agenttesla | aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f.docx
Size

16KB
MD5

b5b884c10723261ef25cc10db807eb8b
SHA1

5f89a7039838e52bb5e440d7b51b2635802dcc02
SHA256

aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f
SHA512

20ef9f8553e7cb2af0497c22b82084519dd7ad1ffb13100efc7900797aaa190ba1b3abb3e9a0ec6bad3eb8bd71bdb061f8d4c107565746948260e0967a4c9c7f
SSDEEP

384:uyXrVqFWus8PL8wi4OEwH8TIbE91r2fRGJYJvimP49eb:ucrOJ5P3DOqnYJQEvTP49G

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.turathmall-ksa.com
Port:
587
Username:
[email protected]
Password:
Julliannah123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

9 2636 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 2 IoCs

Processes:

mmtrade56539.exemmtrade56539.exe

pid process

2684 mmtrade56539.exe
2868 mmtrade56539.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

2636 EQNEDT32.EXE
2636 EQNEDT32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
9	2636	EQNEDT32.EXE

pid	process
2684	mmtrade56539.exe
2868	mmtrade56539.exe

pid	process
2636	EQNEDT32.EXE
2636	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mmtrade56539.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\SguRK = "C:\\Users\\Admin\\AppData\\Roaming\\SguRK\\SguRK.exe"	mmtrade56539.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mmtrade56539.exe

description pid process target process

PID 2684 set thread context of 2868 2684 mmtrade56539.exe mmtrade56539.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2636 EQNEDT32.EXE

description	pid	process	target process
PID 2684 set thread context of 2868	2684	mmtrade56539.exe	mmtrade56539.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2636	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1428 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mmtrade56539.exe

pid process

2868 mmtrade56539.exe
2868 mmtrade56539.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mmtrade56539.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 2868 mmtrade56539.exe
Token: SeShutdownPrivilege 1428 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEmmtrade56539.exe

pid process

1428 WINWORD.EXE
1428 WINWORD.EXE
2868 mmtrade56539.exe

pid	process
1428	WINWORD.EXE

pid	process
2868	mmtrade56539.exe
2868	mmtrade56539.exe

description	pid	process
Token: SeDebugPrivilege	2868	mmtrade56539.exe
Token: SeShutdownPrivilege	1428	WINWORD.EXE

pid	process
1428	WINWORD.EXE
1428	WINWORD.EXE
2868	mmtrade56539.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEmmtrade56539.exeWINWORD.EXE

description	pid	process	target process
PID 2636 wrote to memory of 2684	2636	EQNEDT32.EXE	mmtrade56539.exe
PID 2636 wrote to memory of 2684	2636	EQNEDT32.EXE	mmtrade56539.exe
PID 2636 wrote to memory of 2684	2636	EQNEDT32.EXE	mmtrade56539.exe
PID 2636 wrote to memory of 2684	2636	EQNEDT32.EXE	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 2684 wrote to memory of 2868	2684	mmtrade56539.exe	mmtrade56539.exe
PID 1428 wrote to memory of 2364	1428	WINWORD.EXE	splwow64.exe
PID 1428 wrote to memory of 2364	1428	WINWORD.EXE	splwow64.exe
PID 1428 wrote to memory of 2364	1428	WINWORD.EXE	splwow64.exe
PID 1428 wrote to memory of 2364	1428	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f.docx"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2364

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\mmtrade56539.exe
"C:\Users\Admin\AppData\Roaming\mmtrade56539.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Roaming\mmtrade56539.exe
"C:\Users\Admin\AppData\Roaming\mmtrade56539.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
6b4300b7963aec29df1df719336106ad

SHA1
0c7c7ff3f937413ed8712cfd149b4e17c06daf05

SHA256
198c2aa037017d24c10ded078b206e77308af7d46ed6c493f647c9b4817b4327

SHA512
6a6906038faad117bc7c59e36f18c792431d414a3c0a797f8a48c0a4e596890ae292ce2bb795c9db03e77a96b848707dd8b7ebe4e604ad0ef9f5f6ac4af7dc66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{11F5C868-DEEC-4557-A489-F0448FAF7D5D}.FSD

Filesize
128KB

MD5
f332128bc6eafccc657cf1906924fc3e

SHA1
55f1b52920108f3811ad0216daa2747120a20899

SHA256
8661e239992e003c709379ac368fed8c73321c77db58f9d6aeb9ead1a4af5e1b

SHA512
b85fefc8b1e525624867787a36773dcca936ec71dc99b7cab802ac4b7038a5af7124e44dc4b4407604b67e3f32abe58a5b61625ca9a80068544fdb0b5431f148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QE8B45JM\mmtradezx[1].doc

Filesize
170KB

MD5
53d7c396c9045ba0c9f0982f92f7443d

SHA1
6df40c3bae9dfd9ecf745a0401960aa5bdb62e51

SHA256
98dccf921b555c4e4d70ecf5626f651b9d87d1aa2c83945ef661d41cba07d354

SHA512
8bb6109bbda985c600da04db948399e6dded70171f6cab9d3f3ab13e99005071ec5fda3049be2d2c83a6f9b587688157c3588d33570614193a5566f25bcb201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6C5EDE41-2D46-4A55-A711-A31419C6AE85}

Filesize
128KB

MD5
763c9779a74563664336fa3ff419daa1

SHA1
0269cb8dee0f9777bbd0cced42efa8e1488b9aba

SHA256
798b7fa8c366cf673f0196d1bb32a5832263594f16dd67be37038499d05edd96

SHA512
2df88dfcc1854fb7a78c7995587de7796015a40050a65a18c13730cca95473a6141856aac2a5544cc8808fb8d4054bc14ff0b567770a0da95f81178a9b1942d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
1dc5aea88816395eddb6e056a2cfb3d5

SHA1
8df1688f1692e37b110dfe872495122805f3d7e9

SHA256
c0e6e559f315348b69651ac723d799b4d2e1ccc8459208dbd0bb6003d287cc29

SHA512
05a10ce5013b7688fb853193de5635e0f7f01060af72c19415f308d18f9aa843ff42b14a993488ef83cd59511633556f015385b96fc6af85537290bc60c3e6a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\mmtrade56539.exe

Filesize
649KB

MD5
ad5bb07ce43df4278b18681fc5aa47b4

SHA1
a0ef56d019bb8bda3e3063eea3b2a530cc5c379a

SHA256
e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296

SHA512
7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6

Download Submit
C:\Users\Admin\AppData\Roaming\mmtrade56539.exe

Filesize
649KB

MD5
ad5bb07ce43df4278b18681fc5aa47b4

SHA1
a0ef56d019bb8bda3e3063eea3b2a530cc5c379a

SHA256
e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296

SHA512
7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6

Download Submit
C:\Users\Admin\AppData\Roaming\mmtrade56539.exe

Filesize
649KB

MD5
ad5bb07ce43df4278b18681fc5aa47b4

SHA1
a0ef56d019bb8bda3e3063eea3b2a530cc5c379a

SHA256
e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296

SHA512
7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6

Download Submit
C:\Users\Admin\AppData\Roaming\mmtrade56539.exe

Filesize
649KB

MD5
ad5bb07ce43df4278b18681fc5aa47b4

SHA1
a0ef56d019bb8bda3e3063eea3b2a530cc5c379a

SHA256
e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296

SHA512
7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6

Download Submit
\Users\Admin\AppData\Roaming\mmtrade56539.exe

Filesize
649KB

MD5
ad5bb07ce43df4278b18681fc5aa47b4

SHA1
a0ef56d019bb8bda3e3063eea3b2a530cc5c379a

SHA256
e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296

SHA512
7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6

Download Submit
\Users\Admin\AppData\Roaming\mmtrade56539.exe

Filesize
649KB

MD5
ad5bb07ce43df4278b18681fc5aa47b4

SHA1
a0ef56d019bb8bda3e3063eea3b2a530cc5c379a

SHA256
e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296

SHA512
7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6

Download Submit
memory/1428-119-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/1428-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1428-165-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1428-2-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/1428-0-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/1428-166-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/2684-107-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/2684-118-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2684-120-0x0000000005370000-0x00000000053EE000-memory.dmp

Filesize
504KB

Download
memory/2684-117-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2684-102-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/2684-100-0x000000006AC40000-0x000000006B32E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-99-0x0000000000CB0000-0x0000000000D58000-memory.dmp

Filesize
672KB

Download
memory/2684-135-0x000000006AC40000-0x000000006B32E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-127-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-136-0x000000006AC40000-0x000000006B32E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-137-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/2868-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-140-0x000000006AC40000-0x000000006B32E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-141-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/2868-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download