agenttesla | ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

orden de compra.xls
Size

391KB
MD5

060f999d180fb2c37059815ebd76e38e
SHA1

605c01289d5b683a3d5b5eb17ebef72bfc388f91
SHA256

ac07988ba9649741c59d16698f8c33295b3ff7943eeccbafe6f988e3e3c10908
SHA512

a4449aa855a6426106516bf11499902f402ed4589fa7f11e628fec9efbcd6b8a6fcabdfb02d2fe3bf20a41889c734538e77194a011112b4dc06ae94e6b9c066e
SSDEEP

6144:Vn1m9kdbXgb8y3ZetJs0hdMJUXTdU5u/LbquQFBql4yUhNttSMS6EgU0rh:VOesblwtqSdLTdoaNQO6hQX+h

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1064	EQNEDT32.EXE

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 1 IoCs

pid	Process
2680	wlanext.exe

Loads dropped DLL 1 IoCs

pid	Process
1064	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1064	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2388	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe
2680	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	wlanext.exe
Token: SeShutdownPrivilege	1404	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2388	EXCEL.EXE
2388	EXCEL.EXE
2388	EXCEL.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2680	1064	EQNEDT32.EXE	31
PID 1064 wrote to memory of 2680	1064	EQNEDT32.EXE	31
PID 1064 wrote to memory of 2680	1064	EQNEDT32.EXE	31
PID 1064 wrote to memory of 2680	1064	EQNEDT32.EXE	31
PID 1404 wrote to memory of 1912	1404	WINWORD.EXE	32
PID 1404 wrote to memory of 1912	1404	WINWORD.EXE	32
PID 1404 wrote to memory of 1912	1404	WINWORD.EXE	32
PID 1404 wrote to memory of 1912	1404	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\orden de compra.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1912

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Roaming\wlanext.exe
  "C:\Users\Admin\AppData\Roaming\wlanext.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
9ca0c8899f67b1fada8804c370f7e4c7

SHA1
66fdc83448e7388def0680d8b4299ac04fdbfcd0

SHA256
6a9f700b55d9bce93d4edd5940ca60a5211b8252c5ed5cb47814d5b40b4e942d

SHA512
a08fdf4cae7267d6e6a6210427a747b35ffd58cc73c5264376e5e2b0bb1ef2377f12b84426bbc5c20ded83a338bb728a685c0510191dda0f1d11990c586ca44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{EA77349D-A088-497F-9CCB-AB7A24B2CC82}.FSD

Filesize
128KB

MD5
ec635cdf70c6e499469b51947a93df60

SHA1
4ad86b3a7d415444832cf721e558044379b36c8e

SHA256
e090f69dee3e51fbdaf4fd4a62ea2d47d079f67f1c4dcca015796afd6c00d049

SHA512
1f52e51d8880987dbf5b592e3ba1c9f6e1c56d15367d77a178ea5e1025fc4ad5ba2346c9d028fdd6345bfe10470d2e43b564d073011c7fa5bfb8d8cbd7d7821b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
e07bc293be00f323f949e0005573222e

SHA1
c4e06bec3256142f4b6089cce68badb9ce94375c

SHA256
3e16ce10acc077f341ccdab01ebe3b8c2aeade81ef21439ba7bab8ae738fe27b

SHA512
8def73661f8df602f46a63ac79b00d7715e49210f2911f3a446bba4362a5d20a4ba9d8d3ac8cc72c7d2e2d4a1b9743f6ac8f2e31afff72012f2224129e58238d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3B64136D-9C9B-49B9-B60E-0D959EAC29CF}.FSD

Filesize
128KB

MD5
bb01ae6481c5de11ed6e35bf5e72cfac

SHA1
f0f8ac2bdeb5db21c63aaf06669a3c6c06debb62

SHA256
58d1bcd310fc1965fce190f96ae02409779ae1dde4e7c00c156087d0d63d13ff

SHA512
ac8b53b4ee34819eff62cfcd4e4b0d5c184d85cf97993983f86d2b5c879b25a89330e46f2f3156a0e4188a2da65b76feed2bf710539942648f7cea2a9c9fa61e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VYMWFB8D\microsoftunderstandwhyneedtodeleteentirehistorycachecookieverything[1].doc

Filesize
59KB

MD5
ed5d8e3f7b96288d349f167b737b0e32

SHA1
d855f8bac1e28f42abe38db048e8839615db1be4

SHA256
f118d7b310e09917603c15c5e6199f0bc04848ff9b3042b04fc8a94720a55d44

SHA512
4b7a378ef8c805342b993129911f020b8a81eaada910329cedab1755177098a46d7c0bdea84451c8fb5801e5a998a8786a0ef57576edca169f55373ff0960037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CCD2C72F.doc

Filesize
59KB

MD5
ed5d8e3f7b96288d349f167b737b0e32

SHA1
d855f8bac1e28f42abe38db048e8839615db1be4

SHA256
f118d7b310e09917603c15c5e6199f0bc04848ff9b3042b04fc8a94720a55d44

SHA512
4b7a378ef8c805342b993129911f020b8a81eaada910329cedab1755177098a46d7c0bdea84451c8fb5801e5a998a8786a0ef57576edca169f55373ff0960037

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5CD70436-E06B-481A-AD1C-A60DADBC89A8}

Filesize
128KB

MD5
5457d079852af2992bcaf9a4e79ce2b4

SHA1
7687ba6c67e7b4628f236baed7f6fd4b506f8e32

SHA256
882d19d3f61a60470e79ffcb19feb71d16cf033a0b6e99114d8e8d6f368f898d

SHA512
404e10e4d3821e1740071f38e06420473b67593e7741d368e65908e4b31820544cc98992fe20127b6255f47cdcdec8d3704890ec26ff88d85a39bbeccf372dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
136B

MD5
076ecf1f06214522dc710f1db15ab3fa

SHA1
941643f7d24d0d2c9a187572050425c02d514016

SHA256
47391a4bb3036f08d2c48ff8ee5b6556f0c682c8945cd616de98a812e2fd713e

SHA512
bfd4667824b3cc5740b1f98bf489621209dc79298a3f15715b1306ffb1fdcdc03fc867f9a0f5e16da4e13f756a1832b19a697e0f86db2dc4bb942b75f5bd4eeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
b503745d52e2b5d3edd689847b40f221

SHA1
6dcdd574ac4addb91772819ba99cf50c9c116e0f

SHA256
2f770810d46332b4842cee95b644f4e35326a23472ec671a924df54ca8fd9a34

SHA512
a39008ccb62c26a6b72e60a0a16a154d2016860d8647938ffb866b610be4ca8362eab80e358cdf8953c1ceb1ad51446f8e0ccaf818eb4543a3e3840e4ea93767

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
C:\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
\Users\Admin\AppData\Roaming\wlanext.exe

Filesize
666KB

MD5
e81d3a6286beea59a2fe264b2b4ee156

SHA1
acbff15ea6b56cb04810e826bfb555b5c2b7efae

SHA256
808dc37ef54a4c95bb66f4773d8a84d9b6f548b00bae26ee514996a7f46d2a04

SHA512
5239f0f66a3d2b2855d104ebd2e4f3f30766a7fb04f1fc4c6d93139f43ee3e8befd6fd2043d1bcd5a3860af96f0527fb7e784162fbc32367fcb27da80db27d6b

Download Submit
memory/1404-106-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1404-11-0x0000000003C00000-0x0000000003C02000-memory.dmp

Filesize
8KB

Download
memory/1404-5-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1404-132-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/1404-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1404-3-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

Filesize
4KB

Download
memory/2388-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2388-135-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/2388-101-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/2388-1-0x0000000072A5D000-0x0000000072A68000-memory.dmp

Filesize
44KB

Download
memory/2388-12-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/2680-99-0x00000000047C0000-0x0000000004800000-memory.dmp

Filesize
256KB

Download
memory/2680-105-0x0000000000740000-0x0000000000782000-memory.dmp

Filesize
264KB

Download
memory/2680-100-0x0000000000570000-0x000000000058A000-memory.dmp

Filesize
104KB

Download
memory/2680-107-0x000000006AE60000-0x000000006B54E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-108-0x00000000047C0000-0x0000000004800000-memory.dmp

Filesize
256KB

Download
memory/2680-97-0x000000006AE60000-0x000000006B54E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-96-0x00000000000D0000-0x000000000017C000-memory.dmp

Filesize
688KB

Download
memory/2680-104-0x0000000005300000-0x000000000537E000-memory.dmp

Filesize
504KB

Download
memory/2680-103-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2680-102-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download