agenttesla | ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-12-2023 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER N. F-1676.23.xls
Size

392KB
MD5

3408974acb99e7eb86e75d116d3cbe08
SHA1

1d4e5df1f326f6239038b4631d3041f8c8bce8b0
SHA256

ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
SHA512

40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
SSDEEP

6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.abi0expertise.com
Port:
587
Username:
[email protected]
Password:
Najwa1949!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

11 1388 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 3 IoCs

Processes:

wlanext.exewlanext.exewlanext.exe

pid process

1100 wlanext.exe
2320 wlanext.exe
2312 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1388 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 1100 set thread context of 2312 1100 wlanext.exe wlanext.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1388 EQNEDT32.EXE

flow	pid	process
11	1388	EQNEDT32.EXE

pid	process
1100	wlanext.exe
2320	wlanext.exe
2312	wlanext.exe

pid	process
1388	EQNEDT32.EXE

description	pid	process	target process
PID 1100 set thread context of 2312	1100	wlanext.exe	wlanext.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1388	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2168 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wlanext.exewlanext.exe

pid process

1100 wlanext.exe
1100 wlanext.exe
2312 wlanext.exe
2312 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wlanext.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1100 wlanext.exe
Token: SeDebugPrivilege 2312 wlanext.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2168 EXCEL.EXE
2168 EXCEL.EXE
2168 EXCEL.EXE
2660 WINWORD.EXE
2660 WINWORD.EXE

pid	process
2168	EXCEL.EXE

pid	process
1100	wlanext.exe
1100	wlanext.exe
2312	wlanext.exe
2312	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1100	wlanext.exe
Token: SeDebugPrivilege	2312	wlanext.exe

pid	process
2168	EXCEL.EXE
2168	EXCEL.EXE
2168	EXCEL.EXE
2660	WINWORD.EXE
2660	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 1388 wrote to memory of 1100	1388	EQNEDT32.EXE	wlanext.exe
PID 1388 wrote to memory of 1100	1388	EQNEDT32.EXE	wlanext.exe
PID 1388 wrote to memory of 1100	1388	EQNEDT32.EXE	wlanext.exe
PID 1388 wrote to memory of 1100	1388	EQNEDT32.EXE	wlanext.exe
PID 2660 wrote to memory of 572	2660	WINWORD.EXE	splwow64.exe
PID 2660 wrote to memory of 572	2660	WINWORD.EXE	splwow64.exe
PID 2660 wrote to memory of 572	2660	WINWORD.EXE	splwow64.exe
PID 2660 wrote to memory of 572	2660	WINWORD.EXE	splwow64.exe
PID 1100 wrote to memory of 2320	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2320	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2320	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2320	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe
PID 1100 wrote to memory of 2312	1100	wlanext.exe	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ORDER N. F-1676.23.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:572

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
3⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{45592181-EC85-4772-A1C6-CF412168EF53}.FSD

Filesize
128KB

MD5
c65683b98b2f9d1c4694a2390533a626

SHA1
1e207bd244c56386e7eccf484d9e5fed57fe398b

SHA256
f3e7dabe02445c8042f8af4b2a8ae58dca55224882526d4b365526dd61caf664

SHA512
0f5934a7895ee688daf39a972190e478734b66ceeedcb265b69b5fce84f11bcce34761a213c12afe9447795bb38d70a7f6e4596c611d51a8f79bdc058507e8c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
4cb31df5ad1aafa3be06063f854cdf6d

SHA1
8ef9235f9fd315341222e05f7b5037a253f6d262

SHA256
075fa11a21ab9ad70ed6696fb3f237d7f41e1841ccbfa37dac3f69076eaff126

SHA512
0bf96a0433bc0b0342cff3a86417172a18d2b34661c04fe1159478d8c90b1212f9ec9d231a116ed24ea2850d364da9e701be8a586c35d4c1b2e20c9e15ab0952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F287291F-AFC2-4101-B46F-5F069003A2D2}.FSD

Filesize
128KB

MD5
797c55e956c727c22e11ed30bd5c60de

SHA1
1078c5e15b7d12d3c8510d437bbace9f25535841

SHA256
163e29773cc1f98f34312a3df9554971435137d427245671a0fece750f966d31

SHA512
4c36fb702fd7792dd40179a0cd50754e8df66e86994db9d4060d583bbf9319f8d3a4f92f2cb9f87cc176c6c7d8cd1b6047b000c2f4181d55190aa4cbee83c013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc

Filesize
59KB

MD5
43d5050828367e6acd6e91d427a3d6b0

SHA1
cafde44228fc2405f86ab6f74c95d3a646a39794

SHA256
dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592

SHA512
e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AB18606.doc

Filesize
59KB

MD5
43d5050828367e6acd6e91d427a3d6b0

SHA1
cafde44228fc2405f86ab6f74c95d3a646a39794

SHA256
dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592

SHA512
e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9420D8A8-D23C-48AA-967D-AE9FE4C7F0E4}

Filesize
128KB

MD5
9b22b186dae1f914577e05731569de27

SHA1
43905f79ca7d38c75e0a44edfe3ec86ebe6ec5e9

SHA256
7705b752c5edb2869d9159e01e65cb8b9ffac50296620a8e06b4f281d699a367

SHA512
36e4b64a5d3488f4dae16ea2774b13b67f240c35ebe185ab89bb2cb46ff44bc01a238577b0e31cbe857100d9e80ec528d0b132e1607a73df243728edacea5f56

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
memory/1100-104-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1100-105-0x0000000005C60000-0x0000000005CDA000-memory.dmp

Filesize
488KB

Download
memory/1100-119-0x000000006A450000-0x000000006AB3E000-memory.dmp

Filesize
6.9MB

Download
memory/1100-103-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/1100-96-0x0000000000E10000-0x0000000000ECA000-memory.dmp

Filesize
744KB

Download
memory/1100-98-0x000000006A450000-0x000000006AB3E000-memory.dmp

Filesize
6.9MB

Download
memory/1100-99-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1100-100-0x0000000000340000-0x0000000000358000-memory.dmp

Filesize
96KB

Download
memory/2168-101-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2168-1-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2168-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2168-8-0x0000000001E90000-0x0000000001E92000-memory.dmp

Filesize
8KB

Download
memory/2312-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-110-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-123-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2312-122-0x000000006A450000-0x000000006AB3E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-121-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2312-118-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-120-0x000000006A450000-0x000000006AB3E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-7-0x0000000003670000-0x0000000003672000-memory.dmp

Filesize
8KB

Download
memory/2660-102-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download
memory/2660-3-0x000000002FFB1000-0x000000002FFB2000-memory.dmp

Filesize
4KB

Download
memory/2660-5-0x000000007208D000-0x0000000072098000-memory.dmp

Filesize
44KB

Download