Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2023 01:43
Static task: static1
Behavioral task: behavioral1
  Sample: aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f.docx
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f.docx
  Resource: win10v2004-20231127-en
General
- Target: aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f.docx
- Size: 16KB
- MD5: b5b884c10723261ef25cc10db807eb8b
- SHA1: 5f89a7039838e52bb5e440d7b51b2635802dcc02
- SHA256: aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f
- SHA512: 20ef9f8553e7cb2af0497c22b82084519dd7ad1ffb13100efc7900797aaa190ba1b3abb3e9a0ec6bad3eb8bd71bdb061f8d4c107565746948260e0967a4c9c7f
- SSDEEP: 384:uyXrVqFWus8PL8wi4OEwH8TIbE91r2fRGJYJvimP49eb:ucrOJ5P3DOqnYJQEvTP49G
Malware Config
- Extracted: agenttesla
  Protocol: smtp
  Host: mail.turathmall-ksa.com
  Port: 587
  Username: [email protected]
  Password: Julliannah123
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request 1 IoCs
  Processes:
  flow | pid | process
  9 | 2636 | EQNEDT32.EXE
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE 2 IoCs
  Processes:
  pid | process
  2684 | mmtrade56539.exe
  2868 | mmtrade56539.exe
- Loads dropped DLL 2 IoCs
  Processes:
  pid | process
  2636 | EQNEDT32.EXE
  2636 | EQNEDT32.EXE
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\SguRK = "C:\\Users\\Admin\\AppData\\Roaming\\SguRK\\SguRK.exe" | mmtrade56539.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description | pid | process | target process
  PID 2684 set thread context of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
- Drops file in Windows directory 1 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
- Modifies registry class 64 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes:
  pid | process
  1428 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid | process
  2868 | mmtrade56539.exe
  2868 | mmtrade56539.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2868 | mmtrade56539.exe
  Token: SeShutdownPrivilege | 1428 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx 3 IoCs
  Processes:
  pid | process
  1428 | WINWORD.EXE
  1428 | WINWORD.EXE
  2868 | mmtrade56539.exe
- Suspicious use of WriteProcessMemory 17 IoCs
  Processes:
  description | pid | process | target process
  PID 2636 wrote to memory of 2684 | 2636 | EQNEDT32.EXE | mmtrade56539.exe
  PID 2636 wrote to memory of 2684 | 2636 | EQNEDT32.EXE | mmtrade56539.exe
  PID 2636 wrote to memory of 2684 | 2636 | EQNEDT32.EXE | mmtrade56539.exe
  PID 2636 wrote to memory of 2684 | 2636 | EQNEDT32.EXE | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 2684 wrote to memory of 2868 | 2684 | mmtrade56539.exe | mmtrade56539.exe
  PID 1428 wrote to memory of 2364 | 1428 | WINWORD.EXE | splwow64.exe
  PID 1428 wrote to memory of 2364 | 1428 | WINWORD.EXE | splwow64.exe
  PID 1428 wrote to memory of 2364 | 1428 | WINWORD.EXE | splwow64.exe
  PID 1428 wrote to memory of 2364 | 1428 | WINWORD.EXE | splwow64.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aeeab5a8e121ee1c3f075068d53a94b8b769fcb92376454f28bbfee12812514f.docx"
  PID: 1428
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2364
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2636
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\mmtrade56539.exe
    Command line: "C:\Users\Admin\AppData\Roaming\mmtrade56539.exe"
    PID: 2684
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\mmtrade56539.exe
      Command line: "C:\Users\Admin\AppData\Roaming\mmtrade56539.exe"
      PID: 2868
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 6b4300b7963aec29df1df719336106ad
  SHA1: 0c7c7ff3f937413ed8712cfd149b4e17c06daf05
  SHA256: 198c2aa037017d24c10ded078b206e77308af7d46ed6c493f647c9b4817b4327
  SHA512: 6a6906038faad117bc7c59e36f18c792431d414a3c0a797f8a48c0a4e596890ae292ce2bb795c9db03e77a96b848707dd8b7ebe4e604ad0ef9f5f6ac4af7dc66
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{11F5C868-DEEC-4557-A489-F0448FAF7D5D}.FSD
  Filesize: 128KB
  MD5: f332128bc6eafccc657cf1906924fc3e
  SHA1: 55f1b52920108f3811ad0216daa2747120a20899
  SHA256: 8661e239992e003c709379ac368fed8c73321c77db58f9d6aeb9ead1a4af5e1b
  SHA512: b85fefc8b1e525624867787a36773dcca936ec71dc99b7cab802ac4b7038a5af7124e44dc4b4407604b67e3f32abe58a5b61625ca9a80068544fdb0b5431f148
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QE8B45JM\mmtradezx[1].doc
  Filesize: 170KB
  MD5: 53d7c396c9045ba0c9f0982f92f7443d
  SHA1: 6df40c3bae9dfd9ecf745a0401960aa5bdb62e51
  SHA256: 98dccf921b555c4e4d70ecf5626f651b9d87d1aa2c83945ef661d41cba07d354
  SHA512: 8bb6109bbda985c600da04db948399e6dded70171f6cab9d3f3ab13e99005071ec5fda3049be2d2c83a6f9b587688157c3588d33570614193a5566f25bcb201e
- Filesize: 128KB
  MD5: 763c9779a74563664336fa3ff419daa1
  SHA1: 0269cb8dee0f9777bbd0cced42efa8e1488b9aba
  SHA256: 798b7fa8c366cf673f0196d1bb32a5832263594f16dd67be37038499d05edd96
  SHA512: 2df88dfcc1854fb7a78c7995587de7796015a40050a65a18c13730cca95473a6141856aac2a5544cc8808fb8d4054bc14ff0b567770a0da95f81178a9b1942d5
- Filesize: 20KB
  MD5: 1dc5aea88816395eddb6e056a2cfb3d5
  SHA1: 8df1688f1692e37b110dfe872495122805f3d7e9
  SHA256: c0e6e559f315348b69651ac723d799b4d2e1ccc8459208dbd0bb6003d287cc29
  SHA512: 05a10ce5013b7688fb853193de5635e0f7f01060af72c19415f308d18f9aa843ff42b14a993488ef83cd59511633556f015385b96fc6af85537290bc60c3e6a8
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 649KB
  MD5: ad5bb07ce43df4278b18681fc5aa47b4
  SHA1: a0ef56d019bb8bda3e3063eea3b2a530cc5c379a
  SHA256: e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296
  SHA512: 7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6
- Filesize: 649KB
  MD5: ad5bb07ce43df4278b18681fc5aa47b4
  SHA1: a0ef56d019bb8bda3e3063eea3b2a530cc5c379a
  SHA256: e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296
  SHA512: 7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6
- Filesize: 649KB
  MD5: ad5bb07ce43df4278b18681fc5aa47b4
  SHA1: a0ef56d019bb8bda3e3063eea3b2a530cc5c379a
  SHA256: e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296
  SHA512: 7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6
- Filesize: 649KB
  MD5: ad5bb07ce43df4278b18681fc5aa47b4
  SHA1: a0ef56d019bb8bda3e3063eea3b2a530cc5c379a
  SHA256: e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296
  SHA512: 7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6
- Filesize: 649KB
  MD5: ad5bb07ce43df4278b18681fc5aa47b4
  SHA1: a0ef56d019bb8bda3e3063eea3b2a530cc5c379a
  SHA256: e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296
  SHA512: 7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6
- Filesize: 649KB
  MD5: ad5bb07ce43df4278b18681fc5aa47b4
  SHA1: a0ef56d019bb8bda3e3063eea3b2a530cc5c379a
  SHA256: e12160051d05c920fe17a344ede8466f785b82603ebeb4071fbad0ce2b8f3296
  SHA512: 7b574e9b35a2253cf83428e605ac35f550fb3c8302ce68d3c1abc36be96535591d6c585a4f84f0e232a8fa4e2eed0e70233a3e5b69f6266da8d11cccd39be5b6