agenttesla | 3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orden de compra.xls
Size

391KB
MD5

84129445f6446d089445dbe993224dcd
SHA1

7e8ccd59f7484ca6e2701404ff8c77182cba2dce
SHA256

3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576
SHA512

47ebc4e589bc797896727857c91d6e6f6c3ee99b5e41cae7f4336e1fe643f6da3d436bc5edba234af31e419b82d337e03904b293b36fa3a245b1bd3cf6caadce
SSDEEP

6144:YDn1m9kdbaG3mU+ZKy4ij4a3DjKcUX1edr1aqizRBfqGudZFAW6ffPPXC53EE:YDOeuiqKjij4a3DjM1ehMvmFC3Xq3EE

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
kFxADjwNBm$_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 1140 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

wlanext.exe

pid process

1312 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1140 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
9	1140	EQNEDT32.EXE

pid	process
1140	EQNEDT32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1140 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1140	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2364 EXCEL.EXE

pid	process
2364	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wlanext.exe

pid	process
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe
1312	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wlanext.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1312 wlanext.exe
Token: SeShutdownPrivilege 2592 WINWORD.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2364 EXCEL.EXE
2364 EXCEL.EXE
2364 EXCEL.EXE
2592 WINWORD.EXE
2592 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1312	wlanext.exe
Token: SeShutdownPrivilege	2592	WINWORD.EXE

pid	process
2364	EXCEL.EXE
2364	EXCEL.EXE
2364	EXCEL.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXE

description	pid	process	target process
PID 1140 wrote to memory of 1312	1140	EQNEDT32.EXE	wlanext.exe
PID 1140 wrote to memory of 1312	1140	EQNEDT32.EXE	wlanext.exe
PID 1140 wrote to memory of 1312	1140	EQNEDT32.EXE	wlanext.exe
PID 1140 wrote to memory of 1312	1140	EQNEDT32.EXE	wlanext.exe
PID 2592 wrote to memory of 1436	2592	WINWORD.EXE	splwow64.exe
PID 2592 wrote to memory of 1436	2592	WINWORD.EXE	splwow64.exe
PID 2592 wrote to memory of 1436	2592	WINWORD.EXE	splwow64.exe
PID 2592 wrote to memory of 1436	2592	WINWORD.EXE	splwow64.exe

outlook_office_path 1 IoCs

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

outlook_win_path 1 IoCs

Processes:

wlanext.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1436

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0243CC21-DE5E-4902-A9DB-EB91E895085A}.FSD

Filesize
128KB

MD5
766c277b88e9d7f56a60fe54da4e33da

SHA1
f890704eee36f98190e770b635a48bfb9b9b16d8

SHA256
a13edb6355191809b101dfba022fab97d0f15ab5203ea162b368a98b9d71f736

SHA512
553ed3b78cd0338273ca638688b8cfb2486d4b55126b6f135e8f2dfd2c13e8322f1510640a3f2ff0d8baf5007d0cabfd8f1bb2021ff8fcba8ec65d3950cd4153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
35c468d489183b8ca699ef0fdef6db3f

SHA1
4be55f8aa96fe1b3c09a648ee2dcdc2a799d6730

SHA256
445a39b4c5e71c894acc25e2ad5e630a2d9933361ad5f0b7bdce7d87f5a78c1c

SHA512
cec4c18729d654116c077d8269419d3137da70d6547b8d5409ef449792e5d9c197304e4bd156146cbdc8cbf27f3e69b5ed2c7e1efd1629639e4278b7884586bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5D25147D-AC87-47B0-85A3-41D553337C3A}.FSD

Filesize
128KB

MD5
848894b1bd23151687dbc2300e0a96a5

SHA1
d093657a19ee2b8ad51305db3d37c64a40ccb403

SHA256
fb11fcec89b25764bf872d041c6f04bc3957d27074deb7db1e02053d99e58228

SHA512
c3ffb4e605dfa8661c5e45e37ce2a50fcbc26c6677d79bc4a0908ecd4e1fa920c9b1f5ac5af211bcd0564d252e292b7c966b36aa0b9ac1ea167480ed0d0569bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4JLEXC6\microsoftdetecthistorycachecookieentirethingsfromthepcfordelete[1].doc

Filesize
66KB

MD5
3257e76f6fd7ccf389feb54fd83653a3

SHA1
0f567d839141d2e9b0ed8c7be435ca8eb50c3727

SHA256
5d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d

SHA512
226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E4E9C8B.doc

Filesize
66KB

MD5
3257e76f6fd7ccf389feb54fd83653a3

SHA1
0f567d839141d2e9b0ed8c7be435ca8eb50c3727

SHA256
5d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d

SHA512
226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D505C8EA-5972-4F89-B062-34658BF86898}

Filesize
128KB

MD5
7fff0c9c4b65c53ff2a83c5a164a5273

SHA1
f5bf858c140554a9b1cdd0fccd39c76f4f79f276

SHA256
353d6b2e3282abd623b6aaed4dddef3ce14d8a9931b419266fef10e46fec3895

SHA512
072c63d0ec98ad46540b103276dd9e2dfa88f99e673957b42a6d4482e19f4e298e15628a891dfc4ba4d654a56c0b166be3a4aa7488b5bb13b93c568b33c86568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
75c0ed866daede13af07becd583c7417

SHA1
6be004bc0f0b0b02c74d6aa01df8f78dcc60c319

SHA256
e32ae8df93b3228d3cc514e0148c0ba213f04508dd5972515a9f70288efe771a

SHA512
a0a9ed22e0ee74410405bb545a60a5a3557c5bfc0694eb69a4371c3bc0cbe0d425b7a06dfc09ab10b8bc75df1ea5b3402362ff895e84d4356685412a29bf9578

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
820KB

MD5
57a40721677592639d0ca88d3832a0fd

SHA1
5f43be424f199d8a1e7b25186abae671443bbc1b

SHA256
04ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd

SHA512
d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
820KB

MD5
57a40721677592639d0ca88d3832a0fd

SHA1
5f43be424f199d8a1e7b25186abae671443bbc1b

SHA256
04ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd

SHA512
d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
820KB

MD5
57a40721677592639d0ca88d3832a0fd

SHA1
5f43be424f199d8a1e7b25186abae671443bbc1b

SHA256
04ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd

SHA512
d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
820KB

MD5
57a40721677592639d0ca88d3832a0fd

SHA1
5f43be424f199d8a1e7b25186abae671443bbc1b

SHA256
04ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd

SHA512
d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702

Download Submit
memory/1312-97-0x000000006A990000-0x000000006B07E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-103-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/1312-108-0x0000000007490000-0x00000000074D0000-memory.dmp

Filesize
256KB

Download
memory/1312-107-0x000000006A990000-0x000000006B07E000-memory.dmp

Filesize
6.9MB

Download
memory/1312-106-0x0000000004270000-0x00000000042B2000-memory.dmp

Filesize
264KB

Download
memory/1312-104-0x0000000007B90000-0x0000000007C0C000-memory.dmp

Filesize
496KB

Download
memory/1312-96-0x00000000008C0000-0x0000000000994000-memory.dmp

Filesize
848KB

Download
memory/1312-99-0x0000000007490000-0x00000000074D0000-memory.dmp

Filesize
256KB

Download
memory/1312-100-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/1312-102-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2364-101-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/2364-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2364-8-0x0000000002400000-0x0000000002402000-memory.dmp

Filesize
8KB

Download
memory/2364-1-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/2364-135-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/2592-7-0x0000000003600000-0x0000000003602000-memory.dmp

Filesize
8KB

Download
memory/2592-105-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/2592-3-0x000000002FB71000-0x000000002FB72000-memory.dmp

Filesize
4KB

Download
memory/2592-5-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download
memory/2592-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2592-132-0x000000007258D000-0x0000000072598000-memory.dmp

Filesize
44KB

Download