agenttesla | 7712b3d4b61189ccbafdbcc285b7a761d517bb68295626e30c33c24c38fb95cd

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
04-12-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Package.xls
Size

391KB
MD5

3e33c8cf5b3ce2fa86f1b0ab22d2d3c2
SHA1

de4c28fc5c4eab8c71b09830ff295b901be6a844
SHA256

7712b3d4b61189ccbafdbcc285b7a761d517bb68295626e30c33c24c38fb95cd
SHA512

0ef6016a7e6d0a45d9358ee21ddacea1b0aa393f276dadc32f3218c89f41fbea9ac765b5127c60cc8c069eb26ee52ffb740d0a7eb2af6ccf20a68e7740852354
SSDEEP

6144:ln1m9kdbQS6vsB3qfLWnNnBkbE9UX3yhnpC3quvmb6SrnV3LYpMMAI:lOeuvsB351Bkr3yh9b9hr

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.experthvac.ro
Port:
21
Username:
[email protected]
Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 752 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

wlanext.exe

pid process

1684 wlanext.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

752 EQNEDT32.EXE
752 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
9	752	EQNEDT32.EXE

pid	process
1684	wlanext.exe

pid	process
752	EQNEDT32.EXE
752	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 1684 set thread context of 656 1684 wlanext.exe RegAsm.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

752 EQNEDT32.EXE

description	pid	process	target process
PID 1684 set thread context of 656	1684	wlanext.exe	RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
752	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

800 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

wlanext.exe

pid process

1684 wlanext.exe
1684 wlanext.exe
1684 wlanext.exe
1684 wlanext.exe
1684 wlanext.exe
1684 wlanext.exe
1684 wlanext.exe
1684 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wlanext.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1684 wlanext.exe
Token: SeDebugPrivilege 656 RegAsm.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

800 EXCEL.EXE
800 EXCEL.EXE
800 EXCEL.EXE
2620 WINWORD.EXE
2620 WINWORD.EXE

pid	process
800	EXCEL.EXE

pid	process
1684	wlanext.exe
1684	wlanext.exe
1684	wlanext.exe
1684	wlanext.exe
1684	wlanext.exe
1684	wlanext.exe
1684	wlanext.exe
1684	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1684	wlanext.exe
Token: SeDebugPrivilege	656	RegAsm.exe

pid	process
800	EXCEL.EXE
800	EXCEL.EXE
800	EXCEL.EXE
2620	WINWORD.EXE
2620	WINWORD.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 752 wrote to memory of 1684	752	EQNEDT32.EXE	wlanext.exe
PID 752 wrote to memory of 1684	752	EQNEDT32.EXE	wlanext.exe
PID 752 wrote to memory of 1684	752	EQNEDT32.EXE	wlanext.exe
PID 752 wrote to memory of 1684	752	EQNEDT32.EXE	wlanext.exe
PID 2620 wrote to memory of 1464	2620	WINWORD.EXE	splwow64.exe
PID 2620 wrote to memory of 1464	2620	WINWORD.EXE	splwow64.exe
PID 2620 wrote to memory of 1464	2620	WINWORD.EXE	splwow64.exe
PID 2620 wrote to memory of 1464	2620	WINWORD.EXE	splwow64.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1852	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 1688	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 820	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe
PID 1684 wrote to memory of 656	1684	wlanext.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Package.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:800

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1464

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A13AF4E2-C234-4CDE-A771-F194044D4E6D}.FSD

Filesize
128KB

MD5
30c34c17370f3a8ece16722fc3db963b

SHA1
edc3521a8b7cdab2921252078da701f266a602ee

SHA256
7a8408dcfe5ec33e8c3258de1a8c77b1ec434142761e9f473f237d0d0f52d1fb

SHA512
9233bee78e924060610c8b9583988ade1f6e0cbc31d1ff9af4855d675749ad69a3f35fec6c0be7bc72f56d64bc2e64344e7089cf0c2c4af9d53cf75154ec91e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
1f61d8d968bfe33ff4663c63f618c8da

SHA1
f8148e5c384d928fd2437aded3c896a4dfc95ea9

SHA256
37f4a5d5ecd82e42f6a1219a6a00ff7275884f387d062d6f86ef4f8f509e808e

SHA512
a9d1bb189c1060febca0d7d295b8485582f7b8dbe32fffaa7d14327371d366856d6d2a9f451c4119b598c4463dc4f2ba8ce38eea875c5033eaf0fbd031cd5afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
b5df8ad8bd0ab45e26ef075a9ebfbbe0

SHA1
a57806bf9a232273699f2bbc603e2d54a85aacef

SHA256
74d9d8878a92e73b4fa0b679d532ab2a12bc00f1153dc8b551444a1f645c1f4b

SHA512
b4cb0d764769d0a4496159e6a3fff4bc777ff7f669d1faf84f5685044354f4c8c54835a69444e6c2d248f635e92418636197ad274a5f6b8abde64bbc41c499f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E4AF3966-6145-40C7-A494-34AB10782103}.FSD

Filesize
128KB

MD5
70257f2fae32d8d6d93e25e13e359682

SHA1
e2333585df5290e4077bfe5487aec430859d8a4e

SHA256
e78ff12b32c7469ec5e5a9a4315789a658d099f7072f4441acb95ac6a439d6c5

SHA512
331c0ca5eb23608ec4f7de1e64767dbb345698ed490fc117e538a12474d9d5cc4c55ce0c72dbb2b2fa059f46f3d206d3933bd23190f8d502de31615e65f965a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\microsofttoldemetheywanttodeletehistorycatchcookiefrommypc[1].doc

Filesize
48KB

MD5
08568b90661f80313579e0c16c2737f0

SHA1
859aa8a945a3585bf777ef29bbfeaeba8bc22526

SHA256
0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b

SHA512
f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A5886B34.doc

Filesize
48KB

MD5
08568b90661f80313579e0c16c2737f0

SHA1
859aa8a945a3585bf777ef29bbfeaeba8bc22526

SHA256
0bad6a3f47fd9b9063f5c71609e68bd2de6f9d6e4cf1a183351ee8f2f7ebf32b

SHA512
f46cf40ef8199cfe58ebd0bc63a09aa70c4c6d6bda1a55bd0d3ef63e26ea3580c63d963d8d4c9af28981ce369edd62a88779dad1bd0f4192115e6f534cb625d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AAB98E85-F17E-49F6-8AC0-7F1DF29FB8F1}

Filesize
128KB

MD5
6f52e140b36c8e30694ed4e6f5c5f65f

SHA1
31189d90ee59ccdf1b592feffbb052651f584f27

SHA256
6dd468526f1c9909b8ee98ddb0027ea25f63ae0b190b2a44e60275bcf8a7cb72

SHA512
66cca0c9894734251b8c74028e726d04b913fa2b08f68f6680eacf54da2f3dac1e54e39eca4fde646a70b0cf7ef3f137c405c37ac8229646f53453a1b3b42a2b

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
823KB

MD5
3713c253ab56bf85aaa806fc41cc6905

SHA1
cf59aac87590bb5f3bba092f20455b097a1ffab5

SHA256
ae52ee94e65fb54e279703124ab5ee6191f655f61c5302c49e4cd862cfd1dc17

SHA512
ca02a48ec0ff561e50817d661830cd4c4cf39fdc9e458a8fc93170d0fbafc6d1c5f6903a888b95c313e639c74e1e2c2369486873a14fcfbafaa58c7313230f87

Download Submit
memory/656-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/656-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/656-146-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/800-8-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/800-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/800-1-0x0000000072A7D000-0x0000000072A88000-memory.dmp

Filesize
44KB

Download
memory/800-103-0x0000000072A7D000-0x0000000072A88000-memory.dmp

Filesize
44KB

Download
memory/820-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1684-101-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1684-143-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1684-100-0x000000006A930000-0x000000006B01E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-147-0x000000006A930000-0x000000006B01E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-106-0x000000006A930000-0x000000006B01E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-107-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1684-108-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/1684-109-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download
memory/1684-110-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1684-102-0x0000000000A80000-0x0000000000AC4000-memory.dmp

Filesize
272KB

Download
memory/1684-99-0x0000000000FC0000-0x0000000001094000-memory.dmp

Filesize
848KB

Download
memory/1688-127-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1852-115-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1852-117-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1852-119-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1852-113-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/1852-111-0x00000000000D0000-0x0000000000100000-memory.dmp

Filesize
192KB

Download
memory/2620-7-0x0000000003670000-0x0000000003672000-memory.dmp

Filesize
8KB

Download
memory/2620-5-0x0000000072A7D000-0x0000000072A88000-memory.dmp

Filesize
44KB

Download
memory/2620-3-0x000000002F261000-0x000000002F262000-memory.dmp

Filesize
4KB

Download
memory/2620-105-0x0000000072A7D000-0x0000000072A88000-memory.dmp

Filesize
44KB

Download