agenttesla | ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-12-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDERN.F1676.23.xls
Size

392KB
MD5

3408974acb99e7eb86e75d116d3cbe08
SHA1

1d4e5df1f326f6239038b4631d3041f8c8bce8b0
SHA256

ba24230fc982ae4d2ef597abf179e4cdebce6cbed76ea929a636821309d1e29f
SHA512

40c04a8e8c0232fefb623bd845597f30f0cca6ba34fe041a22d14234efe55a25b1d1ad4b9ef753fe641ff293477ff943443256bee2c00b8c2a51062dab6db2d6
SSDEEP

6144:Gn1m9kdbvPpeZkVl3S4qQygZpuUXyRcVlgTf+0W8r8NR/+zTlsvsgYtZlTTDyrh:GOeLtni5XgZTyqVGruU5lTSrh

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.abi0expertise.com
Port:
587
Username:
[email protected]
Password:
Najwa1949!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 1736 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wlanext.exewlanext.exe

pid process

1980 wlanext.exe
1544 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1736 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 1980 set thread context of 1544 1980 wlanext.exe wlanext.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1736 EQNEDT32.EXE

flow	pid	process
9	1736	EQNEDT32.EXE

pid	process
1980	wlanext.exe
1544	wlanext.exe

pid	process
1736	EQNEDT32.EXE

description	pid	process	target process
PID 1980 set thread context of 1544	1980	wlanext.exe	wlanext.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1736	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1956 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wlanext.exe

pid process

1544 wlanext.exe
1544 wlanext.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wlanext.exe

description pid process

Token: SeDebugPrivilege 1544 wlanext.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1956 EXCEL.EXE
1956 EXCEL.EXE
1956 EXCEL.EXE
2136 WINWORD.EXE
2136 WINWORD.EXE

pid	process
1956	EXCEL.EXE

pid	process
1544	wlanext.exe
1544	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	1544	wlanext.exe

pid	process
1956	EXCEL.EXE
1956	EXCEL.EXE
1956	EXCEL.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 1736 wrote to memory of 1980	1736	EQNEDT32.EXE	wlanext.exe
PID 1736 wrote to memory of 1980	1736	EQNEDT32.EXE	wlanext.exe
PID 1736 wrote to memory of 1980	1736	EQNEDT32.EXE	wlanext.exe
PID 1736 wrote to memory of 1980	1736	EQNEDT32.EXE	wlanext.exe
PID 2136 wrote to memory of 548	2136	WINWORD.EXE	splwow64.exe
PID 2136 wrote to memory of 548	2136	WINWORD.EXE	splwow64.exe
PID 2136 wrote to memory of 548	2136	WINWORD.EXE	splwow64.exe
PID 2136 wrote to memory of 548	2136	WINWORD.EXE	splwow64.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe
PID 1980 wrote to memory of 1544	1980	wlanext.exe	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:548

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{372825FB-7856-4D92-96F9-6B1FE1EDE9AB}.FSD

Filesize
128KB

MD5
8e7e6ff2074e2786a4d4d054e13e02cc

SHA1
122c27fa1a351ab5cb36da6046865cfc3e82765f

SHA256
47594323e7a65605cda40b6d80cce3cbf343effee7252cce5e1e7d7f791d7389

SHA512
2a282e259d7337410a7a1279021330ddb3fff5f6b44d0b88223bab6ce441a85dc1fa88042b6042284f1e6c32df049ce4e89b5368b7f0efe5f7708d20186797f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
75083d43e3463be1ab8d97d1fb8a0657

SHA1
3788f910a15780a892cdef8a1121b7d2587cab5d

SHA256
664358aa7d3011dab96934c3aa6cc841598bccda7b5d39e9889d45db059f1c0f

SHA512
895c0ca0e55d063d74c112bdeddf6d7481824596a3ee8c3e025a472ee970131ca0c5be1d57647f61cb117f9d1ff2a476fbeb09793084aba8269734968b5277cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DB6DD37F-ADC3-41A0-BD77-90932AB218C1}.FSD

Filesize
128KB

MD5
a57c2f57a07e360a62df0efd9ca02d1b

SHA1
d8856c3a42c7d38679737e7928d05875a5aff590

SHA256
bb58dab4524581653ec7eb8c818c74c7fe7a3c137bfbba4e8b239be5d883dd75

SHA512
74a4a796c7e65439b3d23ca9acdc43f863fdee7ecd49182aec0c6d194a6f8473ee1fa1814856f2ae3edaafd17603adcdc25b151644cb38386e522753c58ed487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQGVC737\microsoftwantedtodeletentirehistorycookiecatchfromthepc[1].doc

Filesize
59KB

MD5
43d5050828367e6acd6e91d427a3d6b0

SHA1
cafde44228fc2405f86ab6f74c95d3a646a39794

SHA256
dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592

SHA512
e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C08EC2DA.doc

Filesize
59KB

MD5
43d5050828367e6acd6e91d427a3d6b0

SHA1
cafde44228fc2405f86ab6f74c95d3a646a39794

SHA256
dfc414c8615ead5e2c41955aeeaad2369074c489f96a7b45becc668d647ea592

SHA512
e2beb21694b8c4999c059cd74af4c05096fd94aae936acbad1aab78d22d569797bd9fac173a9cf59e509d39fb38fb392a67f14dfd63addcc0c44d68861b8b3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A359A79B-A3FA-4131-A07E-3BDCE9DBFF85}

Filesize
128KB

MD5
cb66f590cdeac09f1816a8e9bd216321

SHA1
8bdd7e83afbdbcca1c8a1c5424f73347372ea782

SHA256
145fa958ca1b175bb9d88b5deb63cf1f65b7f619c8753eb6980041850c2d7cf2

SHA512
88dd34f6c62b141ab0c3f0ac6a9fa4c6f3625387dc0e93da296066ced962ab9b7acebb89ee2e9e03d24a16d7e1522edf21f3537e0b78d7d7c302e13bc51a759c

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
721KB

MD5
9693b790d2e6a6a57a00d77d1d118073

SHA1
1aafdddba11f2747b013de3ac8ff581470318b52

SHA256
f49b665e011ce87a1e9bd296cc8010c4976d1592e76b4daeaec91a1b6437ea8f

SHA512
d609f2d4f8971616546360c6066a1714d7fc73db2b58ef98b864721d6cdf1483b1a8b881794f620079ff485575aa668f1adc6ad3d5fcccf4360784f60ea05d31

Download Submit
memory/1544-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1544-123-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/1544-122-0x000000006A4E0000-0x000000006ABCE000-memory.dmp

Filesize
6.9MB

Download
memory/1544-121-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/1544-120-0x000000006A4E0000-0x000000006ABCE000-memory.dmp

Filesize
6.9MB

Download
memory/1544-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-117-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-8-0x00000000023D0000-0x00000000023D2000-memory.dmp

Filesize
8KB

Download
memory/1956-1-0x0000000072D5D000-0x0000000072D68000-memory.dmp

Filesize
44KB

Download
memory/1956-101-0x0000000072D5D000-0x0000000072D68000-memory.dmp

Filesize
44KB

Download
memory/1956-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-99-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1980-105-0x0000000005CA0000-0x0000000005D1A000-memory.dmp

Filesize
488KB

Download
memory/1980-104-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/1980-103-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/1980-116-0x000000006B0B0000-0x000000006B79E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-100-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/1980-98-0x000000006B0B0000-0x000000006B79E000-memory.dmp

Filesize
6.9MB

Download
memory/1980-96-0x0000000000DD0000-0x0000000000E8A000-memory.dmp

Filesize
744KB

Download
memory/2136-102-0x0000000072D5D000-0x0000000072D68000-memory.dmp

Filesize
44KB

Download
memory/2136-3-0x000000002F831000-0x000000002F832000-memory.dmp

Filesize
4KB

Download
memory/2136-5-0x0000000072D5D000-0x0000000072D68000-memory.dmp

Filesize
44KB

Download
memory/2136-7-0x00000000023C0000-0x00000000023C2000-memory.dmp

Filesize
8KB

Download