Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
06-12-2023 14:17
Static task
static1
Behavioral task
behavioral1
Sample
Orden de compra.xls
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Orden de compra.xls
Resource
win10v2004-20231127-en
General
-
Target
Orden de compra.xls
-
Size
391KB
-
MD5
84129445f6446d089445dbe993224dcd
-
SHA1
7e8ccd59f7484ca6e2701404ff8c77182cba2dce
-
SHA256
3eb49f3cd7bdc676ac5b8f46c9ff956717275b7dd7ab90fbea3e3fe3fbaae576
-
SHA512
47ebc4e589bc797896727857c91d6e6f6c3ee99b5e41cae7f4336e1fe643f6da3d436bc5edba234af31e419b82d337e03904b293b36fa3a245b1bd3cf6caadce
-
SSDEEP
6144:YDn1m9kdbaG3mU+ZKy4ij4a3DjKcUX1edr1aqizRBfqGudZFAW6ffPPXC53EE:YDOeuiqKjij4a3DjM1ehMvmFC3Xq3EE
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.elquijotebanquetes.com - Port:
21 - Username:
[email protected] - Password:
kFxADjwNBm$_
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 9 1140 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
Processes:
wlanext.exepid process 1312 wlanext.exe -
Loads dropped DLL 1 IoCs
Processes:
EQNEDT32.EXEpid process 1140 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
wlanext.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe -
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEWINWORD.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2364 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
wlanext.exepid process 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe 1312 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
wlanext.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1312 wlanext.exe Token: SeShutdownPrivilege 2592 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
EXCEL.EXEWINWORD.EXEpid process 2364 EXCEL.EXE 2364 EXCEL.EXE 2364 EXCEL.EXE 2592 WINWORD.EXE 2592 WINWORD.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEdescription pid process target process PID 1140 wrote to memory of 1312 1140 EQNEDT32.EXE wlanext.exe PID 1140 wrote to memory of 1312 1140 EQNEDT32.EXE wlanext.exe PID 1140 wrote to memory of 1312 1140 EQNEDT32.EXE wlanext.exe PID 1140 wrote to memory of 1312 1140 EQNEDT32.EXE wlanext.exe PID 2592 wrote to memory of 1436 2592 WINWORD.EXE splwow64.exe PID 2592 wrote to memory of 1436 2592 WINWORD.EXE splwow64.exe PID 2592 wrote to memory of 1436 2592 WINWORD.EXE splwow64.exe PID 2592 wrote to memory of 1436 2592 WINWORD.EXE splwow64.exe -
outlook_office_path 1 IoCs
Processes:
wlanext.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe -
outlook_win_path 1 IoCs
Processes:
wlanext.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 wlanext.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Orden de compra.xls"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2364
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1436
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Users\Admin\AppData\Roaming\wlanext.exe"C:\Users\Admin\AppData\Roaming\wlanext.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1312
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{0243CC21-DE5E-4902-A9DB-EB91E895085A}.FSD
Filesize128KB
MD5766c277b88e9d7f56a60fe54da4e33da
SHA1f890704eee36f98190e770b635a48bfb9b9b16d8
SHA256a13edb6355191809b101dfba022fab97d0f15ab5203ea162b368a98b9d71f736
SHA512553ed3b78cd0338273ca638688b8cfb2486d4b55126b6f135e8f2dfd2c13e8322f1510640a3f2ff0d8baf5007d0cabfd8f1bb2021ff8fcba8ec65d3950cd4153
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD535c468d489183b8ca699ef0fdef6db3f
SHA14be55f8aa96fe1b3c09a648ee2dcdc2a799d6730
SHA256445a39b4c5e71c894acc25e2ad5e630a2d9933361ad5f0b7bdce7d87f5a78c1c
SHA512cec4c18729d654116c077d8269419d3137da70d6547b8d5409ef449792e5d9c197304e4bd156146cbdc8cbf27f3e69b5ed2c7e1efd1629639e4278b7884586bc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5D25147D-AC87-47B0-85A3-41D553337C3A}.FSD
Filesize128KB
MD5848894b1bd23151687dbc2300e0a96a5
SHA1d093657a19ee2b8ad51305db3d37c64a40ccb403
SHA256fb11fcec89b25764bf872d041c6f04bc3957d27074deb7db1e02053d99e58228
SHA512c3ffb4e605dfa8661c5e45e37ce2a50fcbc26c6677d79bc4a0908ecd4e1fa920c9b1f5ac5af211bcd0564d252e292b7c966b36aa0b9ac1ea167480ed0d0569bb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4JLEXC6\microsoftdetecthistorycachecookieentirethingsfromthepcfordelete[1].doc
Filesize66KB
MD53257e76f6fd7ccf389feb54fd83653a3
SHA10f567d839141d2e9b0ed8c7be435ca8eb50c3727
SHA2565d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d
SHA512226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c
-
Filesize
66KB
MD53257e76f6fd7ccf389feb54fd83653a3
SHA10f567d839141d2e9b0ed8c7be435ca8eb50c3727
SHA2565d14534b002980d390f30c6b970b17a3b4b6855c817b5703cd9a87291448144d
SHA512226c6eae6d86b07d1bfbaf482c52267b63f423c5fb8474dd3b60978b116ffd90d5f6d5b38291a01afeee1d392c71d79103efd58d8d2e1870dd9c3cdd94d4664c
-
Filesize
128KB
MD57fff0c9c4b65c53ff2a83c5a164a5273
SHA1f5bf858c140554a9b1cdd0fccd39c76f4f79f276
SHA256353d6b2e3282abd623b6aaed4dddef3ce14d8a9931b419266fef10e46fec3895
SHA512072c63d0ec98ad46540b103276dd9e2dfa88f99e673957b42a6d4482e19f4e298e15628a891dfc4ba4d654a56c0b166be3a4aa7488b5bb13b93c568b33c86568
-
Filesize
20KB
MD575c0ed866daede13af07becd583c7417
SHA16be004bc0f0b0b02c74d6aa01df8f78dcc60c319
SHA256e32ae8df93b3228d3cc514e0148c0ba213f04508dd5972515a9f70288efe771a
SHA512a0a9ed22e0ee74410405bb545a60a5a3557c5bfc0694eb69a4371c3bc0cbe0d425b7a06dfc09ab10b8bc75df1ea5b3402362ff895e84d4356685412a29bf9578
-
Filesize
820KB
MD557a40721677592639d0ca88d3832a0fd
SHA15f43be424f199d8a1e7b25186abae671443bbc1b
SHA25604ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd
SHA512d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702
-
Filesize
820KB
MD557a40721677592639d0ca88d3832a0fd
SHA15f43be424f199d8a1e7b25186abae671443bbc1b
SHA25604ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd
SHA512d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702
-
Filesize
820KB
MD557a40721677592639d0ca88d3832a0fd
SHA15f43be424f199d8a1e7b25186abae671443bbc1b
SHA25604ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd
SHA512d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702
-
Filesize
820KB
MD557a40721677592639d0ca88d3832a0fd
SHA15f43be424f199d8a1e7b25186abae671443bbc1b
SHA25604ab3a8869e6e4f1b8622e8ed8fe28d4a47c3a37b5ec1af7aebfd4302ec4f2bd
SHA512d5ac8848eed7c513044dd90becd89129196b4494e585653c274a4c567307438d1a83a19e339cea2ecd2161e7e753ebaeb35e192fb51dfb26daf689b797f97702