD5: 043bdf6ecd9749b3947423bc584f7af9
  SHA1: 7705ddeb913cb220c29a79859d6a76d64f3f7c46
  SHA256: e53e05f266ca0f1e7e5f7c5fc91df1c9801cc708be3ae080f994aef1c2ef011c
  SHA512: 3e47886d7704bdcaa50e1484650e9ec01bc9c86ce3ee3d58bb74d09326e3d94ab83fe90009c75a4acdaa0a1fa7cd5e377f8f059040ef019737218b3f14fce065
- Filesize: 20KB
  MD5: bc8c9ce4db79c21fba59da16242545bb
  SHA1: 85f928609c794659f65c7ccc224472f75ef2a652
  SHA256: bf932146a239ab5d268a03089966905c4cf6d4c02e22f2bc194ae27961da86bb
  SHA512: 9dd8d6611fe34f976203e07f2ceedf6932911117ba9ac81a48d21b6063563943c3002d28a1f799db71e3eb52ca2e60edf6776cea6c61cdd7502e31411d2dde57
- Filesize: 405KB
  MD5: 8bfd7886121330aca3002b5b1e768740
  SHA1: 1dae238a6f5c6fb2074f8f7e9dccdaa625ccc71e
  SHA256: 03b950d316f2e66e637a9cfdd2f769d5a53296b0459df9cb6ed0fc0d25282958
  SHA512: 48354e5f6af35bce559d1476752cea9ebc4637e7792f8531b452b076c9949dca2892948c85e5b42ceebdc45cc3c21d03ce039c22983451c7c38b939a08528ee1