Analysis
-
max time kernel
119s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 01:02
Static task
static1
Behavioral task
behavioral1
Sample
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
Resource
win10v2004-20231130-en
General
-
Target
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx
-
Size
37KB
-
MD5
6de35c22ca3f026a6a645fc9fda40565
-
SHA1
252a6d49a0d9096e8c48c11d7c9a934681e55f6a
-
SHA256
e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96
-
SHA512
b872b0509756ca5e5dc8ce14eb83b6c5eb354093a62702a70caceb8ed0ce9d1fb854a55a99302d1e329635891174a525c14e8b036cc7bb18afab1589d2b29f28
-
SSDEEP
768:lJH2e8oUg8OALyuki2cDsNNP+vB2ZmwVbMLAVYAS50zhR:PWe8XtTLLZ2cDsNNP+vB2ZmwVbtVY8zz
Malware Config
Extracted
Protocol: smtp- Host:
mail.telefoonreparatiebovenkarspel.nl - Port:
587 - Username:
[email protected] - Password:
Madarjan007!
Extracted
agenttesla
Protocol: smtp- Host:
mail.telefoonreparatiebovenkarspel.nl - Port:
587 - Username:
[email protected] - Password:
Madarjan007! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 14 1956 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
Processes:
wlanext.exewlanext.exepid process 2152 wlanext.exe 2800 wlanext.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1956 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
wlanext.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 api.ipify.org 16 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
wlanext.exedescription pid process target process PID 2152 set thread context of 2800 2152 wlanext.exe wlanext.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2124 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
wlanext.exewlanext.exepid process 2152 wlanext.exe 2152 wlanext.exe 2800 wlanext.exe 2800 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wlanext.exewlanext.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 2152 wlanext.exe Token: SeDebugPrivilege 2800 wlanext.exe Token: SeShutdownPrivilege 2124 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEwlanext.exepid process 2124 WINWORD.EXE 2124 WINWORD.EXE 2800 wlanext.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEwlanext.exeWINWORD.EXEdescription pid process target process PID 1956 wrote to memory of 2152 1956 EQNEDT32.EXE wlanext.exe PID 1956 wrote to memory of 2152 1956 EQNEDT32.EXE wlanext.exe PID 1956 wrote to memory of 2152 1956 EQNEDT32.EXE wlanext.exe PID 1956 wrote to memory of 2152 1956 EQNEDT32.EXE wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2152 wrote to memory of 2800 2152 wlanext.exe wlanext.exe PID 2124 wrote to memory of 1580 2124 WINWORD.EXE splwow64.exe PID 2124 wrote to memory of 1580 2124 WINWORD.EXE splwow64.exe PID 2124 wrote to memory of 1580 2124 WINWORD.EXE splwow64.exe PID 2124 wrote to memory of 1580 2124 WINWORD.EXE splwow64.exe -
outlook_office_path 1 IoCs
Processes:
wlanext.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe -
outlook_win_path 1 IoCs
Processes:
wlanext.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e9d8f145cf7e0745a6eb448fe68cb774fb5549440218fae3be937600b7b1bc96.docx"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1580
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2800
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5dca09f66ee5ffb676e3fd558423243f5
SHA106fd92e7a05e25da740b06756c8ebec91cd1b5f0
SHA256e72c9b9609876a842e1027a1d2780c8e8dcd088c5f77c03d0641ec87c6cfced5
SHA5123a3b5604602527dbd6bb4ab5bf480483c6e917f9959ba2f339b08ded5a0848bec510b44305bd52ef36eec2f6a2412622af281660a62a51e2a7208827ff457b3e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F7ED4BBB-9EE7-48D9-8430-506B4B1E9158}.FSD
Filesize128KB
MD5920af819ae3d1930819750c721c139a2
SHA10e390e33bd46c5f03b1ee89dbb1c2f1fae127622
SHA2567cab3aae57e646237b1f4c428b979d1efe6f38a2837824126bfd6d004dfc0cbd
SHA51281a52457df272d8c94d4e2b8e70ee3700ea8db73a925db799435bc02af81d5ff14dad76fddd6e32abb762a0a3710edc898f2d68ed11dede0dd8fdbf53d446a98
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD59ee4641fab6702f0e788d7d0419526c1
SHA1f0174bbdd21747e09a539256c1197a91d02bfe41
SHA2566255dde2d2679ade90b9a9269f56dfaa2783ff9dfa3f63df5501daf149ef3515
SHA5124629388e8cd1ffccb6703026bdef6bb5acd1fac959551b8f19708e68dab2ce9e608b83aa176800d5d4f245796c318b56f0bddc65473ea71e0f90108f46be13c2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{18F660AA-9D84-44D6-BC8B-2F84A0F900E5}.FSD
Filesize128KB
MD52e8e964e19fe747ec6480b3e479c2a89
SHA186b35769a4f7fc196a12f0bc715f927e283717e9
SHA2560d78ce6312becb719437a6d779149fc37883617b919ebfd1f53a48d3f4fd800c
SHA512a676e4928879d918f30541dacc8601bf2a6a75fade632c9eee071e47c8fde6a6483116b5147cbebb91ec46e23b3b52e2b2a8ac8c23f3b61c02af149e3759fd77
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJT1WABK\microsoftdeletedentirehistorycachecookieeverythingfromthepc[1].doc
Filesize59KB
MD55643a0a13f4ac19ff29d50cca8230dfc
SHA1f01021d30a3ac117336b0f399b961001041f5158
SHA2560203defc53560a73ac1fb658d820808f146f948a07902542b4c6a6cbd514692a
SHA51212eeb64f0b2167b338a8e21ffb1e2f8fe35b3751bdfad9aa693b7a85fa4b81bba2775d93ae0a6d55707dd7fa6ade84709b5eed8214ab0d3e4e811ebec3b841e6
-
Filesize
7KB
MD57e996b534a3324631882ffd86897ce3c
SHA16f74be38140b3e5c4d3ff32e1a02baa4d393a2aa
SHA256e1a781642c3618141f217d23ab95d00fa9a1b59090b78414f92be441c533a40f
SHA512a89a8ecbc4414e809dd6cdaf0567a3bbaddb73db1a103d48ab816cd743d116e627f051376c586462b6948caaf694c30d1b62d65a771a17b631516c599474e45e
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
128KB
MD500a196d97aefd1191b894e808e8aa53d
SHA1f54d8cad6c3432a19bc644bcd130e1d108b0a7a2
SHA25699968da4397fc86e607b426a56195877ada2aaafac0b56acc2b58c6c227d2653
SHA512788ed84e6859892a0d5707dc61b9573cd3695343b3a1030b955b980e443b8cf00463cdc31d48727a1e85fdc6c573a2db13c4eb80826587dbf7e6710b12eef005
-
Filesize
20KB
MD57bba6d22f63aeaaf1837520cada6cf01
SHA15fb286ee73d6f7faac4442e032b6beba42d4eee4
SHA2564ec43d0fa695f83c5300136dcaa0dfa36825aa3f1ea2f7a0eb78f9fc1ab93019
SHA512d76d24b2d6278c275f6b1dfa4e31c3f1a3e689339cf89d4aa8e71c10116cca59de9ddd58bae195d36fa6ab7c0b4ee5740790d077bcc6c8279473ff052adfae36
-
Filesize
842KB
MD5f918266716676393150c923659f80e79
SHA124083ba3b3ef71e4e4999c19bfcdd79046db54dd
SHA256b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959
SHA51272ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477
-
Filesize
842KB
MD5f918266716676393150c923659f80e79
SHA124083ba3b3ef71e4e4999c19bfcdd79046db54dd
SHA256b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959
SHA51272ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477
-
Filesize
842KB
MD5f918266716676393150c923659f80e79
SHA124083ba3b3ef71e4e4999c19bfcdd79046db54dd
SHA256b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959
SHA51272ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477
-
Filesize
842KB
MD5f918266716676393150c923659f80e79
SHA124083ba3b3ef71e4e4999c19bfcdd79046db54dd
SHA256b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959
SHA51272ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477
-
Filesize
842KB
MD5f918266716676393150c923659f80e79
SHA124083ba3b3ef71e4e4999c19bfcdd79046db54dd
SHA256b4505984575d9ea01e84c1d68b9a4bf2320af90570d05e4e73cbe3778a02e959
SHA51272ea1edef4480c046800d69deab32b1a40b3443dd4dd0a5c1ab00e971eb1dcbc34434501eea97c574e8d7510efc9ee75cd75b4b4c189da47439e917c20b3d477