agenttesla | 24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac

Analysis

max time kernel
144s
max time network
133s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
06-12-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls
Size

392KB
MD5

1cd369286752c3d016b8ce3d59f43e66
SHA1

ee6222b823a92cae26f04351509a1254556508c0
SHA256

24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac
SHA512

9e875bf7a628faa32846a68d0f699601c31ac8fd66d906d8ba72b70d56ef4d376cb569c0afca1e5ba7eb8972df318d17cbb6393105a4e0c965d356350862b7b2
SSDEEP

6144:un1m9kdb/Gt8b++UXaBkMOQGeg20HYacK4vPLJJhZrRIh1EBb:uOeLlS5aave4HtcK8A/EB

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6670271579:AAHln7Op0JjSMa92pjMiSLRC0uIRAw3DqMQ/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 1440 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

wlanext.exewlanext.exe

pid process

1832 wlanext.exe
540 wlanext.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1440 EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

wlanext.exe

description pid process target process

PID 1832 set thread context of 540 1832 wlanext.exe wlanext.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1440 EQNEDT32.EXE

flow	pid	process
9	1440	EQNEDT32.EXE

pid	process
1440	EQNEDT32.EXE

description	pid	process	target process
PID 1832 set thread context of 540	1832	wlanext.exe	wlanext.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1440	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1820 EXCEL.EXE

pid	process
1820	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

wlanext.exewlanext.exe

pid	process
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
1832	wlanext.exe
540	wlanext.exe
540	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wlanext.exewlanext.exe

description pid process

Token: SeDebugPrivilege 1832 wlanext.exe
Token: SeDebugPrivilege 540 wlanext.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1820 EXCEL.EXE
1820 EXCEL.EXE
1820 EXCEL.EXE
2992 WINWORD.EXE
2992 WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	1832	wlanext.exe
Token: SeDebugPrivilege	540	wlanext.exe

pid	process
1820	EXCEL.EXE
1820	EXCEL.EXE
1820	EXCEL.EXE
2992	WINWORD.EXE
2992	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwlanext.exe

description	pid	process	target process
PID 1440 wrote to memory of 1832	1440	EQNEDT32.EXE	wlanext.exe
PID 1440 wrote to memory of 1832	1440	EQNEDT32.EXE	wlanext.exe
PID 1440 wrote to memory of 1832	1440	EQNEDT32.EXE	wlanext.exe
PID 1440 wrote to memory of 1832	1440	EQNEDT32.EXE	wlanext.exe
PID 2992 wrote to memory of 1524	2992	WINWORD.EXE	splwow64.exe
PID 2992 wrote to memory of 1524	2992	WINWORD.EXE	splwow64.exe
PID 2992 wrote to memory of 1524	2992	WINWORD.EXE	splwow64.exe
PID 2992 wrote to memory of 1524	2992	WINWORD.EXE	splwow64.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe
PID 1832 wrote to memory of 540	1832	wlanext.exe	wlanext.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\24c228df7c2e025c2db64ebdc6d5824425f3179f228145866bd55700cf7e05ac.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1524

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Roaming\wlanext.exe
"C:\Users\Admin\AppData\Roaming\wlanext.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{89533E10-54A4-4477-AF9F-ACC421FE008B}.FSD

Filesize
128KB

MD5
61e0422939c62d38635012e14b97f382

SHA1
12df73aa9d8521bd1b83218a02f5c896d0b47a33

SHA256
432df6eaa0b4119e1dd6f6bce7692fe5a07636b60f1c7e74365ab5280109717e

SHA512
063883f66d6f8df57874dba795174a8d20104aae46c8878fe40e6ffe390c9bd5384155c72c52335677aeb968bba9efb5f539087e1a7ccbddee00126fedb2d021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
f41a2f449902725a3a48bc10e71be609

SHA1
0348a133421060433d8a86a9981809d20fdbf781

SHA256
a94acd10099004225b2dcc254343a5919a578336fe983a0ae75f972bb867e0ca

SHA512
c8abe8959bc1fc0766629bc15e0cf51cf06addba0c58de202fd0658af40de19fbfc7604b75e1e8c0c74083330540171b0017a1c881112fde36cc24ed5bccb7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{09F9C9F6-251A-4CB8-9EEC-15483FBFD3EC}.FSD

Filesize
128KB

MD5
e88e1a2841bb47fa969b31bff4b5fb9d

SHA1
75c9f4e861a1a9c67dd030db9a89755b81795e1e

SHA256
4ac028c98ffea5f168f5f0cd2ac3ab1e20954e43cd4589279bdbce5e89f375a9

SHA512
8620a84ecbba91b376b2a0a04d7436b7f6599dae22fd11e30b0182dd4c443d265e99b62c5a4abd23fdab40c3bd2bb698366041b70069f4e754f237fc97e013db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\91FD33MK\microsofdecidedtodeleteentirehistorycookiecachefrommypc[1].doc

Filesize
50KB

MD5
5451b82c9d7e98c077b8dc1f667f5b19

SHA1
5788704528823c1988964a8af9c2056dd42f787b

SHA256
1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75

SHA512
5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BED5CF1E.doc

Filesize
50KB

MD5
5451b82c9d7e98c077b8dc1f667f5b19

SHA1
5788704528823c1988964a8af9c2056dd42f787b

SHA256
1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75

SHA512
5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9F23AC5F-C748-4609-914F-1BD19A186F43}

Filesize
128KB

MD5
57cb8ab7d06d5bdf70fa37a089c14843

SHA1
b53aca2ceea6c402d2cd419f91b20e87e454c0c3

SHA256
df1bb22484243103082d8d6b38b9ce005a8d73f188eaca87ea47e58371e1ed50

SHA512
332c488105f980640e038e16f82ed46ab1995dd00e992e676c9688d86eeca2db60ebd396e495939318d82378bccc3d64c02b3a2f8970b41dd3bbf211ac5e08da

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
799KB

MD5
b488be4699206f2c9c43c007f190816f

SHA1
ff4b89f08a7c8ce0a87e504719389c0e8278675e

SHA256
d51abb49a25ea3dafda19148108c3326fc41fa2a1dff88aed615fa9027b2b972

SHA512
d152bd6cf2eb514bc3faf83219e719283ef98b99d3c0648a79bac588869e7254c3dc697829d8a996690ac3421058f423bde7560cd254effe393ff944f62a5ee7

Download Submit
memory/540-120-0x0000000069FF0000-0x000000006A6DE000-memory.dmp

Filesize
6.9MB

Download
memory/540-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-123-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/540-122-0x0000000069FF0000-0x000000006A6DE000-memory.dmp

Filesize
6.9MB

Download
memory/540-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-111-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/540-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-121-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/1820-1-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/1820-101-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/1820-8-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/1820-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-99-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/1832-106-0x0000000069FF0000-0x000000006A6DE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-119-0x0000000069FF0000-0x000000006A6DE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-105-0x00000000052F0000-0x000000000536A000-memory.dmp

Filesize
488KB

Download
memory/1832-103-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/1832-102-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1832-100-0x0000000000520000-0x0000000000538000-memory.dmp

Filesize
96KB

Download
memory/1832-97-0x0000000069FF0000-0x000000006A6DE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-91-0x0000000000FD0000-0x000000000109E000-memory.dmp

Filesize
824KB

Download
memory/2992-104-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/2992-3-0x000000002F221000-0x000000002F222000-memory.dmp

Filesize
4KB

Download
memory/2992-5-0x00000000722DD000-0x00000000722E8000-memory.dmp

Filesize
44KB

Download
memory/2992-7-0x0000000003700000-0x0000000003702000-memory.dmp

Filesize
8KB

Download