Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 16:58
Static task
static1
Behavioral task
behavioral1
Sample
ORDERN.F1676.23.xls
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
ORDERN.F1676.23.xls
Resource
win10v2004-20231127-en
General
-
Target
ORDERN.F1676.23.xls
-
Size
392KB
-
MD5
3408974acb99e7eb86e75d116d3cbe08
-
SHA1
1d4e5df1f326f6239038b4631d3041f8c8bce8b0
-
SHA256
ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
-
SHA512
40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
-
SSDEEP
6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.abi0expertise.com - Port:
587 - Username:
[email protected] - Password:
Najwa1949! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 9 1736 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
Processes:
wlanext.exewlanext.exepid process 1980 wlanext.exe 1544 wlanext.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1736 EQNEDT32.EXE -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
wlanext.exedescription pid process target process PID 1980 set thread context of 1544 1980 wlanext.exe wlanext.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1956 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
wlanext.exepid process 1544 wlanext.exe 1544 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wlanext.exedescription pid process Token: SeDebugPrivilege 1544 wlanext.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 1956 EXCEL.EXE 1956 EXCEL.EXE 1956 EXCEL.EXE 2136 WINWORD.EXE 2136 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEwlanext.exedescription pid process target process PID 1736 wrote to memory of 1980 1736 EQNEDT32.EXE wlanext.exe PID 1736 wrote to memory of 1980 1736 EQNEDT32.EXE wlanext.exe PID 1736 wrote to memory of 1980 1736 EQNEDT32.EXE wlanext.exe PID 1736 wrote to memory of 1980 1736 EQNEDT32.EXE wlanext.exe PID 2136 wrote to memory of 548 2136 WINWORD.EXE splwow64.exe PID 2136 wrote to memory of 548 2136 WINWORD.EXE splwow64.exe PID 2136 wrote to memory of 548 2136 WINWORD.EXE splwow64.exe PID 2136 wrote to memory of 548 2136 WINWORD.EXE splwow64.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe PID 1980 wrote to memory of 1544 1980 wlanext.exe wlanext.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.xls1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1956
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:548
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{372825FB-7856-4D92-96F9-6B1FE1EDE9AB}.FSD
Filesize128KB
MD58e7e6ff2074e2786a4d4d054e13e02cc
SHA1122c27fa1a351ab5cb36da6046865cfc3e82765f
SHA25647594323e7a65605cda40b6d80cce3cbf343effee7252cce5e1e7d7f791d7389
SHA5122a282e259d7337410a7a1279021330ddb3fff5f6b44d0b88223bab6ce441a85dc1fa88042b6042284f1e6c32df049ce4e89b5368b7f0efe5f7708d20186797f9
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD575083d43e3463be1ab8d97d1fb8a0657
SHA13788f910a15780a892cdef8a1121b7d2587cab5d
SHA256664358aa7d3011dab96934c3aa6cc841598bccda7b5d39e9889d45db059f1c0f
SHA512895c0ca0e55d063d74c112bdeddf6d7481824596a3ee8c3e025a472ee970131ca0c5be1d57647f61cb117f9d1ff2a476fbeb09793084aba8269734968b5277cb
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DB6DD37F-ADC3-41A0-BD77-90932AB218C1}.FSD
Filesize128KB
MD5a57c2f57a07e360a62df0efd9ca02d1b
SHA1d8856c3a42c7d38679737e7928d05875a5aff590
SHA256bb58dab4524581653ec7eb8c818c74c7fe7a3c137bfbba4e8b239be5d883dd75
SHA51274a4a796c7e65439b3d23ca9acdc43f863fdee7ecd49182aec0c6d194a6f8473ee1fa1814856f2ae3edaafd17603adcdc25b151644cb38386e522753c58ed487
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc
Filesize59KB
MD543d5050828367e6acd6e91d427a3d6b0
SHA1cafde44228fc2405f86ab6f74c95d3a646a39794
SHA256dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592
SHA512e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4
-
Filesize
59KB
MD543d5050828367e6acd6e91d427a3d6b0
SHA1cafde44228fc2405f86ab6f74c95d3a646a39794
SHA256dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592
SHA512e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4
-
Filesize
128KB
MD5cb66f590cdeac09f1816a8e9bd216321
SHA18bdd7e83afbdbcca1c8a1c5424f73347372ea782
SHA256145fa958ca1b175bb9d88b5deb63cf1f65b7f619c8753eb6980041850c2d7cf2
SHA51288dd34f6c62b141ab0c3f0ac6a9fa4c6f3625387dc0e93da296066ced962ab9b7acebb89ee2e9e03d24a16d7e1522edf21f3537e0b78d7d7c302e13bc51a759c
-
Filesize
721KB
MD59693b790d2e6a6a57a00d77d1d118073
SHA11aafdddba11f2747b013de3ac8ff581470318b52
SHA256f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f
SHA512d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31
-
Filesize
721KB
MD59693b790d2e6a6a57a00d77d1d118073
SHA11aafdddba11f2747b013de3ac8ff581470318b52
SHA256f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f
SHA512d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31
-
Filesize
721KB
MD59693b790d2e6a6a57a00d77d1d118073
SHA11aafdddba11f2747b013de3ac8ff581470318b52
SHA256f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f
SHA512d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31
-
Filesize
721KB
MD59693b790d2e6a6a57a00d77d1d118073
SHA11aafdddba11f2747b013de3ac8ff581470318b52
SHA256f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f
SHA512d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31
-
Filesize
721KB
MD59693b790d2e6a6a57a00d77d1d118073
SHA11aafdddba11f2747b013de3ac8ff581470318b52
SHA256f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f
SHA512d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31