agenttesla | e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96

Analysis

max time kernel
119s
max time network
136s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-12-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
Size

37KB
MD5

6de35c22ca3f026a6a645fc9fda40565
SHA1

252a6d49a0d9096e8c48c11d7c9a934681e55f6a
SHA256

e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96
SHA512

b872b0509756ca5e5dc8ce14eb83b6c5eb354093a62702a70caceb8ed0ce9d1fb854a55a99302d1e329635891174a525c14e8b036cc7bb18afab1589d2b29f28
SSDEEP

768:lJH2e8oUg8OALyuki2cDsNNP+vB2ZmwVbMLAVYAS50zhR:PWe8XtTLLZ2cDsNNP+vB2ZmwVbtVY8zz

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.telefoonreparatiebovenkarspel.nl
Port:
587
Username:
[email protected]
Password:
Madarjan007!

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.telefoonreparatiebovenkarspel.nl
Port:
587
Username:
[email protected]
Password:
Madarjan007!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

14 1956 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wlanext.exewlanext.exe

pid process

2152 wlanext.exe
2800 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1956 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
14	1956	EQNEDT32.EXE

pid	process
2152	wlanext.exe
2800	wlanext.exe

pid	process
1956	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
16 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 2152 set thread context of 2800 2152 wlanext.exe wlanext.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1956 EQNEDT32.EXE

flow	ioc
15	api.ipify.org
16	api.ipify.org

description	pid	process	target process
PID 2152 set thread context of 2800	2152	wlanext.exe	wlanext.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1956	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2124 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wlanext.exewlanext.exe

pid process

2152 wlanext.exe
2152 wlanext.exe
2800 wlanext.exe
2800 wlanext.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wlanext.exewlanext.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 2152 wlanext.exe
Token: SeDebugPrivilege 2800 wlanext.exe
Token: SeShutdownPrivilege 2124 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEwlanext.exe

pid process

2124 WINWORD.EXE
2124 WINWORD.EXE
2800 wlanext.exe

pid	process
2124	WINWORD.EXE

pid	process
2152	wlanext.exe
2152	wlanext.exe
2800	wlanext.exe
2800	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	2152	wlanext.exe
Token: SeDebugPrivilege	2800	wlanext.exe
Token: SeShutdownPrivilege	2124	WINWORD.EXE

pid	process
2124	WINWORD.EXE
2124	WINWORD.EXE
2800	wlanext.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEwlanext.exeWINWORD.EXE

description	pid	process	target process
PID 1956 wrote to memory of 2152	1956	EQNEDT32.EXE	wlanext.exe
PID 1956 wrote to memory of 2152	1956	EQNEDT32.EXE	wlanext.exe
PID 1956 wrote to memory of 2152	1956	EQNEDT32.EXE	wlanext.exe
PID 1956 wrote to memory of 2152	1956	EQNEDT32.EXE	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2152 wrote to memory of 2800	2152	wlanext.exe	wlanext.exe
PID 2124 wrote to memory of 1580	2124	WINWORD.EXE	splwow64.exe
PID 2124 wrote to memory of 1580	2124	WINWORD.EXE	splwow64.exe
PID 2124 wrote to memory of 1580	2124	WINWORD.EXE	splwow64.exe
PID 2124 wrote to memory of 1580	2124	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

outlook_win_path 1 IoCs

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1580

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dca09f66ee5ffb676e3fd558423243f5

SHA1
06fd92e7a05e25da740b06756c8ebec91cd1b5f0

SHA256
e72c9b9609876a842e1027a1d2780c8e8dcd088c5f77c03d0641ec87c6cfced5

SHA512
3a3b5604602527dbd6bb4ab5bf480483c6e917f9959ba2f339b08ded5a0848bec510b44305bd52ef36eec2f6a2412622af281660a62a51e2a7208827ff457b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F7ED4BBB-9EE7-48D9-8430-506B4B1E9158}.FSD

Filesize
128KB

MD5
920af819ae3d1930819750c721c139a2

SHA1
0e390e33bd46c5f03b1ee89dbb1c2f1fae127622

SHA256
7cab3aae57e646237b1f4c428b979d1efe6f38a2837824126bfd6d004dfc0cbd

SHA512
81a52457df272d8c94d4e2b8e70ee3700ea8db73a925db799435bc02af81d5ff14dad76fddd6e32abb762a0a3710edc898f2d68ed11dede0dd8fdbf53d446a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
9ee4641fab6702f0e788d7d0419526c1

SHA1
f0174bbdd21747e09a539256c1197a91d02bfe41

SHA256
6255dde2d2679ade90b9a9269f56dfaa2783ff9dfa3f63df5501daf149ef3515

SHA512
4629388e8cd1ffccb6703026bdef6bb5acd1fac959551b8f19708e68dab2ce9e608b83aa176800d5d4f245796c318b56f0bddc65473ea71e0f90108f46be13c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{18F660AA-9D84-44D6-BC8B-2F84A0F900E5}.FSD

Filesize
128KB

MD5
2e8e964e19fe747ec6480b3e479c2a89

SHA1
86b35769a4f7fc196a12f0bc715f927e283717e9

SHA256
0d78ce6312becb719437a6d779149fc37883617b919ebfd1f53a48d3f4fd800c

SHA512
a676e4928879d918f30541dacc8601bf2a6a75fade632c9eee071e47c8fde6a6483116b5147cbebb91ec46e23b3b52e2b2a8ac8c23f3b61c02af149e3759fd77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJT1WABK\microsoftdeletedentirehistorycachecookieeverythingfromthepc[1].doc

Filesize
59KB

MD5
5643a0a13f4ac19ff29d50cca8230dfc

SHA1
f01021d30a3ac117336b0f399b961001041f5158

SHA256
0203defc53560a73ac1fb658d820808f146f948a07902542b4c6a6cbd514692a

SHA512
12eeb64f0b2167b338a8e21ffb1e2f8fe35b3751bdfad9aa693b7a85fa4b81bba2775d93ae0a6d55707dd7fa6ade84709b5eed8214ab0d3e4e811ebec3b841e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49EB0AB.emf

Filesize
7KB

MD5
7e996b534a3324631882ffd86897ce3c

SHA1
6f74be38140b3e5c4d3ff32e1a02baa4d393a2aa

SHA256
e1a781642c3618141f217d23ab95d00fa9a1b59090b78414f92be441c533a40f

SHA512
a89a8ecbc4414e809dd6cdaf0567a3bbaddb73db1a103d48ab816cd743d116e627f051376c586462b6948caaf694c30d1b62d65a771a17b631516c599474e45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab195A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AF7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56D6E739-7A58-41DF-9D4E-79D810A5DB00}

Filesize
128KB

MD5
00a196d97aefd1191b894e808e8aa53d

SHA1
f54d8cad6c3432a19bc644bcd130e1d108b0a7a2

SHA256
99968da4397fc86e607b426a56195877ada2aaafac0b56acc2b58c6c227d2653

SHA512
788ed84e6859892a0d5707dc61b9573cd3695343b3a1030b955b980e443b8cf00463cdc31d48727a1e85fdc6c573a2db13c4eb80826587dbf7e6710b12eef005

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
7bba6d22f63aeaaf1837520cada6cf01

SHA1
5fb286ee73d6f7faac4442e032b6beba42d4eee4

SHA256
4ec43d0fa695f83c5300136dcaa0dfa36825aa3f1ea2f7a0eb78f9fc1ab93019

SHA512
d76d24b2d6278c275f6b1dfa4e31c3f1a3e689339cf89d4aa8e71c10116cca59de9ddd58bae195d36fa6ab7c0b4ee5740790d077bcc6c8279473ff052adfae36

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
842KB

MD5
f918266716676393150c923659f80e79

SHA1
24083ba3b3ef71e4e4999c19bfcdd79046db54dd

SHA256
b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959

SHA512
72ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
842KB

MD5
f918266716676393150c923659f80e79

SHA1
24083ba3b3ef71e4e4999c19bfcdd79046db54dd

SHA256
b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959

SHA512
72ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
842KB

MD5
f918266716676393150c923659f80e79

SHA1
24083ba3b3ef71e4e4999c19bfcdd79046db54dd

SHA256
b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959

SHA512
72ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
842KB

MD5
f918266716676393150c923659f80e79

SHA1
24083ba3b3ef71e4e4999c19bfcdd79046db54dd

SHA256
b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959

SHA512
72ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
842KB

MD5
f918266716676393150c923659f80e79

SHA1
24083ba3b3ef71e4e4999c19bfcdd79046db54dd

SHA256
b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959

SHA512
72ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477

Download Submit
memory/2124-224-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/2124-221-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2124-137-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/2124-2-0x000000007131D000-0x0000000071328000-memory.dmp

Filesize
44KB

Download
memory/2124-0-0x000000002F151000-0x000000002F152000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2152-140-0x0000000004EF0000-0x0000000004F6E000-memory.dmp

Filesize
504KB

Download
memory/2152-154-0x000000006AA30000-0x000000006B11E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-117-0x0000000000AE0000-0x0000000000BB8000-memory.dmp

Filesize
864KB

Download
memory/2152-118-0x000000006AA30000-0x000000006B11E000-memory.dmp

Filesize
6.9MB

Download
memory/2152-121-0x0000000000660000-0x00000000006A0000-memory.dmp

Filesize
256KB

Download
memory/2152-123-0x0000000000A20000-0x0000000000A38000-memory.dmp

Filesize
96KB

Download
memory/2152-138-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2152-139-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2800-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-155-0x000000006AA30000-0x000000006B11E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-156-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2800-141-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-196-0x000000006AA30000-0x000000006B11E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-197-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2800-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download