agenttesla | 2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls
Size

390KB
MD5

13b206b3e79a9d04ff497d128c01df53
SHA1

2e17982b433c9e32f25a5fec1707e573563c594f
SHA256

2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1
SHA512

5af0ed9d1dc21e373a269377fb98e693aab1cc88e5528148e91f885195ada6289a1c3cbad965fb52da6c4b7955ac5770017f8e5a156960de971d28ebe172fcb8
SSDEEP

6144:Nn1m9kdb/Gt8b++UXaVXKv6FW2LN6rKTbLfqmYJEgTy:NOeLlS5aVXKv6FhzbLfv2EgTy

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6670271579:AAHln7Op0JjSMa92pjMiSLRC0uIRAw3DqMQ/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

11 2748 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wlanext.exewlanext.exe

pid process

2596 wlanext.exe
2384 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

2748 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 2596 set thread context of 2384 2596 wlanext.exe wlanext.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2748 EQNEDT32.EXE

flow	pid	process
11	2748	EQNEDT32.EXE

pid	process
2748	EQNEDT32.EXE

description	pid	process	target process
PID 2596 set thread context of 2384	2596	wlanext.exe	wlanext.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2748	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2312 EXCEL.EXE

pid	process
2312	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

wlanext.exewlanext.exe

pid	process
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2596	wlanext.exe
2384	wlanext.exe
2384	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wlanext.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2596 wlanext.exe
Token: SeDebugPrivilege 2384 wlanext.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2312 EXCEL.EXE
2312 EXCEL.EXE
2312 EXCEL.EXE
2772 WINWORD.EXE
2772 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2596	wlanext.exe
Token: SeDebugPrivilege	2384	wlanext.exe

pid	process
2312	EXCEL.EXE
2312	EXCEL.EXE
2312	EXCEL.EXE
2772	WINWORD.EXE
2772	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 2748 wrote to memory of 2596	2748	EQNEDT32.EXE	wlanext.exe
PID 2748 wrote to memory of 2596	2748	EQNEDT32.EXE	wlanext.exe
PID 2748 wrote to memory of 2596	2748	EQNEDT32.EXE	wlanext.exe
PID 2748 wrote to memory of 2596	2748	EQNEDT32.EXE	wlanext.exe
PID 2772 wrote to memory of 2880	2772	WINWORD.EXE	splwow64.exe
PID 2772 wrote to memory of 2880	2772	WINWORD.EXE	splwow64.exe
PID 2772 wrote to memory of 2880	2772	WINWORD.EXE	splwow64.exe
PID 2772 wrote to memory of 2880	2772	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe
PID 2596 wrote to memory of 2384	2596	wlanext.exe	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2880

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B5E038FD-0C9D-41E0-8DAF-E64C03A9E0EC}.FSD

Filesize
128KB

MD5
bb7b95d3691d3e851f10a00bb86c00e2

SHA1
95d74e4e5dba4fc5a07a5520f00455fbd0cb2958

SHA256
a624fee74145f42ace1cce9204da11124d1e0e6f8d0eb0dd92b7aa1c8631124b

SHA512
2083a5a4e9d35a42e4919639c565e6ad786b46e6241e8f09e38e083e740b903d8b1ee75b282b09117f9b91a6ab9f94600d3a2252c2f638c506cb51af0d38e8dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
e2ce0e12e96dc9e5820d03e23ed1215f

SHA1
deca78206e38ae15a9f98d9c789885799969fcd7

SHA256
eddbaa10fc11fed49c07862eac34ef7a027de66cd5f116c6eca76f26cc31b954

SHA512
a753dd258de9e1b79e6624ba39642b18ab0772a498b5e6d84218a2b33fb061a7ad7a9f48f5e8dc1be8496162d51e4d9c109c3872816e798264b72707e7a3f7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2eaca41367c61357f83607026b101502

SHA1
32d1e274fbeb59fae37176e0acc0d43824df3e55

SHA256
1cfa512b0020f128d6abea6a3ab495aabef3cf84e852e2524e8977e30725496f

SHA512
2426c8ca09ec04147244d3886a56982a382f9e8e341b7f522d02ebacfc9da19003e1715dbca97acd4d912cd08a046305f3d68ccb539af44af8347013ea1c75c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{65B6AB7F-2148-43E9-AB2F-C060F67DCDDB}.FSD

Filesize
128KB

MD5
d5c800a9a05d17139be7145c56988d3d

SHA1
6f5399f85e6714d666b8070d0d6abbecb0198575

SHA256
7486d4b7436c4ac66de0b4627d6857a2a775dcb3eb871b4a3bbef9ab9f874d24

SHA512
ebb95b6376394d9c1fc55c1504fe42ca664f9f2f0ce2110e01b405f44118cd24367808c01f3deb189bb7e57563107b6d2ef7c428b1ef78b78a9ae5f9ee082187

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\microsofdecidedtodeleteentirehistorycookiecachefrommypc[1].doc

Filesize
50KB

MD5
5451b82c9d7e98c077b8dc1f667f5b19

SHA1
5788704528823c1988964a8af9c2056dd42f787b

SHA256
1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75

SHA512
5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\73FE2EB.doc

Filesize
50KB

MD5
5451b82c9d7e98c077b8dc1f667f5b19

SHA1
5788704528823c1988964a8af9c2056dd42f787b

SHA256
1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75

SHA512
5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\{649A1651-ED22-4BBB-AA65-E148EE2F7BB0}

Filesize
128KB

MD5
99a108078bd1f2ca5689a29df9631d9f

SHA1
c7e86bd6e5707db99106eacde20ed5e826205a8e

SHA256
994468f2b81fed187c9b8d6b43a4df1ac9bc87d1df3557272d3d0ff6191ec421

SHA512
18ab712bbcbaa2b7ec61c7cbd775b37faa1f513822a23794d8312e5b5bca51abbd00adcaab040894e2d9f440d936d5c5343a6fe08790cf12311ba338552b659c

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
memory/2312-9-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/2312-102-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/2312-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2312-1-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/2384-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-125-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2384-124-0x000000006A580000-0x000000006AC6E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-123-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2384-122-0x000000006A580000-0x000000006AC6E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2384-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-104-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2596-108-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2596-99-0x000000006A580000-0x000000006AC6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-106-0x0000000005150000-0x00000000051CA000-memory.dmp

Filesize
488KB

Download
memory/2596-105-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2596-100-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2596-107-0x000000006A580000-0x000000006AC6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-97-0x00000000000B0000-0x000000000017E000-memory.dmp

Filesize
824KB

Download
memory/2596-121-0x000000006A580000-0x000000006AC6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-101-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/2772-103-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download
memory/2772-8-0x0000000003660000-0x0000000003662000-memory.dmp

Filesize
8KB

Download
memory/2772-4-0x000000002F131000-0x000000002F132000-memory.dmp

Filesize
4KB

Download
memory/2772-6-0x00000000721BD000-0x00000000721C8000-memory.dmp

Filesize
44KB

Download